Cross realm kadmin
Greg Hudson
ghudson at mit.edu
Mon Mar 25 12:16:36 EDT 2019
On 3/25/19 7:28 AM, Kenneth MacDonald wrote:
> If this behaviour is impossible, I will have to ensure all my
> management hosts default to the same realm that they are managing. Or
> is there something I am missing?
I don't think it can work with kadmin -k (authenticating from keytab),
because kadmin will try to use the keytab to directly get credentials
for the server realm with an AS request. Since there is no cross-realm for AS
requests, it winds up getting credentials for the client realm instead.

I was able to make cross-realm kadmin work in a test environment with
kadmin -c. I ran kinit normally, then used kvno to explicitly get
tickets for kadmin/admin@TEST. The kvno step is necessary because
kadmin -c expects the necessary credential to already be present in the
ccache; it won't make a TGS request for it. Then I ran kadmin -c
/path/to/ccache -r TEST. Of course I also had to remove the
DISALLOW_TGT_BASED flag from the kadmin/admin@TEST principal entry, as
you did in your tests.
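The kinit / kvno / kadmin -c sequence described in the reply, wrapped in a helper that first checks the ccache for the kadmin/admin service ticket and only calls kvno when it is missing. This is an added example, not code from the thread; it assumes the MIT krb5 client tools (klist, kvno, kadmin) are installed, and the ccache path, realm names and klist listing below are constructed.

```shell
#!/bin/sh
# Added example: make sure the ccache holds a ticket for kadmin/admin@<REALM>
# before running "kadmin -c <ccache> -r <REALM>", since kadmin -c will not
# fetch that service ticket itself. Assumes MIT krb5 client tools.

# has_service_ticket KLIST_OUTPUT PRINCIPAL
# Returns 0 if the klist listing (passed as a string) contains a ticket whose
# service principal (last field of a line) is exactly PRINCIPAL.
has_service_ticket() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

# run_cross_realm_kadmin CCACHE REALM
# Precondition: the user has already run kinit in their home realm into CCACHE.
# Fetches kadmin/admin@REALM into the ccache via kvno if needed, then starts
# kadmin -c against that realm (the remote kadmin/admin entry must not carry
# DISALLOW_TGT_BASED, as noted in the thread).
run_cross_realm_kadmin() {
    ccache=$1
    realm=$2
    svc="kadmin/admin@$realm"
    listing=$(klist -c "$ccache") || return 1
    if ! has_service_ticket "$listing" "$svc"; then
        # Explicit TGS request for the cross-realm kadmin service ticket.
        kvno -c "$ccache" "$svc" || return 1
    fi
    kadmin -c "$ccache" -r "$realm"
}

# Constructed klist output (not captured from a real system) used to
# exercise has_service_ticket without needing a KDC. Fields are separated
# by spaces, with the service principal last on each ticket line.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_example
Default principal: user@HOME.EXAMPLE

Valid starting     Expires            Service principal
03/25/19 12:00:00  03/25/19 22:00:00  krbtgt/HOME.EXAMPLE@HOME.EXAMPLE
03/25/19 12:00:05  03/25/19 22:00:00  krbtgt/TEST@HOME.EXAMPLE
03/25/19 12:00:10  03/25/19 22:00:00  kadmin/admin@TEST'

# Example invocation (commented out so the helpers can be sourced safely):
# run_cross_realm_kadmin /path/to/ccache TEST
```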