Cross realm kadmin
Kenneth MacDonald
Kenneth.MacDonald at ed.ac.uk
Mon Mar 25 13:39:30 EDT 2019
On Mon, 2019-03-25 at 12:16 -0400, Greg Hudson wrote:
> On 3/25/19 7:28 AM, Kenneth MacDonald wrote:
> > If this behaviour is impossible, I will have to ensure all my
> > management hosts default to the same realm that they are
> > managing. Or
> > is there something I am missing?
>
> I don't think it can work with kadmin -k (authenticating from
> keytab),
> because kadmin will try to use the keytab to directly get credentials
> for the server realm with an AS request. Since is no cross-realm for
> AS
> requests, it winds up getting credentials for the client realm
> instead.
>
> I was able to make cross-realm kadmin work in a test environment with
> kadmin -c. I ran kinit normally, then used kvno to explicitly get
> tickets for kadmin/admin at TEST. The kvno step is necessary because
> kadmin -c expects the necessary credential to already be present in
> the
> ccache; it won't make a TGS request for them. Then I ran kadmin -c
> /path/to/ccache -r TEST. Of course I also had to remove the
> DISALLOW_TGT_BASED flag from the kadmin/admin at TEST principal entry,
> as
> you did in your tests.
Thank you very much for this pointer - I will see if our automation can
be convinced to follow this route if we are willing to accept the lower
security on the TEST realm.
Cheers,
Kenny.
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
More information about the Kerberos
mailing list