Cross realm kadmin

Kenneth MacDonald Kenneth.MacDonald at
Mon Mar 25 13:39:30 EDT 2019

On Mon, 2019-03-25 at 12:16 -0400, Greg Hudson wrote:
> On 3/25/19 7:28 AM, Kenneth MacDonald wrote:
> > If this behaviour is impossible, I will have to ensure all my
> > management hosts default to the same realm that they are managing.
> > Or is there something I am missing?
>
> I don't think it can work with kadmin -k (authenticating from keytab),
> because kadmin will try to use the keytab to directly get credentials
> for the server realm with an AS request.  Since there is no cross-realm
> for AS requests, it winds up getting credentials for the client realm
> instead.
>
> I was able to make cross-realm kadmin work in a test environment with
> kadmin -c.  I ran kinit normally, then used kvno to explicitly get
> tickets for kadmin/admin@TEST.  The kvno step is necessary because
> kadmin -c expects the necessary credential to already be present in
> the ccache; it won't make a TGS request for them.  Then I ran
> kadmin -c /path/to/ccache -r TEST.  Of course I also had to remove the
> DISALLOW_TGT_BASED flag from the kadmin/admin@TEST principal entry, as
> you did in your tests.

Thank you very much for this pointer - I will see if our automation can
be convinced to follow this route if we are willing to accept the lower
security on the TEST realm.



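The kinit, kvno, kadmin -c sequence from the quoted reply, wrapped as a script for unattended use. This is an added example and not part of either message: the keytab-based kinit, the private temporary ccache, and every path and principal name are assumptions, and it still depends on DISALLOW_TGT_BASED having been removed from kadmin/admin@TEST as described in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Paths, principals and the query in the
# usage line are placeholders; TEST is the realm named in the thread.

# Constructed klist output in the layout MIT klist prints (sample data only).
sample_klist() {
cat <<'EOF'
Ticket cache: FILE:/tmp/example/cc
Default principal: automation@EXAMPLE.ORG

Valid starting       Expires              Service principal
03/25/2019 12:00:00  03/25/2019 22:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
03/25/2019 12:00:05  03/25/2019 22:00:00  kadmin/admin@TEST
EOF
}

# ticket_listed SERVICE: read klist output on stdin and succeed only if a
# ticket line ends with SERVICE. kadmin -c will not fetch a missing ticket.
ticket_listed() {
    awk -v svc="$1" '$NF == svc { found = 1 } END { exit !found }'
}

# cross_realm_kadmin REALM KEYTAB CLIENT QUERY
# 1. kinit: AS request, yields a TGT for the client's own realm.
# 2. kvno:  TGS requests, follows the cross-realm path to kadmin/admin@REALM.
# 3. kadmin -c: uses the service ticket already stored in the ccache.
cross_realm_kadmin() {
    realm=$1 keytab=$2 client=$3 query=$4
    svc="kadmin/admin@$realm"
    dir=$(mktemp -d) || return 1      # private directory, mode 0700
    cc="FILE:$dir/cc"
    rc=1
    if kinit -c "$cc" -k -t "$keytab" "$client" &&
       kvno -c "$cc" "$svc" >/dev/null &&
       klist "$cc" | ticket_listed "$svc"
    then
        kadmin -c "$cc" -r "$realm" -q "$query"
        rc=$?
    fi
    kdestroy -c "$cc" >/dev/null 2>&1  # do not leave tickets on disk
    rm -rf "$dir"
    return "$rc"
}

# Usage (placeholders):
#   cross_realm_kadmin TEST /etc/krb5.keytab host/mgmt.example.org "getprinc someuser"
```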