Proposal to change the meaning of -allow_tix +allow_svr aka KRB5_KDB_DISALLOW_ALL_TIX & !KRB5_KDB_DISALLOW_SVR

Ken Raeburn raeburn at MIT.EDU
Wed Jun 18 16:54:04 EDT 2008

On Jun 18, 2008, at 16:33, Jeffrey Altman wrote:
> I believe that the meaning of allow_tix should be altered such that  
> it only applies to the client
> in a TGS or AS request.  This would permit -allow_tix to be applied  
> to a service principal
> and ensure that no client ticket requests can be satisfied for that  
> service principal while at
> the same time permitting other principals to obtain service tickets.
> Organizations that wish to disable the issuance of service tickets  
> for the service principal
> would apply -allow_svr to the principal in addition to -allow_tix.

I think it should be pointed out that such a change would allow  
tickets to start being issued where currently they would not when the  
KDC software gets updated -- even if the latter really was the intent  
of the realm administrator.  Because of that, we might instead want to  
create a new flag with the semantics Jeff wants, and leave the  
existing flag with its current (suboptimal) behavior.


More information about the krbdev mailing list