Proposal to change the meaning of -allow_tix +allow_svr aka KRB5_KDB_DISALLOW_ALL_TIX & !KRB5_KDB_DISALLOW_SVR

Nicolas Williams Nicolas.Williams at
Wed Jun 18 17:13:44 EDT 2008

On Wed, Jun 18, 2008 at 04:54:04PM -0400, Ken Raeburn wrote:
> On Jun 18, 2008, at 16:33, Jeffrey Altman wrote:
> > I believe that the meaning of allow_tix should be altered such that  
> > it only applies to the client
> > in a TGS or AS request.  This would permit -allow_tix to be applied  
> > to a service principal
> > and ensure that no client ticket requests can be satisfied for that  
> > service principal while at
> > the same time permitting other principals to obtain service tickets.
> > Organizations that wish to disable the issuance of service tickets  
> > for the service principal
> > would apply -allow_svr to the principal in addition to -allow_tix.
> I think it should be pointed out that such a change would allow  
> tickets to start being issued where currently they would not when the  
> KDC software gets updated -- even if the latter really was the intent  
> of the realm administrator.  Because of that, we might instead want to  
> create a new flag with the semantics Jeff wants, and leave the  
> existing flag with its current (suboptimal) behavior.

Or provide a migration script.

More information about the krbdev mailing list