Support for X509 certificate PKINIT auth in kadmin

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Mar 29 12:20:17 EDT 2023


>I believe, kadmin using password/keytab based authentication doesn't
>require kadmin/admin principal's service ticket when trying to
>connect to kadmind server.

I ... am not sure what you mean here?

What happens INTERNALLY inside of kadmin is kadmin is basically running
"kinit -S kadmin/admin" for you (or it might be using the admin host
specific service principal).  What I suggested to you in that link was
just doing that explicitly.

>Despite setting DISALLOW_TGT_BASED and
>DISALLOW_SVR on kadmin/admin principal, I can use password/keytab
>based auth in my kadmin command and connect to kadmind & get the kadmin
>prompt, e.g. kadmin -p <xyz>/admin -kt xyzadmin.keytab NOTE: setting
>DISALLOW_SVR on service principals like kadmin/admin might be a personal
>choice.

Well, I am a LITTLE puzzled as to how you could possibly use kadmin at
all if you set DISALLOW_SVR on kadmin/admin!  You would think that would
reject the request in the AS-REQ code path.  Are you sure that you're
not actually using the kadmin/admin.host service principal instead??

>Whereas, PKINIT X.509 certificate based pre-auth doesn't give
>me the service ticket for kadmin/admin (when DISALLOW_SVR is set) via
>kinit e.g. kinit -X <X509-CERT&KEY-of-xyz/admin> -S kadmin/admin
><xyz/admin>, thus kadmin -c <credentials_cache> wouldn't work and can't
>connect to kadmind.  It's essential that kadmin also supports -X X509
>Certificate/PKINIT based pre-auth (instead of getting the TGT & ST via
>kinit into credentials cache) similar to password/keytab based auth.

It's important to understand that in the normal design of things you
wouldn't use the -X option to kinit; it would get that configuration out
of krb5.conf via the pkinit_identities relation.  If that's configured
correctly then things should work in kadmin.

--Ken
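An added krb5.conf fragment, not part of the thread, illustrating the pkinit_identities relation Ken refers to so that kadmin's internal AS-REQ for kadmin/admin can use the certificate without any -X option. Realm name, host names and file paths are placeholders.

```ini
# Placeholder realm and paths; adjust to the local deployment.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
        # CA certificate(s) used to validate the KDC's PKINIT certificate.
        pkinit_anchors = FILE:/etc/krb5/pkinit/cacert.pem
        # Client certificate and private key presented during PKINIT pre-auth.
        # With this set, kadmin -p xyz/admin obtains the kadmin/admin service
        # ticket via PKINIT itself, the same way kinit would, so no
        # "kinit -X X509_user_identity=..." step is needed first.
        pkinit_identities = FILE:/etc/krb5/pkinit/xyzadmin.crt,/etc/krb5/pkinit/xyzadmin.key
    }
```

The identity can also be placed in [libdefaults] if it should apply to every realm rather than only EXAMPLE.COM.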
