Support for X509 certificate PKINIT auth in kadmin

vineeth shyam vineethshyam at
Wed Mar 29 12:07:26 EDT 2023

 Thanks Ken.

I believe, kadmin using password/ keytab based authentication doesnt require kadmin/admin principal's service ticket when trying to connect to kadmind server.
Despite setting DISALLOW_TGT_BASED and  DISALLOW_SVR on kadmin/admin  principal, I can use password/keytab based auth in my kadmin command and connect to kadmind & get the kadmin prompt.e.g. kadmin -p <xyz>/admin -kt xyzadmin.keytab
NOTE: setting DISALLOW_SVR on service principals like kadmin/admin might be a personal choice.
Where as, PKINIT X.509 certificate based pre-auth doesnt give me the service ticket for kadmin/admin (when DISALLOW_SVR is set) via kinit e.g. kinit -X <X509-CERT&KEY-of-xyz/admin> -S kadmin/admin <xyz/admin>thus kadmin -c <credentials_cache> wouldnt work  and cant connect to kadmind.
Its essential that kadmin also supports -X X509 Certificate /PKINIT based pre-auth (instead of getting the TGT & ST via kinit into credentials cache) similar to password/keytab based auth.

    On Wednesday, 29 March 2023 at 06:00:13 PM IST, Ken Hornstein <kenh at> wrote:  
 >The kadmin client connects to MIT Kerberos kadmin server using
>password-based or keytab authentication. Although it supports anonymous
>PKINIT, it would be good if kadmin client can also accept X.509 PKINIT
>certificate based authentication just like how kinit does.

As far as I can tell, _if_ you have everything configured correctly
then you can use PKINIT with kadmin just fine (both kadmin and kinit
end up calling the same function, krb5_get_init_creds_password(),
which should do all of the same magic if the principal you are using
is configured for PKINIT).

If you're talking about the fact that kadmin doesn't support something
like the "-X X509_user_identity" option that kinit does, well, I explained
how to work around that here:

I personally would have no objections if kadmin added support for that,
but a quick glance at the source code suggests to me it would require
some not-insignificant kadm5 API changes.


More information about the krbdev mailing list