Support for X509 certificate PKINIT auth in kadmin
vineethshyam at yahoo.com
Wed Mar 29 12:55:09 EDT 2023
Sorry for the confusion. I only set the DISALLOW_SVR on kadmin/admin and not kadmin/admin.host prinicipal
Once I set the DISALLOW_SVR on kadmin/admin.host princ, even kadmin using keytab auth doesnt work.
Thank you for the explanation.
On Wednesday, 29 March 2023 at 09:50:21 PM IST, Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:
>I believe, kadmin using password/ keytab based authentication doesnt
>require kadmin/admin principal's service ticket when trying to
>connect to kadmind server.
I ... am not sure what you mean here?
What happens INTERNALLY inside of kadmin is kadmin is basically running
"kinit -S kadmin/admin" for you (or it might be using the admin host
specific service principal). What I suggested to you in that link was
just doing that explicitly.
>Despite setting DISALLOW_TGT_BASED and
> DISALLOW_SVR on kadmin/admin principal, I can use password/keytab
>based auth in my kadmin command and connect to kadmind & get the kadmin
>prompt.e.g. kadmin -p <xyz>/admin -kt xyzadmin.keytab NOTE: setting
>DISALLOW_SVR on service principals like kadmin/admin might be a personal
Well, I am a LITTLE puzzled as to how you could possibly use kadmin at
all if you set DISALLOW_SVR on kadmin/admin! You would think that would
reject the request in in the AS-REQ code path. Are you sure that you're
not actually using the kadmin/admin.host service principal instead??
>Where as, PKINIT X.509 certificate based pre-auth doesnt give
>me the service ticket for kadmin/admin (when DISALLOW_SVR is set) via
>kinit e.g. kinit -X <X509-CERT&KEY-of-xyz/admin> -S kadmin/admin
><xyz/admin>thus kadmin -c <credentials_cache> wouldnt work and cant
>connect to kadmind. Its essential that kadmin also supports -X X509
>Certificate /PKINIT based pre-auth (instead of getting the TGT & ST via
>kinit into credentials cache) similar to password/keytab based auth.
It's important to understand that in the normal design of things you
wouldn't use the -X option to kinit; it would get that configuration out
of krb5.conf via the pkinit_identities relation. If that's configured
correctly then things should work in kadmin.
More information about the krbdev