Support for X509 certificate PKINIT auth in kadmin

vineeth shyam vineethshyam at
Wed Mar 29 12:55:09 EDT 2023

Sorry for the confusion. I only set the DISALLOW_SVR on kadmin/admin and not kadmin/ principal.
Once I set the DISALLOW_SVR on kadmin/ princ, even kadmin using keytab auth doesn't work.
Thank you for the explanation.

On Wednesday, 29 March 2023 at 09:50:21 PM IST, Ken Hornstein <kenh at> wrote:
>I believe kadmin using password/keytab based authentication doesn't
>require kadmin/admin principal's service ticket when trying to
>connect to kadmind server.

I ... am not sure what you mean here?

What happens INTERNALLY inside of kadmin is kadmin is basically running
"kinit -S kadmin/admin" for you (or it might be using the admin host
specific service principal).  What I suggested to you in that link was
just doing that explicitly.

>Despite setting DISALLOW_TGT_BASED and
>DISALLOW_SVR on kadmin/admin principal, I can use password/keytab
>based auth in my kadmin command and connect to kadmind & get the kadmin
>prompt, e.g. kadmin -p <xyz>/admin -kt xyzadmin.keytab NOTE: setting
>DISALLOW_SVR on service principals like kadmin/admin might be a personal

Well, I am a LITTLE puzzled as to how you could possibly use kadmin at
all if you set DISALLOW_SVR on kadmin/admin!  You would think that would
reject the request in the AS-REQ code path.  Are you sure that you're
not actually using the kadmin/ service principal instead??

>Whereas PKINIT X.509 certificate based pre-auth doesn't give
>me the service ticket for kadmin/admin (when DISALLOW_SVR is set) via
>kinit, e.g. kinit -X <X509-CERT&KEY-of-xyz/admin> -S kadmin/admin
><xyz/admin>, thus kadmin -c <credentials_cache> wouldn't work and can't
>connect to kadmind.  It's essential that kadmin also supports -X X509
>Certificate/PKINIT based pre-auth (instead of getting the TGT & ST via
>kinit into credentials cache) similar to password/keytab based auth.

It's important to understand that in the normal design of things you
wouldn't use the -X option to kinit; it would get that configuration out
of krb5.conf via the pkinit_identities relation.  If that's configured
correctly then things should work in kadmin.
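As an added illustration of the krb5.conf approach Ken describes (not configuration from the thread or from MIT krb5's own docs), the client-side PKINIT relations that let kadmin's internal AS-REQ for kadmin/admin use an X.509 identity instead of a password or keytab; the realm name, host names and file paths are assumptions:

```ini
# krb5.conf (added example): PKINIT identity configured in the client
# profile so that neither kinit -X nor a keytab is needed for kadmin.
# Realm, KDC host and all paths below are placeholders for illustration.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
        # Trust anchor(s) used to verify the KDC's PKINIT certificate
        pkinit_anchors = FILE:/etc/krb5/pkinit-ca.pem
        # Client certificate and private key presented during PKINIT
        # pre-authentication; equivalent to -X X509_user_identity=... on kinit
        pkinit_identities = FILE:/etc/krb5/xyz-admin-cert.pem,/etc/krb5/xyz-admin-key.pem
    }
```

With this in place, `kadmin -p xyz/admin` obtains its kadmin/admin (or kadmin/<host>) service ticket through PKINIT without a separate kinit step. Note that DISALLOW_SVR on that service principal still rejects the request regardless of the pre-authentication mechanism, which is the behaviour the thread observes.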
