Hello,

The Kerberos FAQ states it's possible (although it does not recommend it)
to refer to foreign principals, giving them rights in the kadm5.acl
file, if we trust the foreign KDC.

Since we have a multi-realm KDC and in real life the same
people will manage those realms, I'd like to give permissions
to the same principal and, if possible, I wouldn't like to
create user/admin@REALM1, user/admin@REALM2. I just want to
insert an entry for user/admin@REALM1 in the kadm5.acl file
for each domain.

When I start kadmin client, it aborts with the following
error:

-----
$ kadmin -r REALM1 -s kdc:port -p [EMAIL PROTECTED]
Authenticating as principal [EMAIL PROTECTED] with password.
kadmin: Client/server realm mismatch in initial ticket request while
initializing kadmin interface
-----

I'm monitoring with tcpdump and it does not show any
traffic between the kadmin client workstation and the KDC. I tried it
another way:

--
$ kinit -f [EMAIL PROTECTED]      # works ok

$ kadmin -r REALM1 -s kdc:port -p [EMAIL PROTECTED] -c /tmp/krb5cc_1000
Authenticating as principal [EMAIL PROTECTED] with existing
credentials.
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
--

In this second way, the workstation and the KDC talk with each other, and
the kdc log shows the following lines:
---
Mar 12 15:55:09 rex.ufsm.br krb5kdc[130](info): TGS_REQ (3 etypes {16 3
1}) 200.18.32.104(88): TGT BASED NOT ALLOWED: authtime 1015953641,
[EMAIL PROTECTED] for kadmin/admin@REALM1, KDC policy rejects
request
---

I had already done a hierarchical cross-realm setup between
REALM1 and SUB.REALM1 and it works for other apps (telnet for
instance). I'm running MIT krb5 v1.2.3.

So the question: is it possible for a "foreign" principal to receive
admin rights for a database realm?
What's the configuration trick for that?

Thanks in advance.

------------------------------------------------------------------------------
Marcio d'Avila Scheibler - Divisao de Suporte ([EMAIL PROTECTED])
Centro de Processamento de Dados - Campus Universitario - CEP 97105-900
Universidade Federal de Santa Maria - RS - Brasil
=============================================================================
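Added example, not part of the original post: a small Python check that parses krb5kdc log lines of the shape quoted in the message and flags rejected cross-realm ticket requests (client realm differing from the service realm), which is exactly what the quoted "TGT BASED NOT ALLOWED ... KDC policy rejects request" line records. The sample lines are constructed and use placeholder client principals, since the post redacts them.

```python
import re

# Constructed sample lines modelled on the krb5kdc log line quoted in the message.
# The client principals are placeholders (the post has them redacted); the rest of the
# shape (timestamp, host, TGS_REQ, status, "client for server, reason") follows the post.
SAMPLE_LOG = """\
Mar 12 15:55:09 rex.ufsm.br krb5kdc[130](info): TGS_REQ (3 etypes {16 3 1}) 200.18.32.104(88): TGT BASED NOT ALLOWED: authtime 1015953641, user/admin@SUB.REALM1 for kadmin/admin@REALM1, KDC policy rejects request
Mar 12 15:56:01 rex.ufsm.br krb5kdc[130](info): TGS_REQ (3 etypes {16 3 1}) 200.18.32.104(88): ISSUE: authtime 1015953641, etypes {rep=16 tkt=16 ses=16}, user/admin@SUB.REALM1 for host/rex.ufsm.br@REALM1
Mar 12 15:57:30 rex.ufsm.br krb5kdc[130](info): TGS_REQ (3 etypes {16 3 1}) 200.18.32.104(88): TGT BASED NOT ALLOWED: authtime 1015953641, user/admin@REALM1 for kadmin/admin@REALM1, KDC policy rejects request
Mar 12 15:58:00 rex.ufsm.br krb5kdc[130](info): AS_REQ (3 etypes {16 3 1}) 200.18.32.104(88): NEEDED_PREAUTH: user/admin@REALM1 for krbtgt/REALM1@REALM1, Additional pre-authentication required
"""

# Matches the "<status>: authtime N, [etypes {...},] <client> for <server>[, <reason>]" shape.
TICKET_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<ip>[\d.]+)\(\d+\): "
    r"(?P<status>[^:]+): authtime \d+, (?:etypes \{[^}]*\}, )?"
    r"(?P<client>[^\s,]+) for (?P<server>[^\s,]+)(?:, (?P<reason>.*))?$"
)

def realm_of(principal):
    """Return the realm part of name@REALM (empty string if there is none)."""
    return principal.rsplit("@", 1)[1] if "@" in principal else ""

def parse_kdc_log(text):
    """Parse ticket-request lines; lines of another shape (e.g. NEEDED_PREAUTH) are skipped."""
    events = []
    for line in text.splitlines():
        m = TICKET_LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["cross_realm"] = realm_of(ev["client"]) != realm_of(ev["server"])
        ev["rejected"] = ev["status"] != "ISSUE"
        events.append(ev)
    return events

def cross_realm_rejections(text):
    """Events where a principal from one realm was refused a ticket for a service in another."""
    return [ev for ev in parse_kdc_log(text) if ev["cross_realm"] and ev["rejected"]]

if __name__ == "__main__":
    for ev in cross_realm_rejections(SAMPLE_LOG):
        print(f"{ev['ts']} {ev['client']} -> {ev['server']}: {ev['status']} ({ev['reason']})")
```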

________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
