>Kerberos FAQ states it's possible (although does not recommend)
>we can refer foreign principals giving them rights in kadm5.acl
>file if we trust foreign KDC.

Are you sure it says that? As the author of the Kerberos FAQ, I can't find that (it does mention about ACLs, but doesn't specifically mention kadm5.acl).

>Since we have a multi-realm KDC and in real life the same
>people will manage those realms, I'd like to give permissions
>to the same principal and if possible I wouldn't like to
>create user/admin@REALM1, user/admin@REALM2. I just want to
>insert an entry for user/admin@REALM1 in kadm5.acl file
>for each domain.

Unfortunately ... because kadmin/admin is set to only allow AS_REQ based requests (which you don't want to change, trust me) and there's no way to do cross-realm without a TGS-based request, then you're stuck. You can't do what you want.

--Ken
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
