>>>>> "admin" == Utente amministrativo <[EMAIL PROTECTED]> writes:
admin> we use LDAP+KERBEROS and after upgrading from 1.4 to 1.4.1
admin> my scripts for users creation/change don't work anymore.
admin> They are based on 'kadmin' utility or perl module Authen::Krb5::Admin
admin> for remote management on the kerberos and LDAP db.
admin> As user/[EMAIL PROTECTED] I am used to do only
admin> 'kinit user/[EMAIL PROTECTED]'
admin> to grant me LDAP and KERBEROS admin access.
admin> All scripts then use the KRB5CCNAME file.
admin> Symptoms are that 'kadmin -c $KRB5CCNAME -q ...' or Authen::Krb5::Admin->init_with_creds
admin> refuse to try to use existing krbtgt/[EMAIL PROTECTED] to get the mandatory
admin> kadmin/[EMAIL PROTECTED] service ticket.

Could you please quote the exact error you get?

admin> If I do a 'kinit -s kadmin/admin user/admin' it works but
admin> then I can't use that service ticket to access LDAP.

I believe that using "kinit -s kadmin/admin user/admin" is the only
way that's documented to work.

admin> Replacing libkadm5clnt.so with previous 1.4 version fixes it
admin> and after a run of init_with_creds my cache file correctly contains:
admin> 08/02/05 12:56:20 08/03/05 12:56:20 krbtgt/[EMAIL PROTECTED]
admin> 08/02/05 12:56:28 08/03/05 12:56:20 kadmin/[EMAIL PROTECTED]
admin> 08/02/05 12:56:28 08/03/05 12:56:20 ldap/[EMAIL PROTECTED]

Your ability to get a kadmin/[EMAIL PROTECTED] ticket using a TGT
indicates that your kadmin/krbserver.domain principal doesn't have the
DISALLOW_TGT_BASED flag set, which should typically be the case for
kadmin-related principals.

---Tom
________________________________________________
Kerberos mailing list
https://mailman.mit.edu/mailman/listinfo/kerberos
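
The flag mentioned in the reply can be audited from `getprinc` output. The script below is an added example, not part of the original message or of MIT Kerberos; the function names, the EXAMPLE.COM realm and the sample output are constructed, and the `Principal:` / `Attributes:` line layout is assumed to match what your kadmin prints.

```shell
#!/bin/sh
# Added example: list kadmin/* principals that lack DISALLOW_TGT_BASED,
# i.e. principals whose service ticket can be obtained from a cached TGT.

# Reads the output of one or more `getprinc` queries on stdin and prints
# every kadmin/* principal whose Attributes line has no DISALLOW_TGT_BASED.
missing_tgt_flag() {
    awk '
        /^Principal:/  { name = $2; next }
        /^Attributes:/ {
            if (name ~ /^kadmin\// && $0 !~ /DISALLOW_TGT_BASED/)
                print name
            name = ""
        }
    '
}

# Constructed sample input (assumed getprinc layout, abbreviated).
sample_getprinc() {
cat <<'EOF'
Principal: kadmin/admin@EXAMPLE.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: kadmin/changepw@EXAMPLE.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH DISALLOW_TGT_BASED PWCHANGE_SERVICE
Policy: [none]
Principal: ldap/host.example.com@EXAMPLE.COM
Expiration date: [never]
Attributes:
Policy: [none]
EOF
}

# Against a live KDC (assumption: run on the KDC host with kadmin.local):
#   for p in kadmin/admin kadmin/changepw; do
#       kadmin.local -q "getprinc $p"
#   done | missing_tgt_flag
# To set the flag on a reported principal:
#   kadmin.local -q "modprinc -allow_tgt_based kadmin/admin"
```

Once the flag is set, clients must obtain the kadmin ticket with an initial authentication (the `kinit -s kadmin/admin user/admin` form quoted above) rather than from the cached krbtgt.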
