On Wed, Jun 18, 2008 at 04:54:04PM -0400, Ken Raeburn wrote:
> On Jun 18, 2008, at 16:33, Jeffrey Altman wrote:
> > I believe that the meaning of allow_tix should be altered such that
> > it only applies to the client in a TGS or AS request. This would
> > permit -allow_tix to be applied to a service principal and ensure
> > that no client ticket requests can be satisfied for that service
> > principal while at the same time permitting other principals to
> > obtain service tickets. Organizations that wish to disable the
> > issuance of service tickets for the service principal would apply
> > -allow_svr to the principal in addition to -allow_tix.
>
> I think it should be pointed out that such a change would allow
> tickets to start being issued where currently they would not when the
> KDC software gets updated -- even if the latter really was the intent
> of the realm administrator. Because of that, we might instead want to
> create a new flag with the semantics Jeff wants, and leave the
> existing flag with its current (suboptimal) behavior.

Or provide a migration script.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
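
The behaviour change discussed in this thread, as an added example that is not part of the original messages or of MIT Kerberos itself: a small model of the current and proposed `-allow_tix` checks that lists which client/service pairs would start receiving tickets after the change, and which principals a migration would also have to mark `-allow_svr` to keep today's behaviour. The principal names and all helper names are hypothetical, and the "current" rule assumes what the thread implies, namely that `-allow_tix` on either party blocks issuance.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Principal:
    name: str
    allow_tix: bool = True   # False models the -allow_tix attribute
    allow_svr: bool = True   # False models the -allow_svr attribute


def issue_current(client: Principal, service: Principal) -> bool:
    """Assumed current rule: -allow_tix on either party blocks the ticket."""
    return client.allow_tix and service.allow_tix and service.allow_svr


def issue_proposed(client: Principal, service: Principal) -> bool:
    """Proposed rule: -allow_tix is checked on the requesting client only."""
    return client.allow_tix and service.allow_svr


def newly_issued(principals):
    """(client, service) name pairs refused today but issued after the change."""
    return [(c.name, s.name)
            for c, s in product(principals, repeat=2)
            if not issue_current(c, s) and issue_proposed(c, s)]


def needs_allow_svr(principals):
    """Principals that must also get -allow_svr to preserve current refusals."""
    return sorted({service for _, service in newly_issued(principals)})


# Constructed sample realm, not taken from the thread.
REALM = [
    Principal("alice@EXAMPLE.COM"),
    Principal("host/old.example.com@EXAMPLE.COM", allow_tix=False),
    Principal("host/locked.example.com@EXAMPLE.COM",
              allow_tix=False, allow_svr=False),
    Principal("disabled-user@EXAMPLE.COM", allow_tix=False),
]

if __name__ == "__main__":
    for client, service in newly_issued(REALM):
        print(f"would start issuing: {client} -> {service}")
    for name in needs_allow_svr(REALM):
        print(f"add -allow_svr to keep current behaviour: {name}")
```

Principals that already carry both attributes, such as the constructed `host/locked` entry, are unaffected under either rule.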