Greg Hudson wrote:
> On Tue, 2009-03-24 at 17:25 +0100, Frank Gruellich wrote:
>> But for some reason it does not work with the kadmin/admin service
>> principal:
> If you go into kadmin and run "getprinc kadmin/admin", you should see:
>
> Attributes: DISALLOW_TGT_BASED
>
> which means you can only get a ticket for this principal with an initial
> ticket request and not with a TGT. You can change this with "modprinc
> +allow_tgs_req kadmin/admin"

True, works. Thanks.

> but I believe that would compromise the requirement that people have
> to reenter their passwords in order to run kadmin.

But that's, in fact, my intention. I know that kadmin is some kind of critical tool. If security aspects are the only problem with this setup, I'll drop them. I accept that the kadmin/admin service is just something like host/eloy.example.com.

> For the purposes of your script, you can either treat a "KDC policy
> rejects request" error as an indication that the principal exists, or
> you can assume you won't run into that situation on any of the
> principals you are managing with the script.

Oh, that's a good idea, too. But at some point the script's caller has to make changes to the KDC database, so I need the kadmin/admin ticket anyway.

Thanks a lot for your help.

Kind regards,
--
Navteq (DE) GmbH
Frank Gruellich
Map24 Systems and Networks
Duesseldorfer Strasse 40a
65760 Eschborn
Germany
Phone: +49 6196 77756-414
Fax: +49 6196 77756-100
USt-ID-No.: DE 197947163
Managing Directors: Thomas Golob, Alexander Wiegand, Hans Pieter Gieszen, Martin Robert Stockman
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
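The suggestion above, that a management script can treat a "KDC policy rejects request" error as proof that the principal exists rather than clearing DISALLOW_TGT_BASED on kadmin/admin, can be implemented in the script's result handling. The following is an added example, not code from the thread or from MIT Kerberos: two POSIX shell functions, one that classifies the exit status and error text of a TGT-based service-ticket request such as `kvno <principal>`, and one that checks the `Attributes:` line of `getprinc` output for DISALLOW_TGT_BASED. The sample getprinc output and error strings are constructed for the demonstration; the error phrases follow the wording MIT krb5 tools use, but the function names and the `kvno` wrapper are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Distinguish "principal does not exist"
# from "principal exists but refuses TGT-based requests" so a script need not
# weaken kadmin/admin with "modprinc +allow_tgs_req".

# classify_kvno_result <exit-status> <stderr-text>
# Prints one of: exists | exists-tgt-disallowed | missing | unknown
classify_kvno_result() {
    status="$1"
    err="$2"
    if [ "$status" -eq 0 ]; then
        # A service ticket was issued from the TGT: the principal exists.
        echo exists
        return 0
    fi
    case "$err" in
        *"KDC policy rejects request"*)
            # The KDC knows the principal but its attributes (here
            # DISALLOW_TGT_BASED) forbid a TGT-based request. For an
            # existence check this still counts as "exists".
            echo exists-tgt-disallowed ;;
        *"not found in Kerberos database"*)
            # KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN style error: no such principal.
            echo missing ;;
        *)
            echo unknown ;;
    esac
}

# has_disallow_tgt_based <getprinc-output>
# Succeeds (exit 0) when the "Attributes:" line of `kadmin -q "getprinc ..."`
# output lists DISALLOW_TGT_BASED, fails (exit 1) otherwise.
has_disallow_tgt_based() {
    printf '%s\n' "$1" | grep -E '^Attributes:.*DISALLOW_TGT_BASED' >/dev/null
}

# Constructed sample of getprinc output for the kadmin/admin principal.
SAMPLE_GETPRINC='Principal: kadmin/admin@EXAMPLE.COM
Expiration date: [never]
Attributes: DISALLOW_TGT_BASED
Policy: [none]'

# Constructed sample error texts as a script would capture them from kvno.
SAMPLE_POLICY_ERR='kvno: KDC policy rejects request while getting credentials for kadmin/admin@EXAMPLE.COM'
SAMPLE_MISSING_ERR='kvno: Server not found in Kerberos database while getting credentials for nosuch/host@EXAMPLE.COM'

# check_principal <principal>: hypothetical wrapper showing how the classifier
# would be wired to a real kvno call in a script (not run by the demo below).
check_principal() {
    err=$(kvno "$1" 2>&1 >/dev/null)
    classify_kvno_result "$?" "$err"
}

# Demo on the constructed samples.
echo "kadmin/admin:  $(classify_kvno_result 1 "$SAMPLE_POLICY_ERR")"
echo "nosuch/host:   $(classify_kvno_result 1 "$SAMPLE_MISSING_ERR")"
if has_disallow_tgt_based "$SAMPLE_GETPRINC"; then
    echo "getprinc shows DISALLOW_TGT_BASED: TGT-based requests will be rejected"
fi
```

Keeping DISALLOW_TGT_BASED on kadmin/admin preserves the property that administrators must re-enter their password (an initial ticket request) to use kadmin; the classifier lets the existence check live with that instead of removing it.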
