On Thu, 17 Nov 2011, Chris Hecker wrote:

> From: Chris Hecker <[email protected]>
> To: "[email protected]" <[email protected]>
> Date: Thu, 17 Nov 2011 23:49:39
> Subject: 2 preauth questions

...

> 2. On a related note, is there any way to default
> +requires_preauth on princs? There are password policies, but I
> didn't see any way to have attribute policies that would allow
> +requires_preauth +disallow_svr as the default for all my princs
> created through kadmin manually. When I create accounts using my
> perl Authen::Krb5::Admin scripts, I set the flags correctly, of
> course, it's just sometimes nice to drop into kadmin quickly to
> make a test account.

You could use the default_principal_flags setting in the realms
section of your kdc.conf file. Then the kdc takes care of some
defaults. I've used:

    default_principal_flags = +postdateable,+forwardable,+tgt-based,+renewable,+proxiable,+dup-skey,+allow-tickets,+service,+preauth

Note: the above +preauth setting will only work on service
principals if you're using a recent version of MIT's software. I
raised this point some time ago and I vaguely remember Greg Hudson
explaining why this is so.

However, we currently don't want +preauth set on service principals,
just in case we have old "user" principals still without +preauth.
This shouldn't be the case; we're just being cautious. So this
"wrong" behaviour in older software is fine with us.

-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[email protected] Phone: +44 1225 386101
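
An added example, not part of the original message or of MIT Kerberos: a small audit that reads the [realms] section of a kdc.conf and lists realms whose default_principal_flags does not explicitly enable preauth. The sample file and its realm names are constructed, and the parser assumes the comma-separated +flag/-flag syntax shown in the reply.

```python
import re

# Constructed sample kdc.conf; realm names are placeholders, not from the post.
SAMPLE_KDC_CONF = """
[kdcdefaults]
    kdc_ports = 88

[realms]
    EXAMPLE.COM = {
        max_life = 10h 0m 0s
        default_principal_flags = +postdateable,+forwardable,+renewable,+preauth
    }
    TEST.EXAMPLE.COM = {
        # flags set, but preauth is not among them
        default_principal_flags = +forwardable, -service
    }
    LEGACY.EXAMPLE.COM = {
        max_life = 10h 0m 0s
    }
"""

def realm_default_flags(conf_text):
    """Return {realm: {flag: enabled}} for every realm under [realms]."""
    realms, section, realm = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
            continue
        if section != "realms":
            continue
        if line == "}":
            realm = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":                      # "REALM = {" opens a realm block
            realm = key
            realms[realm] = {}
        elif realm and key == "default_principal_flags":
            for tok in re.split(r"[,\s]+", value):
                if len(tok) > 1 and tok[0] in "+-":
                    realms[realm][tok[1:]] = tok[0] == "+"
    return realms

def realms_without_preauth(conf_text):
    """Realms where preauth is not explicitly enabled as a principal default."""
    flags = realm_default_flags(conf_text)
    return sorted(r for r, f in flags.items() if not f.get("preauth"))
```

A realm reported here only lacks the explicit default; individual principals may still have the attribute set through kadmin.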
