Hi, any chance this has changed in the last ten years? I notice that in the install guide[1], there is an example kadm5.acl with users from two different realms. I tried this, but kadmin keeps trying to contact the user's realm's KDC to get a service key for kadmin/admin instead of contacting the specified realm's KDC. (In the example below, kadmin contacts ADTEST for the service principal kadmin/admin, where I think it should be contacting SCIENCE. 192.168.56.101 is SCIENCE's admin server, but it is not being contacted.)
> kadmin -r SCIENCE.UNSW.EDU.AU -p [email protected] -s 192.168.56.101
Authenticating as principal [email protected] with password.
Password for [email protected]:
Password for [email protected]:
kadmin: Database error! Required KADM5 principal missing while initializing kadmin interface

Thanks,
Jayen

[1] http://web.mit.edu/kerberos/krb5-latest/krb5-1.10.2/doc/krb5-install.html#Add-Administrators-to-the-Acl-File

On Wed, Mar 13, 2002 at 6:25 AM, Ken Hornstein <[email protected]> wrote:
>
> >Kerberos FAQ states it's possible (although does not recommend)
> >we can refer foreign principals giving them rights in kadm5.acl
> >file if we trust foreign KDC.
>
> Are you sure it says that? As the author of the Kerberos FAQ, I can't
> find that (it does mention about ACLs, but doesn't specifically mention
> kadm5.acl).
>
> >Since we have a multi-realm KDC and in real life the same
> >people will manage those realms, I'd like to give permissions
> >to the same principal and if possible I wouldn't like to
> >create user/admin@REALM1, user/admin@REALM2. I just want to
> >insert an entry for user/admin@REALM1 in kadm5.acl file
> >for each domain.
>
> Unfortunately ... because kadmin/admin is set to only allow AS_REQ based
> requests (which you don't want to change, trust me) and there's no way
> to do cross-realm without a TGS-based request, then you're stuck. You can't
> do what you want.
>
> --Ken
>
> ________________________________________________
> Kerberos mailing list
> [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
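Ken's point is that kadmin/admin only accepts AS_REQ authentication, so a kadm5.acl entry that names a principal from another realm can never be matched by an authenticated administrator. The following is an added example, not code from this thread or from MIT krb5: it reads a kadm5.acl and flags entries whose principal realm differs from the KDC's own realm. The ACL contents and realm names are constructed sample values modelled on the thread, and treating a principal written without a realm as local is an assumption.

```python
"""Flag kadm5.acl entries that can never match because their realm is foreign.

Added example; not part of the thread or of MIT krb5. Assumes the usual
kadm5.acl line shape: principal  permissions  [target_principal [restrictions]].
"""

# Constructed sample ACL (not from the thread). Line 3 names a foreign realm.
SAMPLE_ACL = """\
# principal                     permissions   [target]
*/admin@SCIENCE.UNSW.EDU.AU     *
jayen/admin@ADTEST              *
helpdesk/admin                  cil           */*@SCIENCE.UNSW.EDU.AU
"""


def parse_acl(acl_text):
    """Yield (lineno, principal, permissions, target) for each ACL entry."""
    for lineno, raw in enumerate(acl_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected 'principal perms [target]'")
        target = fields[2] if len(fields) > 2 else None
        yield lineno, fields[0], fields[1], target


def realm_of(principal, local_realm):
    """Realm component of a principal; no '@' is assumed to mean the local realm."""
    _, at, realm = principal.rpartition("@")
    return realm if at else local_realm


def foreign_entries(acl_text, local_realm):
    """Return [(lineno, principal, realm)] for entries outside local_realm.

    A literal '*' realm is treated as a wildcard and not reported.
    """
    flagged = []
    for lineno, principal, _perms, _target in parse_acl(acl_text):
        realm = realm_of(principal, local_realm)
        if realm != "*" and realm != local_realm:
            flagged.append((lineno, principal, realm))
    return flagged


if __name__ == "__main__":
    for lineno, principal, realm in foreign_entries(SAMPLE_ACL, "SCIENCE.UNSW.EDU.AU"):
        print(f"line {lineno}: {principal} is in realm {realm}; "
              "kadmin/admin is AS_REQ-only, so this entry cannot be matched")
```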
