On 02/04/2014 11:39 PM, Damien Touraine wrote:
> I am looking for a method to filter ticket granting.
> For instance, I have two NFS servers (nfs/server1@REALM and
> nfs/server2@REALM) and one computer client (nfs/client@REALM).
> I want Kerberos to grant nfs/client@REALM for nfs/server1@REALM, but
> forbid nfs/client@REALM for nfs/server2@REALM.
> Is it possible?
The traditional Kerberos viewpoint is that access control takes place on the application server, not the KDC, so it is the responsibility of nfs/server2 to decide what privileges, if any, to grant to nfs/client. There have always been exceptions (such as the unwillingness of the KDC to grant TGS requests for the kadmin service by default), but in general that's been the party line.

Because of that, there aren't very many administrator-visible policy facilities in the MIT krb5 KDC. I believe there isn't any way to do what you want without editing the KDC source code or creating a new KDB module.

We have been considering adding a ticket policy plugin interface in a future release, and may do so in the future, but we don't currently have a timeline for it.

________________________________________________
Kerberos mailing list
https://mailman.mit.edu/mailman/listinfo/kerberos
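The reply's point is that the KDC will issue the service ticket regardless, so the allow/deny decision for nfs/client has to live in the service itself. The following is an added example (not code from this thread, MIT krb5 or any NFS implementation) of what that server-side check looks like: it parses the authenticated client principal structurally, honouring Kerberos backslash escapes so that `nfs\/client@REALM` (a single component) is not mistaken for `nfs/client@REALM`, and applies a default-deny allowlist keyed by the service principal. The policy table, the `Principal`/`authorize` names and the scenario values are constructed for the example.

```python
# Added example (not from the mailing-list thread): the authorization check an
# application server such as nfs/server2 performs itself, after the KDC has
# already authenticated the client and issued it a ticket for this service.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Principal:
    """A parsed Kerberos principal: name components plus realm."""
    components: Tuple[str, ...]
    realm: str


def parse_principal(text: str) -> Principal:
    """Parse 'comp1/comp2@REALM'.

    A backslash escapes the next character, so '/' and '@' can appear inside
    a component: 'nfs\\/client@REALM' is ONE component named 'nfs/client',
    which is a different principal from 'nfs/client@REALM'.
    """
    comps = []
    cur = []
    realm = None  # becomes "" once the unescaped '@' has been seen
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])  # escaped character, taken literally
            i += 2
            continue
        if realm is None and ch == "/":
            comps.append("".join(cur))
            cur = []
        elif realm is None and ch == "@":
            comps.append("".join(cur))
            cur = []
            realm = ""  # everything after this point is the realm
        else:
            cur.append(ch)
        i += 1
    if realm is None:
        raise ValueError(f"principal {text!r} has no realm")
    realm = "".join(cur)
    if not realm or any(c == "" for c in comps):
        raise ValueError(f"malformed principal {text!r}")
    return Principal(tuple(comps), realm)


def build_policy(raw: Dict[str, Tuple[str, ...]]) -> Dict[Principal, FrozenSet[Principal]]:
    """Turn a textual allowlist (service principal -> allowed clients) into
    parsed Principal objects so comparisons are structural, not textual."""
    return {
        parse_principal(service): frozenset(parse_principal(c) for c in clients)
        for service, clients in raw.items()
    }


def authorize(server: str, client: str,
              policy: Dict[Principal, FrozenSet[Principal]]) -> bool:
    """Server-side decision: may this authenticated client use this service?
    Unknown services, unlisted clients, foreign realms and unparsable names
    are all denied (default deny)."""
    try:
        srv = parse_principal(server)
        cli = parse_principal(client)
    except ValueError:
        return False
    return cli in policy.get(srv, frozenset())


# Constructed policy mirroring the thread's scenario: server1 accepts nfs/client,
# server2 accepts nobody. Hypothetical values, not taken from any real KDB.
POLICY = build_policy({
    "nfs/server1@REALM": ("nfs/client@REALM",),
    "nfs/server2@REALM": (),
})

if __name__ == "__main__":
    cases = [
        ("nfs/server1@REALM", "nfs/client@REALM"),        # allow
        ("nfs/server2@REALM", "nfs/client@REALM"),        # deny: not listed
        ("nfs/server1@REALM", "nfs/client@OTHER.REALM"),  # deny: wrong realm
        ("nfs/server1@REALM", "nfs\\/client@REALM"),      # deny: single component
    ]
    for srv, cli in cases:
        verdict = "allow" if authorize(srv, cli, POLICY) else "deny"
        print(f"{cli:>26} -> {srv}: {verdict}")
```

Comparing parsed `Principal` objects rather than raw strings is the point of the escape handling: a naive string match would either accept lookalike names or reject legitimately escaped ones, and the KDC, per the reply, does nothing to protect the service from either.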
