On 05/02/2014 06:40, Greg Hudson wrote:
> On 02/04/2014 11:39 PM, Damien Touraine wrote:
> > I am looking for a method to filter ticket granting.
> > For instance, I have two NFS servers (nfs/server1@REALM and
> > nfs/server2@REALM) and one computer client (nfs/client@REALM).
> > I want kerberos to grant nfs/client@REALM for nfs/server1@REALM, but
> > forbid nfs/client@REALM for nfs/server2@REALM.
> > Is it possible?
>
> The traditional Kerberos viewpoint is that access control takes place
> on the application server, not the KDC, so it is the responsibility of
> nfs/server2 to decide what privileges, if any, to grant to nfs/client.
> There have always been exceptions (such as the unwillingness of the KDC
> to grant TGS requests for the kadmin service by default), but in general
> that's been the party line. Because of that, there aren't very many
> administrator-visible policy facilities in the MIT krb5 KDC. I believe
> there isn't any way to do what you want without editing the KDC source
> code or creating a new KDB module.
>
> We have been considering adding a ticket policy plugin interface in a
> future release, and may do so in the future, but we don't currently have
> a timeline for it.
Hi Greg,
Thank you for your answer.
I'm not a complete dummy in C development and the KDC source code
seems clean. Do you think I can try to investigate the development of
such a ticket policy plugin interface? Although I don't guarantee that I
will manage to produce something. Do you have specifications for such
behaviour?
Regards,
Damien
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos