Chris Hecker <[email protected]> writes: > If -allow_tgs_req / DISALLOW_TGT_BASED is set on a service princ then I > shouldn't be able to kinit with it, right? I'm able to get TGTs though > with kinit and the keytab for this service, and then get service tickets > with kvno; I need to update my KDC and see if this is still true, or > mabye I'm misunderstanding how it works...?
That prevents other principals from getting service tickets for that principal using a TGT. It's intended for principals like kadmin/changepw that want to force an AS-REQ to get a service ticket for that principal. It doesn't have any effect on authenticating as that principal. -- Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
