directory-dev mailing list archives

From "Shawn Eion Smith (JIRA)" <j...@apache.org>
Subject [jira] [Created] (DIRKRB-605) Remote Admin client init creates a TGT, which cannot be used to acquire a TGS for kadmin/admin
Date Fri, 29 Jul 2016 20:15:20 GMT
Shawn Eion Smith created DIRKRB-605:
---------------------------------------

             Summary: Remote Admin client init creates a TGT, which cannot be used to acquire a TGS for kadmin/admin
                 Key: DIRKRB-605
                 URL: https://issues.apache.org/jira/browse/DIRKRB-605
             Project: Directory Kerberos
          Issue Type: Bug
            Reporter: Shawn Eion Smith


It's certainly possible I'm misunderstanding, but wire traces show that the JAAS authentication
attempting to access kadmin in RemoteAdminClientTool is not retrieving a TGS for kadmin/admin,
but rather a TGT. That TGT cannot be used to acquire a TGS as per policy.

Per the func spec (https://github.com/krb5/krb5/blob/50a3c3cbeab32577fba2b21deb72a64015c48ec7/doc/kadm5/api-funcspec.tex#L775)
"Two Kerberos principals exist for use in communicating with the Admin
system: kadmin/admin and kadmin/changepw.  Both principals
have the KRB5_KDB_DISALLOW_TGT_BASED bit set in their attributes so
that service tickets for them can only be acquired via a
password-based (AS_REQ) request."

Please correct me if I'm misunderstanding.  Thanks.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
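To make the policy the report quotes concrete, here is a small added illustration (not Kerby's code, nor the MIT reference implementation): a toy KDC that models the two request types and the `DISALLOW_TGT_BASED` attribute. The realm, principal database and flag names are constructed for the example; `tgt_then_tgs_flow` is the sequence the reporter observed on the wire, and `direct_as_req_flow` is the sequence the funcspec requires.

```python
"""Toy model of the KDC rule quoted from the kadm5 funcspec (added example, not project code).

Two ways to obtain a ticket:
  AS_REQ  - the client proves knowledge of its long-term key (password). The
            KDC normally returns a TGT (sname krbtgt/REALM), but the request may
            name another service, in which case a service ticket is returned.
  TGS_REQ - the client presents a TGT and asks for a service ticket.

A principal carrying DISALLOW_TGT_BASED may only be issued through AS_REQ.
"""
from dataclasses import dataclass

REALM = "EXAMPLE.COM"                       # constructed realm
TGT_SNAME = f"krbtgt/{REALM}"
DISALLOW_TGT_BASED = "DISALLOW_TGT_BASED"   # models KRB5_KDB_DISALLOW_TGT_BASED


@dataclass(frozen=True)
class Ticket:
    client: str
    sname: str
    via: str  # "AS_REQ" or "TGS_REQ": which exchange produced the ticket


class PolicyError(Exception):
    """Raised where a real KDC would return a KRB-ERROR."""


class ToyKdc:
    def __init__(self, principals):
        # principals: {principal name: set of attribute flags}
        self.principals = principals

    def as_req(self, client, password_ok, sname=None):
        """Password-based initial request; sname defaults to the TGT service."""
        if not password_ok:
            raise PolicyError("pre-authentication failed")
        sname = sname or TGT_SNAME
        if sname not in self.principals:
            raise PolicyError(f"unknown principal {sname}")
        # No TGT is involved, so DISALLOW_TGT_BASED does not apply here.
        return Ticket(client, sname, "AS_REQ")

    def tgs_req(self, tgt, sname):
        """TGT-based request; refused for principals that disallow TGT-based tickets."""
        if tgt.sname != TGT_SNAME:
            raise PolicyError("presented ticket is not a TGT")
        attrs = self.principals.get(sname)
        if attrs is None:
            raise PolicyError(f"unknown principal {sname}")
        if DISALLOW_TGT_BASED in attrs:
            raise PolicyError(f"{sname}: service ticket must be acquired via AS_REQ")
        return Ticket(tgt.client, sname, "TGS_REQ")


def sample_kdc():
    """Constructed principal database mirroring the funcspec's two admin principals."""
    return ToyKdc({
        TGT_SNAME: set(),
        "kadmin/admin": {DISALLOW_TGT_BASED},
        "kadmin/changepw": {DISALLOW_TGT_BASED},
        "host/server.example.com": set(),
    })


def tgt_then_tgs_flow(kdc, client):
    """Sequence the report observed: obtain a TGT, then TGS_REQ for kadmin/admin."""
    tgt = kdc.as_req(client, password_ok=True)
    return kdc.tgs_req(tgt, "kadmin/admin")


def direct_as_req_flow(kdc, client):
    """Sequence the funcspec requires: AS_REQ that names kadmin/admin as the service."""
    return kdc.as_req(client, password_ok=True, sname="kadmin/admin")


if __name__ == "__main__":
    kdc = sample_kdc()
    try:
        tgt_then_tgs_flow(kdc, "alice")
    except PolicyError as err:
        print("TGT-based path refused:", err)
    print("direct AS_REQ path:", direct_as_req_flow(kdc, "alice"))
```

The refusal in `tgs_req` is the behaviour the reporter saw: the TGT is valid, but the target principal's attribute makes it unusable for this service. The `direct_as_req_flow` corresponds to what an admin client has to do instead (MIT's `kinit -S <service>` is the command-line form of an AS_REQ with an alternate service name).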
