directory-dev mailing list archives

From "Jiajia Li (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DIRKRB-605) Remote Admin client init creates a TGT, which cannot be used to acquire a TGS for kadmin/admin
Date Tue, 02 Aug 2016 07:11:20 GMT

    [ https://issues.apache.org/jira/browse/DIRKRB-605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15403512#comment-15403512 ]

Jiajia Li commented on DIRKRB-605:
----------------------------------

Thanks for reporting. Our remote admin is still under development and is not compatible
with MIT Kerberos. I have one question: do you use the Kerby client with the MIT KDC in the screenshot?
And it will be great if you can take some time to fix this issue.

> Remote Admin client init creates a TGT, which cannot be used to acquire a TGS for kadmin/admin
> ---------------------------------------------------------------------------------------------
>
>                 Key: DIRKRB-605
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-605
>             Project: Directory Kerberos
>          Issue Type: Bug
>            Reporter: Shawn Eion Smith
>         Attachments: command-line-kadmin.png, kerby-kadmin-tgs-request.png, kerby-kadmin-tgs-response.png, kerby-kadmin-tgt-request.png
>
>
> It's certainly possible I'm misunderstanding, but wire traces show that the JAAS
> authentication attempting to access kadmin in RemoteAdminClientTool is not retrieving a TGS
> for kadmin/admin, but rather a TGT. That TGT cannot be used to acquire a TGS as per policy.
>
> Per the func spec (https://github.com/krb5/krb5/blob/50a3c3cbeab32577fba2b21deb72a64015c48ec7/doc/kadm5/api-funcspec.tex#L775):
> "Two Kerberos principals exist for use in communicating with the Admin
> system: kadmin/admin and kadmin/changepw.  Both principals
> have the KRB5_KDB_DISALLOW_TGT_BASED bit set in their attributes so
> that service tickets for them can only be acquired via a
> password-based (AS_REQ) request."
> Please correct me if I'm misunderstanding.  Thanks.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
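The policy the issue description quotes is easiest to see with both exchanges side by side. The following is an added example, not code from Apache Kerby or MIT krb5: a constructed, simplified model of a KDC with a principal database in which kadmin/admin and kadmin/changepw carry the DISALLOW_TGT_BASED attribute. The realm EXAMPLE.COM, the principal alice, her password, and the reduced set of error names are all assumptions made for the example. It contrasts the flow the report describes (obtain a TGT, then ask the TGS for kadmin/admin) with the flow the func spec requires (name kadmin/admin directly in the password-based AS-REQ, which is what `kinit -S kadmin/admin` does against an MIT KDC).

```python
"""Simplified model of the KDC policy behind KRB5_KDB_DISALLOW_TGT_BASED.

Constructed example: a toy principal database and two request handlers.
Not the Kerby or MIT implementation; error names are reduced to the ones
needed to show the policy decision.
"""
from dataclasses import dataclass
from enum import Flag, auto

REALM = "EXAMPLE.COM"                      # assumption
TGS_PRINCIPAL = f"krbtgt/{REALM}@{REALM}"


class Attr(Flag):
    """Subset of principal attribute bits (names follow MIT's kdb flags)."""
    NONE = 0
    DISALLOW_TGT_BASED = auto()   # service tickets only via AS-REQ
    REQUIRES_PRE_AUTH = auto()


@dataclass
class Ticket:
    client: str
    service: str
    via: str      # "AS_REQ" or "TGS_REQ": which exchange issued it


# Constructed principal database (sample data, not a real realm).
PRINCIPALS = {
    TGS_PRINCIPAL: Attr.NONE,
    f"kadmin/admin@{REALM}": Attr.DISALLOW_TGT_BASED,
    f"kadmin/changepw@{REALM}": Attr.DISALLOW_TGT_BASED,
    f"host/www.example.com@{REALM}": Attr.NONE,
    f"alice@{REALM}": Attr.REQUIRES_PRE_AUTH,
}
PASSWORDS = {f"alice@{REALM}": "hunter2"}   # constructed secret


class KdcError(Exception):
    """Raised where a real KDC would answer with a KRB-ERROR."""


def as_req(client: str, password: str, sname: str = TGS_PRINCIPAL) -> Ticket:
    """AS exchange: the client proves its long-term key (here, a password)
    and names the service it wants. The default sname is the TGS, i.e. the
    answer is a TGT; any other service principal may be named instead."""
    if client not in PRINCIPALS:
        raise KdcError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
    if sname not in PRINCIPALS:
        raise KdcError("KDC_ERR_S_PRINCIPAL_UNKNOWN")
    if PASSWORDS.get(client) != password:
        raise KdcError("KDC_ERR_PREAUTH_FAILED")
    return Ticket(client, sname, via="AS_REQ")


def tgs_req(tgt: Ticket, sname: str) -> Ticket:
    """TGS exchange: the client presents a TGT instead of its key. This is
    where DISALLOW_TGT_BASED on the target service is enforced."""
    if tgt.service != TGS_PRINCIPAL:
        raise KdcError("presented ticket is not a TGT")
    if sname not in PRINCIPALS:
        raise KdcError("KDC_ERR_S_PRINCIPAL_UNKNOWN")
    if Attr.DISALLOW_TGT_BASED in PRINCIPALS[sname]:
        raise KdcError(f"KDC_ERR_POLICY: {sname} disallows TGT-based requests")
    return Ticket(tgt.client, sname, via="TGS_REQ")


def tgt_then_tgs(client: str, password: str, sname: str):
    """The flow the issue reports: get a TGT, then ask the TGS for sname.
    Returns the Ticket on success or the KDC's error text on refusal."""
    tgt = as_req(client, password)
    try:
        return tgs_req(tgt, sname)
    except KdcError as err:
        return str(err)


def direct_as_req(client: str, password: str, sname: str) -> Ticket:
    """The flow the func spec requires for kadmin/admin: name the admin
    service in the password-based AS-REQ and never go through the TGS."""
    return as_req(client, password, sname=sname)


if __name__ == "__main__":
    alice, admin = f"alice@{REALM}", f"kadmin/admin@{REALM}"
    print("TGT then TGS-REQ :", tgt_then_tgs(alice, "hunter2", admin))
    print("direct AS-REQ    :", direct_as_req(alice, "hunter2", admin))
    print("ordinary service :", tgt_then_tgs(alice, "hunter2", f"host/www.example.com@{REALM}"))
```

For an ordinary service such as host/www.example.com the TGT-based path succeeds, so a client that always goes through the TGS works everywhere except for the two admin principals; that asymmetry is why the report's wire traces show a successful AS-REQ for a TGT followed by a refused TGS-REQ.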
