Date: Tue, 2 Aug 2016 07:11:20 +0000 (UTC)
From: "Jiajia Li (JIRA)"
To: dev@directory.apache.org
Subject: [jira] [Commented] (DIRKRB-605) Remote Admin client init creates a TGT, which cannot be used to acquire a TGS for kadmin/admin
Mailing-List: contact dev-help@directory.apache.org; run by ezmlm
Reply-To: "Apache Directory Developers List"
archived-at: Tue, 02 Aug 2016 07:11:22 -0000

[ https://issues.apache.org/jira/browse/DIRKRB-605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15403512#comment-15403512 ]

Jiajia Li commented on DIRKRB-605:
----------------------------------

Thanks for the report.
Our remote admin is still under development and is not compatible with MIT Kerberos. I have one question: do you use the Kerby client with the MIT KDC in the screenshot? And it would be great if you could take some time to fix this issue.

> Remote Admin client init creates a TGT, which cannot be used to acquire a TGS for kadmin/admin
> ---------------------------------------------------------------------------------------------
>
>                 Key: DIRKRB-605
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-605
>             Project: Directory Kerberos
>          Issue Type: Bug
>            Reporter: Shawn Eion Smith
>         Attachments: command-line-kadmin.png, kerby-kadmin-tgs-request.png, kerby-kadmin-tgs-response.png, kerby-kadmin-tgt-request.png
>
>
> It's certainly possible I'm misunderstanding, but wire traces show that the JAAS authentication attempting to access kadmin in RemoteAdminClientTool is not retrieving a TGS for kadmin/admin, but rather a TGT. That TGT cannot be used to acquire a TGS as per policy.
> Per the func spec (https://github.com/krb5/krb5/blob/50a3c3cbeab32577fba2b21deb72a64015c48ec7/doc/kadm5/api-funcspec.tex#L775): "Two Kerberos principals exist for use in communicating with the Admin system: kadmin/admin and kadmin/changepw. Both principals have the KRB5_KDB_DISALLOW_TGT_BASED bit set in their attributes so that service tickets for them can only be acquired via a password-based (AS_REQ) request."
> Please correct me if I'm misunderstanding. Thanks.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
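The policy the report quotes is easiest to see as the two request paths side by side. The following is an added example, not Kerby or MIT krb5 code: a toy model of the KDC decision, with the realm contents, principal names, the password-as-key shortcut and the Attr bit values all constructed for illustration. The one point that follows MIT behaviour is the rejection itself: a TGS-REQ for a server carrying DISALLOW_TGT_BASED fails with KDC_ERR_POLICY (RFC 4120 error code 12), which is what the reporter's Kerby client, having asked for a krbtgt ticket first, runs into. The direct path asks for kadmin/admin in the AS-REQ, which on an MIT client is what `kinit -S kadmin/admin user` does.

```python
"""Toy KDC model for DIRKRB-605: why a TGT cannot be exchanged for a
kadmin/admin service ticket, and what the client should send instead.
Added example; not Kerby or MIT krb5 code."""
from dataclasses import dataclass
from enum import Flag, auto

# Error codes from RFC 4120 section 7.5.9.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KDC_ERR_S_PRINCIPAL_UNKNOWN = 7
KDC_ERR_POLICY = 12
KDC_ERR_PREAUTH_FAILED = 24


class Attr(Flag):
    """Principal attribute bits, named after MIT's KRB5_KDB_* flags.
    The bit values are this model's own, not kdb.h's."""
    NONE = 0
    DISALLOW_TGT_BASED = auto()  # tickets for this server only via AS-REQ
    DISALLOW_SVR = auto()        # may never act as a ticket server
    REQUIRES_PRE_AUTH = auto()


@dataclass(frozen=True)
class Principal:
    name: str
    key: str                     # stands in for the long-term key (a password here)
    attributes: Attr = Attr.NONE


@dataclass(frozen=True)
class Ticket:
    cname: str
    sname: str
    obtained_via: str            # "AS-REQ" or "TGS-REQ"


class KdcError(Exception):
    def __init__(self, code: int, text: str):
        super().__init__(f"{text} (error code {code})")
        self.code = code


class Kdc:
    def __init__(self, realm: str, principals: list):
        self.realm = realm
        self.tgs_name = f"krbtgt/{realm}"
        self.db = {p.name: p for p in principals}

    def _lookup(self, name: str, code: int) -> Principal:
        p = self.db.get(name)
        if p is None:
            raise KdcError(code, f"{name} unknown")
        return p

    def as_req(self, cname: str, password: str, sname: str = None) -> Ticket:
        """Password-based initial request. sname defaults to the TGS but may
        name any server, which is how kadmin/admin tickets are meant to be got."""
        client = self._lookup(cname, KDC_ERR_C_PRINCIPAL_UNKNOWN)
        if client.key != password:
            raise KdcError(KDC_ERR_PREAUTH_FAILED, "pre-authentication failed")
        server = self._lookup(sname or self.tgs_name, KDC_ERR_S_PRINCIPAL_UNKNOWN)
        if Attr.DISALLOW_SVR in server.attributes:
            raise KdcError(KDC_ERR_POLICY, "server not allowed")
        return Ticket(cname, server.name, "AS-REQ")

    def tgs_req(self, tgt: Ticket, sname: str) -> Ticket:
        """TGT-based request: the branch the reporter's trace hits."""
        if tgt.sname != self.tgs_name:
            raise KdcError(KDC_ERR_POLICY, "presented ticket is not a TGT")
        server = self._lookup(sname, KDC_ERR_S_PRINCIPAL_UNKNOWN)
        if Attr.DISALLOW_TGT_BASED in server.attributes:
            raise KdcError(KDC_ERR_POLICY, "TGT BASED NOT ALLOWED")
        return Ticket(tgt.cname, server.name, "TGS-REQ")


def realm_with_kadmin() -> Kdc:
    """Constructed sample realm. kadmin/* carries DISALLOW_TGT_BASED as the
    quoted admin spec requires; the other entries are ordinary."""
    realm = "EXAMPLE.COM"
    return Kdc(realm, [
        Principal(f"krbtgt/{realm}", "tgs-key"),
        Principal("kadmin/admin", "kadmin-key", Attr.DISALLOW_TGT_BASED),
        Principal("kadmin/changepw", "changepw-key", Attr.DISALLOW_TGT_BASED),
        Principal("host/web.example.com", "host-key"),
        Principal("alice/admin", "alice-pw", Attr.REQUIRES_PRE_AUTH),
    ])


def tgt_then_tgs(kdc: Kdc, cname: str, password: str, sname: str):
    """The captured flow: get a TGT, then a TGS-REQ for sname.
    Returns the ticket, or the KDC error code when the KDC refuses."""
    tgt = kdc.as_req(cname, password)
    try:
        return kdc.tgs_req(tgt, sname)
    except KdcError as e:
        return e.code


def direct_as_req(kdc: Kdc, cname: str, password: str, sname: str) -> Ticket:
    """The flow the admin spec calls for: name the server in the AS-REQ."""
    return kdc.as_req(cname, password, sname)


if __name__ == "__main__":
    kdc = realm_with_kadmin()
    print(tgt_then_tgs(kdc, "alice/admin", "alice-pw", "kadmin/admin"))       # 12
    print(tgt_then_tgs(kdc, "alice/admin", "alice-pw", "host/web.example.com"))
    print(direct_as_req(kdc, "alice/admin", "alice-pw", "kadmin/admin"))
```

The same TGT that is refused for kadmin/admin is accepted for an ordinary service, so the failure is a property of the server entry, not of the client's credentials; a client that wants an admin ticket has to skip the TGT and put kadmin/admin in the AS-REQ's sname.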