Shawn Eion Smith created DIRKRB-605:
---------------------------------------
Summary: Remote Admin client init creates a TGT, which cannot be
used to acquire a TGS for kadmin/admin
Key: DIRKRB-605
URL: https://issues.apache.org/jira/browse/DIRKRB-605
Project: Directory Kerberos
Issue Type: Bug
Reporter: Shawn Eion Smith
It's certainly possible I'm misunderstanding, but wire traces show that
the JAAS authentication attempting to access kadmin in RemoteAdminClientTool is
not retrieving a TGS for kadmin/admin, but rather a TGT. That TGT cannot be
used to acquire a TGS as per policy.
Per the func spec
(https://github.com/krb5/krb5/blob/50a3c3cbeab32577fba2b21deb72a64015c48ec7/doc/kadm5/api-funcspec.tex#L775)
"Two Kerberos principals exist for use in communicating with the Admin
system: kadmin/admin and kadmin/changepw. Both principals
have the KRB5_KDB_DISALLOW_TGT_BASED bit set in their attributes so
that service tickets for them can only be acquired via a
password-based (AS_REQ) request."
Please correct me if I'm misunderstanding. Thanks.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
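The policy quoted from the funcspec, modelled as an added example (this is not Apache Kerby's or MIT krb5's code): a toy KDC check that refuses a TGS_REQ for any principal carrying DISALLOW_TGT_BASED and only issues its service ticket from an AS_REQ, beside the client-side decision the issue describes (send an AS_REQ naming kadmin/admin directly instead of obtaining a TGT first). The names PrincipalEntry, RequestType, kdc_can_issue_ticket, plan_client_request and simulate are assumptions; the flag value is the one MIT krb5's kdb.h defines; the realm EXAMPLE.COM and the KDB entries are constructed sample data.

```python
"""Toy model of the KRB5_KDB_DISALLOW_TGT_BASED policy (added example, not
Kerby's or MIT krb5's code).  All names below are hypothetical and the KDB
entries are constructed sample data."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple

# Attribute bit as defined in MIT krb5's kdb.h.
KRB5_KDB_DISALLOW_TGT_BASED = 0x00000004


class RequestType(Enum):
    AS_REQ = "AS_REQ"    # initial, password/keytab-based authentication
    TGS_REQ = "TGS_REQ"  # ticket-granting request that presents a TGT


@dataclass(frozen=True)
class PrincipalEntry:
    """Minimal stand-in for a KDB principal record."""
    name: str
    attributes: int = 0


def kdc_can_issue_ticket(server: PrincipalEntry,
                         request: RequestType) -> Tuple[bool, str]:
    """KDC-side rule: a service with DISALLOW_TGT_BASED set may only be the
    target of an AS_REQ; a TGS_REQ (TGT-based) for it is refused."""
    if server.attributes & KRB5_KDB_DISALLOW_TGT_BASED \
            and request is RequestType.TGS_REQ:
        return (False, f"{server.name}: DISALLOW_TGT_BASED set; "
                       "service ticket is only issued from an AS_REQ")
    return (True, "ok")


def plan_client_request(server: PrincipalEntry) -> RequestType:
    """Client-side decision the issue is about: for a service flagged
    DISALLOW_TGT_BASED the client must not fetch a TGT and then ask for a
    TGS; it must send an AS_REQ whose sname is the service itself."""
    if server.attributes & KRB5_KDB_DISALLOW_TGT_BASED:
        return RequestType.AS_REQ
    return RequestType.TGS_REQ


# Constructed sample KDB: the two admin principals carry the flag, an
# ordinary host service does not.
SAMPLE_KDB: Dict[str, PrincipalEntry] = {
    "kadmin/admin@EXAMPLE.COM": PrincipalEntry(
        "kadmin/admin@EXAMPLE.COM", KRB5_KDB_DISALLOW_TGT_BASED),
    "kadmin/changepw@EXAMPLE.COM": PrincipalEntry(
        "kadmin/changepw@EXAMPLE.COM", KRB5_KDB_DISALLOW_TGT_BASED),
    "host/db1.example.com@EXAMPLE.COM": PrincipalEntry(
        "host/db1.example.com@EXAMPLE.COM"),
}


def simulate(client_flow: RequestType, server_name: str) -> bool:
    """Run one request against the sample KDB and report the outcome."""
    entry = SAMPLE_KDB[server_name]
    allowed, reason = kdc_can_issue_ticket(entry, client_flow)
    verdict = "ISSUED" if allowed else "REFUSED"
    print(f"{client_flow.value:7} for {server_name}: {verdict} ({reason})")
    return allowed


if __name__ == "__main__":
    # The flow reported in the issue: TGT first, then a TGS for kadmin/admin.
    simulate(RequestType.TGS_REQ, "kadmin/admin@EXAMPLE.COM")
    # The flow the funcspec requires for the admin principals.
    for name in ("kadmin/admin@EXAMPLE.COM", "kadmin/changepw@EXAMPLE.COM"):
        simulate(plan_client_request(SAMPLE_KDB[name]), name)
    # An ordinary service is still reachable the normal, TGT-based way.
    simulate(RequestType.TGS_REQ, "host/db1.example.com@EXAMPLE.COM")
```

Running the block prints a REFUSED line for the TGT-based request against kadmin/admin and ISSUED lines for the AS_REQ path and for the ordinary host service; on a real KDC the equivalent of the first case shows up as a TGS-REQ error in the KDC log rather than a silent failure on the client.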