[ https://issues.apache.org/jira/browse/DIRKRB-605?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Shawn Eion Smith updated DIRKRB-605:
------------------------------------
Attachment: kerby-kadmin-tgt-request.png
            kerby-kadmin-tgs-response.png
            kerby-kadmin-tgs-request.png
            command-line-kadmin.png
> Remote Admin client init creates a TGT, which cannot be used to acquire a TGS
> for kadmin/admin
> ---------------------------------------------------------------------------------------------
>
> Key: DIRKRB-605
> URL: https://issues.apache.org/jira/browse/DIRKRB-605
> Project: Directory Kerberos
> Issue Type: Bug
> Reporter: Shawn Eion Smith
> Attachments: command-line-kadmin.png, kerby-kadmin-tgs-request.png,
> kerby-kadmin-tgs-response.png, kerby-kadmin-tgt-request.png
>
>
> It's certainly possible I'm misunderstanding, but doing wire traces shows that
> the JAAS authentication attempting to access kadmin in RemoteAdminClientTool
> is not retrieving a TGS for kadmin/admin, but rather a TGT. That TGT
> cannot be used to acquire a TGS as per policy.
> Per the func spec
> (https://github.com/krb5/krb5/blob/50a3c3cbeab32577fba2b21deb72a64015c48ec7/doc/kadm5/api-funcspec.tex#L775)
> "Two Kerberos principals exist for use in communicating with the Admin
> system: kadmin/admin and kadmin/changepw. Both principals
> have the KRB5_KDB_DISALLOW_TGT_BASED bit set in their attributes so
> that service tickets for them can only be acquired via a
> password-based (AS_REQ) request."
> Please correct me if I'm misunderstanding. Thanks.
--
This message was sent by Atlassian JIRA (v6.3.4#6332)
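To make the policy quoted in the report concrete, here is an added example (not Kerby's or MIT's code) modelling a KDC that enforces KRB5_KDB_DISALLOW_TGT_BASED: a TGS-REQ for kadmin/admin presented with a TGT is refused, while an AS-REQ that names kadmin/admin directly as the service succeeds. The realm, the client name and the principal database are constructed for the example.

```python
from dataclasses import dataclass

# Attribute bit named in the MIT kadm5 func spec; the principal table below is constructed.
DISALLOW_TGT_BASED = "KRB5_KDB_DISALLOW_TGT_BASED"
REALM = "EXAMPLE.COM"  # assumption
PRINCIPALS = {
    f"krbtgt/{REALM}": set(),
    "host/web.example.com": set(),
    "kadmin/admin": {DISALLOW_TGT_BASED},
    "kadmin/changepw": {DISALLOW_TGT_BASED},
}


@dataclass
class Ticket:
    client: str
    sname: str  # service principal the ticket is good for


def as_req(client: str, password_ok: bool, sname: str = f"krbtgt/{REALM}") -> Ticket:
    """AS-REQ: password-based. The client may ask for any service, kadmin/admin included."""
    if not password_ok:
        raise PermissionError("KDC_ERR_PREAUTH_FAILED")
    if sname not in PRINCIPALS:
        raise LookupError("KDC_ERR_S_PRINCIPAL_UNKNOWN")
    return Ticket(client, sname)


def tgs_req(tgt: Ticket, sname: str) -> Ticket:
    """TGS-REQ: TGT-based. Refused for any service flagged DISALLOW_TGT_BASED."""
    if not tgt.sname.startswith("krbtgt/"):
        raise ValueError("presented ticket is not a TGT")  # model-only check
    if sname not in PRINCIPALS:
        raise LookupError("KDC_ERR_S_PRINCIPAL_UNKNOWN")
    if DISALLOW_TGT_BASED in PRINCIPALS[sname]:
        raise PermissionError("KDC_ERR_POLICY")  # this is what the reported flow runs into
    return Ticket(tgt.client, sname)


def get_admin_ticket(client: str, password_ok: bool, via_tgt: bool) -> Ticket:
    """Both flows from the report: TGT then TGS-REQ (fails) vs. direct AS-REQ (works)."""
    if via_tgt:
        tgt = as_req(client, password_ok)        # what the report says the admin client does
        return tgs_req(tgt, "kadmin/admin")      # refused: KDC_ERR_POLICY
    return as_req(client, password_ok, "kadmin/admin")  # service ticket straight from AS-REQ


if __name__ == "__main__":
    print(get_admin_ticket("alice", True, via_tgt=False))
    try:
        get_admin_ticket("alice", True, via_tgt=True)
    except PermissionError as err:
        print("TGT-based request refused:", err)
```

The same TGT still works for ordinary services (host/web.example.com), which is why the failure is specific to the kadmin principals rather than to the TGT itself.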