[
https://issues.apache.org/jira/browse/DIRKRB-605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15403512#comment-15403512
]
Jiajia Li commented on DIRKRB-605:
----------------------------------
Thanks for the reporting. Our remote admin is still under development, and is
not compatible with mit kerberos, I have one question, do you use the kerby
client with mit kdc in the screenshot? And it will be great if you can take
some time to fix this issue.
> Remote Admin client init creates a TGT, which cannot be used to aquire a TGS
> for kadmin/admin
> ---------------------------------------------------------------------------------------------
>
> Key: DIRKRB-605
> URL: https://issues.apache.org/jira/browse/DIRKRB-605
> Project: Directory Kerberos
> Issue Type: Bug
> Reporter: Shawn Eion Smith
> Attachments: command-line-kadmin.png, kerby-kadmin-tgs-request.png,
> kerby-kadmin-tgs-response.png, kerby-kadmin-tgt-request.png
>
>
> It's certainly possible I'm misunderstanding, but doing wire traces show that
> the jaas authentication attempting to access kadmin in RemoteAdminClientTool
> is not retrieving a TGS for kadmin/admin, but rather a TGT. That TGT
> cannot be used to acquire a TGS as per policy.
> Per the func spec
> (https://github.com/krb5/krb5/blob/50a3c3cbeab32577fba2b21deb72a64015c48ec7/doc/kadm5/api-funcspec.tex#L775)
> "Two Kerberos principals exist for use in communicating with the Admin
> system: kadmin/admin and kadmin/changepw. Both principals
> have the KRB5_KDB_DISALLOW_TGT_BASED bit set in their attributes so
> that service tickets for them can only be acquired via a
> password-based (AS_REQ) request."
> Please correct me if I'm misunderstanding. Thanks.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
