On Thu, 3 Feb 2005, Tom Yu wrote:

> From: Tom Yu <[EMAIL PROTECTED]>
> To: Dennis Davis <[EMAIL PROTECTED]>
> Cc: Mike Dopheide <[EMAIL PROTECTED]>, [email protected]
> Date: Thu, 03 Feb 2005 13:15:54 -0500
> Subject: Re: KADMIN error

...

> Ok, that is very useful information to have.  The host-based kadmin
> principal name was a 1.4 change for SEAM compatibility.  It should
> fall back to kadmin/admin but does not appear to at the moment.  I'll
> investigate further.

Now I know what's happening, I quite like use of a host-based kadmin
principal.  Apart from the SEAM compatibility, it seems a useful
security measure.  It would help prevent obvious blunders like running
a kadmin daemon on a slave server.  It just wouldn't be able to do
anything if there was no fallback to kadmin/admin.

> Incidentally, one workaround for now is to use the '-O' flag to the
> kadmin client.

Thanks.  I spotted this last night when I started looking at the code
for the kadmin client.  The other obvious one is just to add the
kadmin/[EMAIL PROTECTED] principal to the database.  As a kerberos
administrator I can certainly do that!

I haven't checked, but I presume the kdb5_util command will now add
the host-based kadmin principal when creating a kerberos database.
Our current database was derived some years ago from a kerberos4
database.  So it's a long time since I had to start from scratch.

--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED] Phone: +44 1225 386101
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
