On Jun 18, 2008, at 16:33, Jeffrey Altman wrote:
> I believe that the meaning of allow_tix should be altered such that
> it only applies to the client in a TGS or AS request. This would
> permit -allow_tix to be applied to a service principal and ensure
> that no client ticket requests can be satisfied for that service
> principal while at the same time permitting other principals to
> obtain service tickets. Organizations that wish to disable the
> issuance of service tickets for the service principal would apply
> -allow_svr to the principal in addition to -allow_tix.

I think it should be pointed out that such a change would allow tickets to start being issued where currently they would not when the KDC software gets updated -- even if the latter really was the intent of the realm administrator. Because of that, we might instead want to create a new flag with the semantics Jeff wants, and leave the existing flag with its current (suboptimal) behavior.

Ken
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
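
As an added illustration that is not part of either message and is not MIT krb5 code, the simplified Python model below compares the current and proposed meaning of -allow_tix and lists the service principals for which tickets would start being issued after such a change. The function names and sample principals are constructed, and the current-behaviour rule is an assumption taken from the thread's description.

```python
# Simplified policy model (added example, not KDC source code).
# Flags use the kadmin spelling from the thread: "-allow_tix", "-allow_svr".

def issues_ticket(client_flags, server_flags, proposed):
    """Return True if the modelled KDC would issue a ticket for client -> server."""
    if "-allow_tix" in client_flags:
        return False  # both semantics: this client obtains no tickets
    if "-allow_svr" in server_flags:
        return False  # both semantics: no service tickets for this server
    if not proposed and "-allow_tix" in server_flags:
        return False  # assumed current behaviour: flag also blocks the service side
    return True


def newly_issuable(principals):
    """Service principals whose tickets are refused today but issued after the change."""
    ordinary_client = set()  # hypothetical client with no restricting flags
    return sorted(
        name
        for name, flags in principals.items()
        if not issues_ticket(ordinary_client, flags, proposed=False)
        and issues_ticket(ordinary_client, flags, proposed=True)
    )


# Constructed sample realm: principal name -> flags set by the administrator.
SAMPLE = {
    "host/a.example.com": {"-allow_tix"},
    "host/b.example.com": {"-allow_tix", "-allow_svr"},
    "host/c.example.com": {"-allow_svr"},
    "host/d.example.com": set(),
}

if __name__ == "__main__":
    for name in newly_issuable(SAMPLE):
        print("would start receiving service ticket requests:", name)
```

Principals that carry only -allow_tix are the ones an administrator would need to review before an upgrade under the proposed semantics; those that also carry -allow_svr stay blocked either way.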