I want to be able to disable client accounts when necessary, even if they currently have a live krbtgt. I understand I can't revoke live tickets, so any existing live sessions they have will still work until they expire, and I'm fine with that, but I don't want them to be able to get any more tickets to new services and users.
I thought setting -allow_tix and -allow_tgs_req would do it, but I can still get new valid tickets for services from an account with those flags set. The krb5kdc.log knows who's asking for the ticket, and it prints out:

Jul 24 02:45:55 blah.com krb5kdc[17432](info): TGS_REQ (4 etypes {18 17 16 23}) 1.1.1.1: ISSUE: authtime 1311493077, etypes {rep=18 tkt=18 ses=18}, a...@blah.com for b...@blah.com

even though a...@blah.com has:

Attributes: DISALLOW_TGT_BASED DISALLOW_ALL_TIX REQUIRES_PRE_AUTH

There must be some way to do this? I totally get the aspect of not being able to revoke live tickets and sessions, and those having to expire, but getting new tickets seems like something that should be disable-able?

The -allow_tgs_req entry in man kadmin seems like it would be what I want, since the log above says it's a TGS_REQ, but the entry says, "This option is useless for most things." so I'm obviously misunderstanding what it does. Yet -allow_tix only seems to prevent tickets from being issued _FOR_ the princ with it set, so b...@blah.com above, which I don't want to disable, since it's a service others will be using. I just want a...@blah.com to stop working.

As a bonus, I'd like services to be able to check if a...@blah.com has an enabled account, and -allow_tix seems to work for that, since if the service tries to get a ticket for a...@blah.com it fails.

What am I missing?

Thanks,
Chris

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
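The post quotes a krb5kdc.log TGS_REQ ISSUE line and a getprinc "Attributes:" line for a principal that was meant to be disabled. Whatever the KDC itself does with those flags, an operator can at least detect the situation the poster describes: service tickets being issued to a client principal whose attributes carry DISALLOW_ALL_TIX. The block below is an added example, not code from the original post or from MIT Kerberos. It parses the ISSUE line shape exactly as quoted above, collects disabled principals from getprinc-style output, and reports any TGS issuance whose requesting client is on that list. The hostnames, addresses, principals and the abbreviated getprinc dump are constructed sample data, and the non-ISSUE log line is constructed to show that only ISSUE lines are parsed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Shape of an MIT krb5kdc.log TGS issuance line as quoted in the post:
#   <syslog ts> <host> krb5kdc[<pid>](info): TGS_REQ (<n> etypes {...}) <addr>:
#   ISSUE: authtime <n>, etypes {...}, <client> for <server>
# The requesting client and the requested service are separated by " for ".
TGS_ISSUE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\(info\): "
    r"TGS_REQ \((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) (?P<addr>\S+): "
    r"ISSUE: authtime (?P<authtime>\d+), etypes \{[^}]*\}, "
    r"(?P<client>\S+) for (?P<server>\S+)$"
)


@dataclass
class TgsIssue:
    timestamp: str
    client_addr: str
    authtime: int
    client: str   # principal presenting the TGT
    server: str   # service principal the ticket was issued for


def parse_tgs_issue(line: str) -> Optional[TgsIssue]:
    """Parse one KDC log line; return None for anything that is not a TGS ISSUE."""
    m = TGS_ISSUE_RE.match(line.strip())
    if not m:
        return None
    return TgsIssue(m["ts"], m["addr"], int(m["authtime"]), m["client"], m["server"])


def disabled_principals(getprinc_output: str) -> Set[str]:
    """Collect principals whose 'Attributes:' line includes DISALLOW_ALL_TIX.

    Input is getprinc-style text ("Principal:" then "Attributes:" lines); the
    dump used below is abbreviated and constructed for this example.
    """
    disabled: Set[str] = set()
    current: Optional[str] = None
    for raw in getprinc_output.splitlines():
        line = raw.strip()
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("Attributes:") and current:
            if "DISALLOW_ALL_TIX" in line.split(":", 1)[1].split():
                disabled.add(current)
    return disabled


def find_issuance_to_disabled(log_lines: Iterable[str], disabled: Set[str]) -> List[TgsIssue]:
    """Return TGS issuances where the requesting client is a disabled principal.

    Note the check is on the client side of " for ", not the server side: the
    service principal is expected to stay enabled.
    """
    hits: List[TgsIssue] = []
    for line in log_lines:
        issue = parse_tgs_issue(line)
        if issue is not None and issue.client in disabled:
            hits.append(issue)
    return hits


# Constructed sample data (hostnames, addresses and principals are made up).
SAMPLE_LOG = """\
Jul 24 02:45:55 kdc.example.com krb5kdc[17432](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1311493077, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/web.example.com@EXAMPLE.COM
Jul 24 02:46:01 kdc.example.com krb5kdc[17432](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: ISSUE: authtime 1311493090, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for host/web.example.com@EXAMPLE.COM
Jul 24 02:46:07 kdc.example.com krb5kdc[17432](info): constructed non-ISSUE line, must be ignored by the parser
"""

SAMPLE_GETPRINC = """\
Principal: alice@EXAMPLE.COM
Attributes: DISALLOW_TGT_BASED DISALLOW_ALL_TIX REQUIRES_PRE_AUTH
Principal: bob@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH
"""

if __name__ == "__main__":
    disabled = disabled_principals(SAMPLE_GETPRINC)
    for hit in find_issuance_to_disabled(SAMPLE_LOG.splitlines(), disabled):
        print(f"{hit.timestamp} {hit.client_addr}: disabled client {hit.client} "
              f"still obtained a ticket for {hit.server} (authtime {hit.authtime})")
```

Feeding it a real krb5kdc.log together with the output of `kadmin getprinc` for the principals you have disabled gives the list the poster is asking about: clients flagged DISALLOW_ALL_TIX that are nevertheless still being issued service tickets on an existing TGT.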