I seem to like replying to myself late at night while trying to figure this stuff out...
While I'm in the KDC code, I notice this related check in validate_tgs_request:

    /* Server must be allowed to be a service */
    if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR)) {
        *status = "SERVER NOT ALLOWED";
        return(KDC_ERR_MUST_USE_USER2USER);
    }

Do I want to set -allow_svr on all my clients, since I know they'll only ever be clients in a client<->server relationship, or u2u with another client? Is there any reason to or not to set the flag?

Hmm, wait, if I set -allow_svr on b...@blah.com, then it fails even on a KRB5_GC_USER_USER krb5_get_credentials where b is the creds->server...

Hmm^2, this code is slightly different between 1.9.1 and 1.6.1, or at least the error return is different, so maybe this was fixed to work like I think it should after 1.6.1. I need to build my own kdc on CentOS...

Chris

On 2011/07/24 02:00, Chris Hecker wrote:
>
> More details from looking at the kdc code...it looks like
> validate_tgs_request in kdc_util.c only checks the server's attributes
> for KRB5_KDB_DISALLOW_ALL_TIX, while validate_as_request checks both
> client and server. It seems like it'd be easy to add the client check to
> validate_tgs_request, but I'd also have to get the client db entry in
> do_tgs_req.
>
> I must be missing something, though, since it seems like this would be
> something that's already supported...
>
> Chris
>
>
> On 2011/07/24 01:13, Chris Hecker wrote:
>>
>> I want to be able to disable client accounts when necessary, even if
>> they currently have a live krbtgt. I understand I can't revoke live
>> tickets, so any existing live sessions they have will still work until
>> they expire, and I'm fine with that, but I don't want them to be able to
>> get any more tickets to new services and users.
>>
>> I thought setting -allow_tix and -allow_tgs_req would do it, but I can
>> still get new valid tickets for services from an account with those
>> flags set.
>>
>> The krb5kdc.log knows who's asking for the ticket, and it prints out:
>>
>> Jul 24 02:45:55 blah.com krb5kdc[17432](info): TGS_REQ (4 etypes {18 17
>> 16 23}) 1.1.1.1: ISSUE: authtime 1311493077, etypes {rep=18 tkt=18
>> ses=18}, a...@blah.com for b...@blah.com
>>
>> even though a...@blah.com has:
>>
>> Attributes: DISALLOW_TGT_BASED DISALLOW_ALL_TIX REQUIRES_PRE_AUTH
>>
>> There must be some way to do this? I totally get the aspect of not being
>> able to revoke live tickets and sessions, and those having to expire,
>> but getting new tickets seems like something that should be disable-able?
>>
>> The -allow_tgs_req entry on man kadmin seems like it would be what I
>> want, since the log above says it's a TGS_REQ, but the entry says, "This
>> option is useless for most things." so I'm obviously misunderstanding
>> what it does. Yet -allow_tix only seems to prevent tickets from being
>> issued _FOR_ the princ with it set, so b...@blah.com above, which I don't
>> want to disable, since it's a service others will be using. I just want
>> a...@blah.com to stop working.
>>
>> As a bonus, I'd like services to be able to check if a...@blah.com has an
>> enabled account, and -allow_tix seems to work for that, since if the
>> service tries to get a ticket for a...@blah.com it fails.
>>
>> What am I missing?
>>
>> Thanks,
>> Chris
>>

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
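One compensating control for the gap the thread describes (a disabled client whose live TGT still gets service tickets), as an added example that is not from the post or from MIT Kerberos: a Python script that parses krb5kdc.log ISSUE records in the layout quoted above and reports tickets the KDC issued to principals you have disabled. The hostnames, addresses and principal names in the sample log are constructed.

```python
import re

# Constructed sample krb5kdc.log lines in the layout quoted in the thread; the
# host, client address and principal names are made up for this example.
SAMPLE_LOG = """\
Jul 24 02:44:37 kdc.example.com krb5kdc[17432](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: ISSUE: authtime 1311493100, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 24 02:45:55 kdc.example.com krb5kdc[17432](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1311493077, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/web.example.com@EXAMPLE.COM
Jul 24 02:46:10 kdc.example.com krb5kdc[17432](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: ISSUE: authtime 1311493100, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for host/web.example.com@EXAMPLE.COM
Jul 24 02:46:15 kdc.example.com krb5kdc[17432](info): closing down fd 11
"""

# Principals whose accounts were disabled in kadmin (DISALLOW_ALL_TIX). As the
# thread notes, the KDC may keep honouring TGS_REQs from such a client while
# its TGT is still live, so the log is the place to catch those issuances.
DISABLED = {"alice@EXAMPLE.COM"}

# One ISSUE record: timestamp, KDC host, request type, etype list, client
# address, authtime, reply/ticket/session etypes, then "client for server".
ISSUE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<addr>\S+): ISSUE: authtime (?P<authtime>\d+), "
    r"etypes \{[^}]*\}, (?P<client>\S+) for (?P<server>\S+)$"
)


def parse_issue(line):
    """Parse one ISSUE record into its fields; return None for any other line."""
    m = ISSUE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_disabled_client_issues(log_text, disabled):
    """Return (timestamp, request type, client, server) for every ticket the KDC
    issued to a principal in `disabled`; these are the sessions that outlive the
    account and need handling at the service until the tickets expire."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_issue(line)
        if rec and rec["client"] in disabled:
            hits.append((rec["ts"], rec["req"], rec["client"], rec["server"]))
    return hits


if __name__ == "__main__":
    for ts, req, client, server in find_disabled_client_issues(SAMPLE_LOG, DISABLED):
        print(f"{ts}: {req} issued to disabled principal {client} for {server}")
```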