On 01/09/2017 09:35 AM, Felix Weissbeck wrote:
> That does actually already work for me since I already have a little wrapper
> to obtain these admin tickets, so that my users get two prompts for Password
> and Yubikey. I can just add the kadmin functionality there.

I'm glad you found a workaround. I think I see two issues here:

1. kadmin has no equivalent of the kinit -T option.
2. Users should never see an "Invalid argument" error message.

Unfortunately, I can't reproduce this; in similar circumstances, I get a "Generic preauthentication failure" message as I would expect. (That error message could probably be improved, but it's at least better than an EINVAL.)

Can you run one of the failing cases with KRB5_TRACE=/dev/stdout and send me the output?

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos