Chris Hecker <chec...@d6.com> writes: > If -allow_tgs_req / DISALLOW_TGT_BASED is set on a service princ then I > shouldn't be able to kinit with it, right? I'm able to get TGTs though > with kinit and the keytab for this service, and then get service tickets > with kvno; I need to update my KDC and see if this is still true, or > mabye I'm misunderstanding how it works...?
That prevents other principals from getting service tickets for that principal using a TGT. It's intended for principals like kadmin/changepw that want to force an AS-REQ to get a service ticket for that principal. It doesn't have any effect on authenticating as that principal. -- Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
