Nico Williams writes:
> There's really no point to the /admin thing: since the server requires
> INITIAL tickets there's no risk of use of stolen TGTs for accessing
> kadmin, and if you were to have different pre-authentication
> requirements for kadmin than for initial TGTs the protocol does all
On 1/18/2013 2:13 PM, Bob Liu wrote:
> You should look at it this way... primary/instance@REALM
>
> In the case of a user, it's the same as your username. For a host, the
> primary is the word host.
> The instance is an optional string that qualifies the primary. In the
> case of a user, the i
Jeff Blaine writes:
> Can anyone explain away the reasoning behind the decision
> to make user principals need the form:
>
> specific_part/contextual_part
>
> e.g. jennifer/admin
>
> and service principals the OPPOSITE - of the form
>
> contextual_part/specific_part
>
>
You should look at it this way... primary/instance@REALM
In the case of a user, it's the same as your username. For a host, the
primary is the word host.
The instance is an optional string that qualifies the primary. In the
case of a user, the instance is usually null, but a user might a
On 01/18/2013 12:37 PM, Jonathan Reams wrote:
> Earlier this week we had a problem where kadmind exceeded its file
> descriptor ulimit with roughly a thousand open file descriptors for
> /var/tmp/kadmin_0.
That's a replay cache.
By my understanding of the code, kadmind should create 16-24 handles
On Fri, Jan 18, 2013 at 11:25 AM, Jeff Blaine wrote:
> Can anyone explain away the reasoning behind the decision
> to make user principals need the form:
>
> specific_part/contextual_part
>
> e.g. jennifer/admin
>
> and service principals the OPPOSITE - of the form
>
> contextual_pa
Earlier this week we had a problem where kadmind exceeded its file
descriptor ulimit with roughly a thousand open file descriptors for
/var/tmp/kadmin_0. Parts of our identity management system maintain a
number of connections to kadmin, and we think there may be something that
is initializing a ka
Can anyone explain away the reasoning behind the decision
to make user principals need the form:
specific_part/contextual_part
e.g. jennifer/admin
and service principals the OPPOSITE - of the form
contextual_part/specific_part
e.g. host/daffodil.mit.edu
What happened? Who