Discussion:
kadmin can't use TGT based?
Mark Roach
2005-01-03 00:19:47 UTC
Hi, I'm fairly new to Kerberos. I want to verify that I understand this
item correctly: Is it true that you can not use a TGT based ticket to
connect to the kadmin server? (And just to be extra clear) This means that
any application that uses the kadm5clnt library must prompt for a password
and use kadm5_init_with_password in order to connect successfully, right?

If that is the case, what is the purpose of kadm5_init_with_creds?

Thanks,

Mark Roach
Chaskiel M Grundman
2005-01-03 22:08:42 UTC
--On Monday, January 03, 2005 00:19:47 +0000 Mark Roach
Post by Mark Roach
Hi, I'm fairly new to Kerberos. I want to verify that I understand this
item correctly: Is it true that you can not use a TGT based ticket to
connect to the kadmin server?
If your realm is set up properly, then yes. It is proper practice to set
DISALLOW_TGT_BASED on the kadmin/admin, kadmin/changepw, and
changepw/kerberos service principals. That is, however, a policy decision,
not anything that is fixed in the protocol.
Post by Mark Roach
This means that
any application that uses the kadm5clnt library must prompt for a password
and use kadm5_init_with_password in order to connect successfully, right?
In most circumstances, yes; applications need to be able to prompt for a
password.
Post by Mark Roach
If that is the case, what is the purpose of kadm5_init_with_creds?
It is possible to obtain and store credentials for kadmin/admin in a ccache
(instead of storing krbtgt credentials) with kinit (see -S) or a custom
program, if you wanted to invoke a kadm5client-using program more than once
in a short time period and did not want to re-enter the password.
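The arrangement described above (a ccache holding a kadmin/admin service ticket rather than a TGT) is worth checking before a cache is handed to kadm5_init_with_creds or to "kadmin -c". The script below is an added example, not code from this thread or from MIT Kerberos: it parses klist and kadmin getprinc output to tell a kadmin/admin cache from a TGT-only one and to confirm DISALLOW_TGT_BASED on the service principal. The listings it parses are constructed to mimic MIT output; the realm EXAMPLE.COM, the principal mark, and the cache path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Distinguishes a credentials cache that
# kadmind will accept (a kadmin/admin service ticket) from one that only holds
# a krbtgt TGT, and checks a getprinc listing for DISALLOW_TGT_BASED.
# All sample output below is constructed; realm/principal names are made up.

# Constructed sample: klist after "kinit -S kadmin/admin mark"
KLIST_KADMIN='Ticket cache: FILE:/tmp/krb5cc_kadmin
Default principal: mark@EXAMPLE.COM

Valid starting       Expires              Service principal
01/03/2005 00:19:47  01/03/2005 10:19:47  kadmin/admin@EXAMPLE.COM'

# Constructed sample: klist after a plain "kinit mark" (TGT only)
KLIST_TGT='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mark@EXAMPLE.COM

Valid starting       Expires              Service principal
01/03/2005 00:19:47  01/03/2005 10:19:47  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Constructed sample: "getprinc kadmin/admin" with the recommended flag set
GETPRINC_KADMIN='Principal: kadmin/admin@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 0 days 03:00:00
Attributes: DISALLOW_TGT_BASED
Policy: [none]'

# Constructed sample: an ordinary user principal without the flag
GETPRINC_USER='Principal: mark@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Attributes: REQUIRES_PRE_AUTH
Policy: [none]'

# Reads klist output on stdin; exit 0 if the "Service principal" column holds
# a kadmin/admin ticket, i.e. something kadm5_init_with_creds can use.
ccache_has_kadmin_ticket() {
    awk '$NF ~ /^kadmin\/admin@/ { found = 1 } END { exit !found }'
}

# Reads klist output on stdin; exit 0 if every ticket line (5 columns, last
# one a principal) is a krbtgt ticket, which kadmind rejects under
# DISALLOW_TGT_BASED.
ccache_is_tgt_only() {
    awk 'NF == 5 && $NF ~ /@/ { tickets++; if ($NF ~ /^krbtgt\//) tgts++ }
         END { exit !(tickets > 0 && tickets == tgts) }'
}

# Reads getprinc output on stdin; exit 0 if the Attributes line lists
# DISALLOW_TGT_BASED as a whole word.
principal_disallows_tgt_based() {
    grep -Eq '^Attributes:.*[[:space:]]DISALLOW_TGT_BASED([[:space:]]|$)'
}

# Demonstration on the constructed samples.
if printf '%s\n' "$KLIST_KADMIN" | ccache_has_kadmin_ticket; then
    echo "kadmin cache: holds kadmin/admin ticket, usable with kadm5_init_with_creds"
fi
if printf '%s\n' "$KLIST_TGT" | ccache_is_tgt_only; then
    echo "user cache: TGT only, kadmind will refuse it"
fi
if printf '%s\n' "$GETPRINC_KADMIN" | principal_disallows_tgt_based; then
    echo "kadmin/admin: DISALLOW_TGT_BASED is set"
fi

# Live usage on a host with MIT Kerberos client tools (not run here):
#   kinit -S kadmin/admin -c /tmp/krb5cc_kadmin mark
#   klist -c /tmp/krb5cc_kadmin | ccache_has_kadmin_ticket && kadmin -c /tmp/krb5cc_kadmin
```

Keeping the kadmin/admin ticket in its own cache (the -c argument to kinit) means the short-lived admin credential never shares a file with the user's everyday TGT, and the check above can be run by a wrapper script before each kadmin invocation.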
Sam Hartman
2005-01-04 20:36:23 UTC
Chaskiel> --On Monday, January 03, 2005 00:19:47 +0000 Mark Roach
Post by Mark Roach
Hi, I'm fairly new to Kerberos. I want to verify that I
understand this item correctly: Is it true that you can not use
a TGT based ticket to connect to the kadmin server?
Chaskiel> If your realm is set up properly, then yes. It is proper
Chaskiel> practice to set DISALLOW_TGT_BASED on the kadmin/admin,
Chaskiel> kadmin/changepw, and changepw/kerberos service
Chaskiel> principals. That is, however, a policy decision, not
Chaskiel> anything that is fixed in the protocol.

Well, I think the MIT kadmind actually enforces this itself even if
you don't set the KDC policy.

--Sam
Mark Roach
2005-01-05 00:01:02 UTC
Post by Sam Hartman
Chaskiel> If your realm is set up properly, then yes. It is proper
Chaskiel> practice to set DISALLOW_TGT_BASED on the kadmin/admin,
Chaskiel> kadmin/changepw, and changepw/kerberos service
Chaskiel> principals. That is, however, a policy decision, not
Chaskiel> anything that is fixed in the protocol.
Well, I think the MIT kadmind actually enforces this itself even if
you don't set the KDC policy.
I think this must be true (I haven't yet checked the source), as some of my
user/admin principals do not have that flag set, but it still shows in the
logs.

Thank you both for your responses.

-Mark
