kpasswd w/forwardable
I thought I had been onto a bug and was writing that up when I
discovered the answer; now I have a question...

In the krb5.conf file, I define in the libdefaults section
"forwardable = 1" to get forwardable tickets by default. When I do
this, kpasswd fails with an error of "kpasswd: krb5_get_init_creds:
KDC policy rejects request" after accepting my current password. The
KDC's log shows "Ticket may not be forwardable".

Upon investigation, I see that the kadmin/changepw principal has
"disallow-forwardable" set as an attribute. This brings me to two
questions. First, why is this set? Just because a ticket is
forwardable doesn't mean it was forwarded from another realm, so why
is this bad? Second, with this setup, how could I force kpasswd to
get a non-forwardable ticket for its use? (For that matter, how would
I even get kinit to get a non-forwardable ticket? I only see options to
get a forwardable one - this appears to assume the default is not to
get a forwardable one.)

--David
--
david2@email.mot.com David Nerenberg
david.nerenberg@motorola.com Motorola Network Engineering
W-847-576-3200