[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

kpasswd w/forwardable

To: heimdal-discuss@sics.se
Subject: kpasswd w/forwardable
From: David Nerenberg <david2@email.mot.com>
Date: Wed, 26 Jan 2000 13:46:51 -0600 (Central Standard Time)
Sender: owner-heimdal-discuss@sics.se


I thought I had been onto a bug and was writing that up when I
discovered the answer, now I have a question....

In the krb5.conf file, I define in the libdefaults section
"forwardable = 1" to get forwardable tickets by default.  When I do
this, kpasswd fails with an error of "kpasswd: krb5_get_init_creds:
KDC policy rejects request" after accepting my current password.  The
KDC's log shows "Ticket may not be forwardable".  

Upon investigation, I see that the kadmin/changepw principal has
"disallow-forwardable" set as an attribute.  This brings me to two
questions, first, why is this set?  Just because a ticket is
forwardable doesn't mean it was forwarded from another realm, so why
is this bad?  Second, with this setup, how could I force kpasswd to
get a non-forwardable ticket for its use?  (For that matter, how would
I even get kinit to get a non-forwardable ticket, I only see options to 
get a forwardable one - this appears to assume the default is not to
get a forwardable)

					--David

--
david2@email.mot.com                         David Nerenberg
david.nerenberg@motorola.com                 Motorola Network Engineering
                                             W-847-576-3200

Follow-Ups:
- Re: kpasswd w/forwardable
  - From: Assar Westerlund <assar@sics.se>

Prev by Date: Re: wish list for rsh
Next by Date: Re: kpasswd w/forwardable
Prev by thread: Re: wish list for rsh
Next by thread: Re: kpasswd w/forwardable
Index(es):
- Date
- Thread