Me and my friend have fixed this. Patch attached.
The case is that kadmin always tries to add/replace _instance_ part
of the credential with "/admin". So we've just ripped it of. I do not
know why such behavior was originally designed, so I'm not sure
whether its the right way to fix it.
Best,
Zaar.
2006/11/23, Love Hörnquist Åstrand <lha@kth.se>:
> No problem, I've just been very busy with IETF and lost packets to
> our dns resolve,
> please hang on, will be back soon with an answer.
>
> From what you say it seem like a bug in the kadmin/kadmind code.
>
> Love
>
>
> 23 nov 2006 kl. 12.01 skrev Hai Zaar:
>
> > Good day, Love!
> > Sorry to disturb you once again, but may you've just missed my reply
> > to mailing list.
> >
> >
> > 2006/11/20, Hai Zaar <haizaar@gmail.com>:
> >> Here is the thing:
> >> If principal has '/admin' in its name - it all works smoothly. I.e.
> >> renaming haizaar to haizaar/admin, or using root/admin did the trick.
> >> Even regular kinit works - kadmin automatically acquires kadmin/admin
> >> ticket.
> >>
> >> How do I disable this "feature" ?
> >>
> >> 2006/11/20, Love Hörnquist Åstrand <lha@kth.se>:
> >>
> >> > Sorry, I can't reproduce that.
> >> >
> >> > Love
> >> >
> >> > $ kinit -S kadmin/admin@SU.SE lha/admin@SU.SE
> >> > lha/admin@SU.SE's Password:
> >> > $ klist
> >> > Credentials cache: API:1
> >> > Principal: lha/admin@SU.SE
> >> >
> >> > Issued Expires Principal
> >> > Nov 20 09:28:03 Nov 20 10:28:03 kadmin/admin@SU.SE
> >> >
> >> > $ kadmin -p lha/admin -r SU.SE
> >> > kadmin> get lha
> >> > Principal: lha@SU.SE
> >> > Principal expires: never
> >> > ...
> >> >
> >> >
> >> >
> >> >
> >> >
> >>
> >>
> >> --
> >> Zaar
> >>
> >
> >
> > --
> > Zaar
>
>
--
Zaar
heimdal-0.7.2-kadmin-do-not-mess-with-instance-1.patch