Re: Should kadmin ask for password
- To: Love Hörnquist Åstrand <lha@kth.se>
- Subject: Re: Should kadmin ask for password
- From: "Hai Zaar" <haizaar@gmail.com>
- Date: Thu, 7 Dec 2006 00:39:11 +0200
- Cc: heimdal-discuss@sics.se
Good day,
Here is my scenario:

1). kinit haizaar # Ask for password and get TGT
2). ldapsearch -Y GSSAPI .... # Automatically get ldap/ldap.example.com and perform search
3). kadmin -p haizaar ext <according to ldapsearch results> # Here I expect kadmin to automatically get kadmin/admin and do the job.

As I see it, with your patch kadmin will ask me for a password in 3), since I do not have a kadmin/admin credential in the cache. Am I right?
On the other hand, if I do kinit -S kadmin/admin@REALM haizaar in 1), I will not get a TGT and ldapsearch will fail in 2).

In other words, what I'm saying is: kadmin will try to add the "/admin" instance to the user's principal while connecting to kadmind. BUT if the user has a kadmin/admin credential in its cache, kadmin will use the user's principal name "as is". Now the only thing I'm missing is a way to obtain the kadmin/admin credential using my TGT and not asking for a password (and not destroying the TGT as "kinit -S kadmin/admin@REALM haizaar" would do).
2006/12/6, Love Hörnquist Åstrand <lha@kth.se>:
> Hello,
>
> The behavior is what most sites expect since it's very
> common to split the administrative role (lha/admin@SU.SE)
> from the user role (lha@SU.SE).
>
> But I agree that not being able to use an initial kadmin/admin
> ticket that has a client that is not of the form foo/admin is broken,
> so how about this patch?
>
> Love
>

-- 
Zaar
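One practical way around the "kinit -S kadmin/admin destroys my TGT" problem raised above is to keep the admin ticket in a credential cache of its own, selected through the standard KRB5CCNAME variable, so the default cache holding the TGT (and used by ldapsearch -Y GSSAPI) is never overwritten. The script below is an added example and is not code from the thread or from Heimdal; it assumes that kadmin will honour a kadmin/admin ticket already present in the cache even when the client name is not of the form foo/admin (the behaviour the patch under discussion is meant to provide), and the realm, user name, cache path and the host/foo.example.com principal are placeholders. It still prompts once for the password when obtaining the initial kadmin/admin ticket; it only removes the side effect on the TGT.

```shell
#!/bin/sh
# Added example, not from the original thread or from Heimdal.
# Keep the initial kadmin/admin ticket in a separate credential cache so that
# "kinit -S kadmin/admin@REALM" does not replace the TGT in the default cache.
# Assumptions: REALM and user are placeholders; the cache path is illustrative;
# kadmin accepts an existing kadmin/admin ticket whose client is plain "user@REALM".

# Per-user cache name for the admin ticket, distinct from the default cache.
# $1 = user principal name without realm (e.g. haizaar)
admin_ccache() {
    printf 'FILE:/tmp/krb5cc_admin_%s_%s\n' "$1" "$(id -u)"
}

# Command line that requests an initial kadmin/admin ticket for the user.
# Printed rather than executed so it can be inspected (and checked in a test).
# $1 = user, $2 = realm
admin_kinit_cmd() {
    printf 'kinit -S kadmin/admin@%s %s@%s\n' "$2" "$1" "$2"
}

# Obtain the admin ticket into the isolated cache, then run kadmin against it.
# The default cache (holding the TGT used by ldapsearch -Y GSSAPI) is untouched.
# $1 = user, $2 = realm, remaining args = kadmin command (e.g. ext host/foo.example.com)
run_kadmin_isolated() {
    user=$1; realm=$2; shift 2
    cc=$(admin_ccache "$user")
    # Prompts for the password once; the resulting ticket has the initial flag.
    KRB5CCNAME=$cc kinit -S "kadmin/admin@$realm" "$user@$realm" || return 1
    KRB5CCNAME=$cc kadmin -p "$user@$realm" "$@"
}

# Only contact the KDC when explicitly asked, so the file can be sourced or
# tested without kinit/kadmin being installed.
if [ -n "${RUN_KADMIN:-}" ]; then
    run_kadmin_isolated haizaar EXAMPLE.COM ext host/foo.example.com
fi
```

Run it with RUN_KADMIN=1 to actually fetch the ticket and invoke kadmin; afterwards `klist` on the default cache still shows the TGT, and `KRB5CCNAME=$(admin_ccache haizaar) klist` shows only the kadmin/admin ticket. Remove the admin cache with kdestroy under the same KRB5CCNAME when the session is over.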