
Re: kadmin prompts for passwd



There have been some buggy versions recently that did use the ccache  
for kadmin access.  AFAIK this is fixed now, partly because some of us  
complained.  Pretty sure that 1.1 and 0.7.x don't use the ccache.

In other words, "that's not a feature, that's a bug!".  ;-)

On May 16, 2008, at 1:13 PM, Juha Jäykkä wrote:

>> Er, that's how it's supposed to work and how it has always worked. If
>
> Nope. That's not how it used to work.
>
>> you really do want to put your KDC at risk in the name of convenience,
>> use "kinit -S kadmin/admin foo/admin" to get a ticket that will enable
>
> And I definitely never did this (this is on another realm):
>
> foo@host 23:07:32 ~> kdestroy
> foo@host 23:07:32 ~> kinit foo/admin
> foo/admin@TFY.UTU.FI's Password:
> foo@host 23:07:44 ~> kadmin get bar
>            Principal: bar@REALM
> etc.
>
>> password-less kadmin (and likewise enable it for anyone who can get at
>> your ticket file --- which is why kadmin prompts).
>
> Ok. I can see the point here. But now I'm troubled: you claim it always asks
> and has always asked password, but it is not what I observe. Either of the
> realms must have something very strange going on. From your reply, it sounds
> like the one which does not ask for passwords is behaving strangely. Only the
> question "why" remains!
>
> BTW, I rather liked the single-sign-on -behaviour of Heimdal, including
> kadmin, but you raised a good point and I'll need to reconsider.
>
> -Juha
>
> -- 
> 		 -----------------------------------------------
> 		| Juha Jäykkä, juolja@utu.fi			|
> 		| home: http://www.utu.fi/~juolja/		|
> 		 -----------------------------------------------