Hi Ben and thanks for your help.

On Sunday, 8 January 2017 12:33:26 CET Benjamin Kaduk wrote:
> One thing to try would be separating getting tickets and authenticating
> to kadmin, aka
>
> kinit -c FILE:/tmp/krb5cc_admin -S kadmin/admin -r5m -l5m user/admin
> kadmin -c FILE:/tmp/krb5cc_admin -p user/admin

OK, getting the Service principal with only my existing princ does not exactly work; this returns "kinit: Invalid argument while getting initial credentials".

If I change it to match the whole preauth stuff it works:

root@ldap:~# kdestroy -A
root@ldap:~# kinit -n
root@ldap:~# kinit -c FILE:/tmp/krb5cc_admin -S kadmin/admin -r 5m -l 5m -T FILE:/tmp/krb5cc_0_iC5PjpBw3M fe/ad...@w7k.de
Enter OTP Token Value:
root@ldap:~# kadmin -c FILE:/tmp/krb5cc_admin
Authenticating as principal fe/ad...@w7k.de with existing credentials.
kadmin: list_principals
HTTP/..........
HTTP/...

> That would make it more clear if it is just a failure in the kadmin client
> logic.

To me this seems to be the case.

> -Ben

That does actually already work for me since I already have a little wrapper to obtain these admin tickets, so that my users get two prompts for Password and Yubikey. I can just add the kadmin functionality there.

Regards
Felix

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos