Ah. Is there any way to prevent a service princ from being able to get tickets?
As in, if one of my service keytabs is compromised, can I prevent those princs from being used like a normal user princ?

Chris

On Mon, Jan 8, 2018 at 19:58 Russ Allbery <ea...@eyrie.org> wrote:

> Chris Hecker <chec...@d6.com> writes:
>
> > If -allow_tgs_req / DISALLOW_TGT_BASED is set on a service princ then I
> > shouldn't be able to kinit with it, right? I'm able to get TGTs though
> > with kinit and the keytab for this service, and then get service tickets
> > with kvno; I need to update my KDC and see if this is still true, or
> > maybe I'm misunderstanding how it works...?
>
> That prevents other principals from getting service tickets for that
> principal using a TGT. It's intended for principals like kadmin/changepw
> that want to force an AS-REQ to get a service ticket for that principal.
>
> It doesn't have any effect on authenticating as that principal.
>
> --
> Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
>
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos