We have two MIT krb5 realms: LIVE and TEST. I would like to add principals from LIVE into TEST's kadm5.acl file so they can manage the TEST realm's principals, authenticating from keytabs.

From what I can glean in the archives this isn't possible due to kadmin/admin@TEST being denied to TGS requests, which includes cross-realm trust links. I tried removing the DISALLOW_TGT_BASED flag from kadmin/admin@TEST with no effect. The kadmin command on a host in the LIVE realm obtained a kadmin/admin@LIVE ticket and presented that to the TEST kadmin server, which of course couldn't verify it.

If this behaviour is impossible, I will have to ensure all my management hosts default to the same realm that they are managing. Or is there something I am missing?

Cheers,
Kenny.