Chris Hecker writes:
> Right, I will disable the princ when I find out obviously, I just want
> the person to not be able to use it as a user princ to get tickets to
> other services in the meantime. Does that make sense or am I missing
> something?
It makes sense -- I just don't think it's som

Hmm, yeah, I can't get tickets to a service with -allow_tix on it. I'll
have to look into why if that's supposed to work, I made a couple
modifications to my KDC in this area a while back.
Chris
On Mon, Jan 8, 2018 at 20:24 Chris Hecker wrote:
>
> Ah, I assumed that was symmetric for some rea

Right, I will disable the princ when I find out obviously, I just want the
person to not be able to use it as a user princ to get tickets to other
services in the meantime. Does that make sense or am I missing something?
Chris
On Mon, Jan 8, 2018 at 20:28 Russ Allbery wrote:
> Chris Hecker

Chris Hecker writes:
> Ah, I assumed that was symmetric for some reason. I obviously need to
> be able to get tickets for these services. Not sure why I thought that.
> I'll check it out, thanks!
It is symmetric, yeah, so it has the problem that you're assuming it has.
I don't think there's a

Ah, I assumed that was symmetric for some reason. I obviously need to be
able to get tickets for these services. Not sure why I thought that. I'll
check it out, thanks!
Chris
On Mon, Jan 8, 2018 at 20:15 Russ Allbery wrote:
> Chris Hecker writes:
>
> > Ah. Is there any way to prevent a se

Chris Hecker writes:
> Ah. Is there any way to prevent a service princ from being able to get
> tickets?
> As in, if one of my service keytabs is compromised, can I prevent those
> princs from being used like a normal user princ?
I think you want -allow_tix.
--
Russ Allbery (ea...@eyrie.org)
Chris Hecker writes:
> If -allow_tgs_req / DISALLOW_TGT_BASED is set on a service princ then I
> shouldn't be able to kinit with it, right? I'm able to get TGTs though
> with kinit and the keytab for this service, and then get service tickets
> with kvno; I need to update

If -allow_tgs_req / DISALLOW_TGT_BASED is set on a service princ then I
shouldn't be able to kinit with it, right? I'm able to get TGTs though
with kinit and the keytab for this service, and then get service tickets
with kvno; I need to update my KDC and see if this is still true,