From: Toby Blake
To: krb5-bugs@mit.edu
Date: Fri, 9 Nov 2018 16:22:42 +0000
Subject: ksu doesn't allow acquisition of non-forwardable tickets
Message-ID: <662C7C9A-436D-4111-AD4A-763A61FE838F@inf.ed.ac.uk>

Hi,

If a principal has the DISALLOW_FORWARDABLE attribute in the KDC, but /etc/krb5.conf has forwardable = true, then it is impossible to obtain a ticket using ksu ("KDC policy rejects request while getting initial credentials").

Would you be interested in a patch to implement a -F option (in the same way as kinit) to explicitly request a non-forwardable ticket?

Cheers
Toby Blake
School of Informatics
University of Edinburgh