Subject: | kadmin should force non-forwardable tickets |
We make forwardable tickets the default in the [libdefaults] section of
our krb5.conf file, but we disable forwardable tickets for privileged
principals (*/root, */admin). Authenticating to kadmin with a password
as a privileged account therefore fails on systems with our default
krb5.conf file.
In kadm5_gic_iter() when authenticating with a password, the client
library sets up krb5_get_init_creds_opt structure but doesn't set any
parameters in it. Since the acquired credentials are going into a
memory cache specific to that client invocation, forwardable tickets are
pointless. I think the kadmin client library should therefore force the
forwardable option (and probably the proxiable option and renewable
time) to false.
our krb5.conf file, but we disable forwardable tickets for privileged
principals (*/root, */admin). Authenticating to kadmin with a password
as a privileged account therefore fails on systems with our default
krb5.conf file.
In kadm5_gic_iter() when authenticating with a password, the client
library sets up krb5_get_init_creds_opt structure but doesn't set any
parameters in it. Since the acquired credentials are going into a
memory cache specific to that client invocation, forwardable tickets are
pointless. I think the kadmin client library should therefore force the
forwardable option (and probably the proxiable option and renewable
time) to false.