(keytabs).
The remote kadmin client uses Kerberos to authenticate to kadmind
-using the service principal ``kadmin/ADMINHOST`` (where *ADMINHOST* is
-the fully-qualified hostname of the admin server) or ``kadmin/admin``.
-If the credentials cache contains a ticket for one of these
+using the service principal ``kadmin/admin`` or ``kadmin/ADMINHOST``
+(where *ADMINHOST* is the fully-qualified hostname of the admin
+server). If the credentials cache contains a ticket for one of these
principals, and the **-c** credentials_cache option is specified, that
ticket is used to authenticate to kadmind. Otherwise, the **-p** and
**-k** options are used to specify the client Kerberos principal name
fully anonymous operation.
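Review bot: the reordered sentence at L6-L8 still does not say which principal kadmin tries first when no **-c** cache is supplied. Since the client in this change attempts ``kadmin/admin`` and only falls back to ``kadmin/ADMINHOST`` when that principal is unknown, state that order here explicitly ("kadmin first requests a ticket for kadmin/admin and, if the KDC does not know that principal, for kadmin/ADMINHOST"), so a reader who sees a "Server not found in Kerberos database" trace for kadmin/admin knows it is the expected fallback and not a misconfiguration.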
**-c** *credentials_cache*
- Use *credentials_cache* as the credentials cache. The
- cache should contain a service ticket for the ``kadmin/ADMINHOST``
- (where *ADMINHOST* is the fully-qualified hostname of the admin
- server) or ``kadmin/admin`` service; it can be acquired with the
+ Use *credentials_cache* as the credentials cache. The cache
+ should contain a service ticket for the ``kadmin/admin`` or
+ ``kadmin/ADMINHOST`` (where *ADMINHOST* is the fully-qualified
+ hostname of the admin server) service; it can be acquired with the
:ref:`kinit(1)` program. If this option is not specified, kadmin
requests a new service ticket from the KDC, and stores it in its
own temporary ccache.
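Review bot: the parenthetical at L20-L21 splits "kadmin/ADMINHOST ... service" across three lines and repeats the definition of *ADMINHOST* already given in the paragraph above; suggest "should contain a service ticket for the ``kadmin/admin`` or ``kadmin/ADMINHOST`` service (*ADMINHOST* as above)" or moving the parenthetical after "service" so the option text reads in one breath.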
up enough of the database to be able to use the remote version.
kadmin can authenticate to the admin server using the service
-principal ``kadmin/HOST`` (where *HOST* is the hostname of the admin
-server) or ``kadmin/admin``. If the credentials cache contains a
+principal ``kadmin/admin`` or ``kadmin/HOST`` (where *HOST* is the
+hostname of the admin server). If the credentials cache contains a
ticket for either service principal and the **-c** ccache option is
specified, that ticket is used to authenticate to KADM5. Otherwise,
the **-p** and **-k** options are used to specify the client Kerberos
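Review bot: L29-L30 use the placeholder *HOST* while the kadmin(1) text in this same change uses *ADMINHOST* for the same principal; pick one name in both documents so a reader cross-referencing them does not take ``kadmin/HOST`` and ``kadmin/ADMINHOST`` for two different principals. The same pass could align "authenticate to KADM5" (L32) with "authenticate to kadmind" used in kadmin(1).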
``kiprop/hostname`` (where *hostname* is the lowercase,
fully-qualified, canonical name for the host) registered in the
Kerberos database, and have keys for that principal stored in the
-default keytab file (|keytab|). In release 1.13, the
-``kiprop/hostname`` principal is created automatically for the master
-KDC, but it must still be created for replica KDCs.
+default keytab file (|keytab|). The ``kiprop/hostname`` principal may
+have been created automatically for the master KDC, but it must always
+be created for replica KDCs.
On the master KDC side, the ``kiprop/hostname`` principal must be
listed in the kadmind ACL file :ref:`kadm5.acl(5)`, and given the
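Review bot: "may have been created automatically" at L40-L42 is less useful to an administrator than the release-specific statement it replaces, because it gives no way to tell whether a given master KDC already has the ``kiprop/hostname`` principal. Either keep a concrete condition (which release or which setup step creates it) or tell the reader to verify that the principal exists in the database before relying on it, since a missing kiprop principal on the master is a common reason for incremental propagation failing.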
{
kadm5_ret_t code;
krb5_ccache ccache = NULL;
- char svcname[BUFSIZ];
+ char *svcname, svcbuf[BUFSIZ];
*server_out = NULL;
- /* NULL svcname means use host-based. */
- if (svcname_in == NULL) {
- code = kadm5_get_admin_service_name(handle->context,
- handle->params.realm,
- svcname, sizeof(svcname));
- if (code)
- goto error;
- } else {
- strncpy(svcname, svcname_in, sizeof(svcname));
- svcname[sizeof(svcname)-1] = '\0';
- }
-
/*
* Acquire a service ticket for svcname@realm for client, using password
* pass (which could be NULL), and create a ccache to store them in. If
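Review bot: with the strncpy copy at L59-L60 removed, ``svcname`` at L49 now aliases either the caller's ``svcname_in`` or the ``KADM5_ADMIN_SERVICE`` literal instead of a private buffer; declare it ``const char *svcname`` so that assigning a string literal is warning-free under ``-Wwrite-strings`` and so that it is explicit that ``gic_iter`` must neither modify nor retain the string beyond the call. ``svcbuf`` is only ever written on the fallback path, which is fine, but its declaration next to ``svcname`` invites a reader to assume it is the buffer behind ``svcname`` on the first attempt; a one-line comment would avoid that.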
}
handle->lhandle->cache_name = handle->cache_name;
+ svcname = (svcname_in != NULL) ? svcname_in : KADM5_ADMIN_SERVICE;
code = gic_iter(handle, init_type, ccache, client, pass, svcname, realm,
server_out);
if ((code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
|| code == KRB5_CC_NOTFOUND) && svcname_in == NULL) {
- /* Retry with old host-independent service principal. */
- code = gic_iter(handle, init_type, ccache, client, pass,
- KADM5_ADMIN_SERVICE, realm, server_out);
+ /* Retry with host-based service principal. */
+ code = kadm5_get_admin_service_name(handle->context,
+ handle->params.realm,
+ svcbuf, sizeof(svcbuf));
+ if (code)
+ goto error;
+ code = gic_iter(handle, init_type, ccache, client, pass, svcbuf, realm,
+ server_out);
}
/* Improved error messages */
if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) code = KADM5_BAD_PASSWORD;
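Review bot: the first attempt at L69 passes the ``realm`` argument, while the fallback at L77-L79 derives the host-based name from ``handle->params.realm``; if those two values can ever differ, the retry requests ``kadmin/hostname`` in the wrong realm and fails with the same "principal unknown" error, masking the real cause. Use the same realm for both attempts, or note in the comment why they are guaranteed equal. Also, when the fallback at L82-L83 fails too, the error returned to the caller describes only the ``kadmin/hostname`` attempt; the original ``kadmin/admin`` failure survives only in the trace log, which is what the test in this commit relies on, so it would be worth saying so in the "Retry with host-based service principal" comment.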
realm.run([kadmin, '-c', realm.ccache, 'cpw', '-randkey', '-e', 'aes256-cts',
'none'], expected_code=1, expected_msg=msg)
+# Test authentication to kadmin/hostname.
+mark('authentication to kadmin/hostname')
+kadmin_hostname = 'kadmin/' + hostname
+realm.run([kadminl, 'delprinc', 'kadmin/admin'])
+msgs = ('Getting initial credentials for user/admin@KRBTEST.COM',
+ 'Setting initial creds service to kadmin/admin',
+ '/Server not found in Kerberos database',
+ 'Getting initial credentials for user/admin@KRBTEST.COM',
+ 'Setting initial creds service to ' + kadmin_hostname,
+ 'Decrypted AS reply')
+realm.run([kadmin, '-p', 'user/admin', 'listprincs'], expected_code=1,
+ expected_msg="Operation requires ``list'' privilege",
+ input=password('user/admin'), expected_trace=msgs)
+
# Test operations disallowed at the libkadm5 layer.
realm.run([kadminl, 'delprinc', 'K/M'],
expected_code=1, expected_msg='Cannot change protected principal')
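Review bot: the ``delprinc`` of ``kadmin/admin`` at L92 is never undone, so every later test in this script that runs the remote ``kadmin`` client exercises the host-based fallback rather than the default path, and any assumption the earlier tests made about ``kadmin/admin`` existing no longer holds; recreate the principal at the end of this block (or run the block last) so later assertions are not silently testing a different configuration. The block also only checks that the fallback reaches the ACL denial at L100; a second run with a principal that holds the needed list privilege would confirm that operations actually succeed over the ``kadmin/hostname`` ticket, not merely that authentication gets as far as the ACL check.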