[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

kpasswd w/forwardable

I thought I had been onto a bug and was writing that up when I
discovered the answer, now I have a question....

In the krb5.conf file, I define in the libdefaults section
"forwardable = 1" to get forwardable tickets by default.  When I do
this, kpasswd fails with an error of "kpasswd: krb5_get_init_creds:
KDC policy rejects request" after accepting my current password.  The
KDC's log shows "Ticket may not be forwardable".  

Upon investigation, I see that the kadmin/changepw principal has
"disallow-forwardable" set as an attribute.  This brings me to two
questions, first, why is this set?  Just because a ticket is
forwardable doesn't mean it was forwarded from another realm, so why
is this bad?  Second, with this setup, how could I force kpasswd to
get a non-forwardable ticket for its use?  (For that matter, how would
I even get kinit to get a non-forwardable ticket, I only see options to 
get a forwardable one - this appears to assume the default is not to
get a forwardable)


david2@email.mot.com                         David Nerenberg
david.nerenberg@motorola.com                 Motorola Network Engineering