
Re: Should kadmin ask for password



Good day,
Here is my scenario:
1). kinit haizaar # Ask for password and get TGT
2). ldapsearch -Y GSSAPI .... # Automatically get ldap/ldap.example.com and perform search
3). kadmin -p haizaar ext <according to ldapsearch results> # Here I expect kadmin to automatically get kadmin/admin and do the job.

As I see it, with your patch kadmin will ask me for password in 3), since I do not have kadmin/admin credential in cache. Am I right?

On the other hand, if I do kinit -S kadmin/admin@REALM haizaar in 1), I will not get TGT and ldapsearch will fail in 2).

In other words what I'm saying is:
kadmin will try to add "/admin" instance to user's principal while connecting to kadmind. BUT if user has kadmin/admin credential in its cache, kadmin will use user's principal name "as is". Now the only thing I'm missing is the way to obtain kadmin/admin credential using my TGT and not asking for password (and not destroying TGT as "kinit -S kadmin/admin@REALM haizaar" would do).

2006/12/6, Love Hörnquist Åstrand <lha@kth.se>:
> Hello,
>
> The behavior is what most sites expect since it's very
> common to split the administrative role (lha/admin@SU.SE)
> from the user role (lha@SU.SE).
>
> But I agree that not being able to use an initial kadmin/admin
> ticket that has a client that is not on the form foo/admin is broken,
> so how about this patch ?
>
> Love

-- Zaar