kadmin does not use kinit for authentication?
First, I run kinit {principal} -k -t {keytabfile} using a keytab file.
Second, I run klist to check whether a TGT exists.
Everything seems fine, but when I run kadmin -p {principal}, it still asks for a keytab or a password.
Does this mean that kadmin does not use kinit for authentication?
This is the default policy for the kadmin service principal (for obvious security reasons): it only accepts tickets obtained directly for that service. You can change it if you want, but it is not recommended.
If you look at the KDC log, you will notice
Jun 18 01:17:27 aron krb5kdc[21377](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.1.56: TGT BASED NOT ALLOWED: authtime 0, root/DOMAIN.NET for kadmin/@DOMAIN.NET, KDC policy rejects request
Here is a reference to the documentation about this default policy:
Two Kerberos principals exist for use in communicating with the Admin
system: kadmin/admin and kadmin/changepw. Both principals
have the KRB5_KDB_DISALLOW_TGT_BASED bit set in their attributes so
that service tickets for them can only be acquired via a
password-based (AS_REQ) request. Additionally, kadmin/changepw
has the KRB5_KDB_PWCHANGE_SERVICE bit set so that a principal with an
expired password can still obtain a service ticket for it.
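As an added example (not part of the question or the answer above), a small POSIX shell filter that pulls the client address, client principal and requested service out of krb5kdc log lines carrying the "TGT BASED NOT ALLOWED" rejection, so an administrator can see which principals keep trying to reach a DISALLOW_TGT_BASED service with a TGT instead of a password-based AS_REQ. The embedded log excerpt is constructed: the TGS_REQ line is the one quoted in the answer, the AS_REQ line is made up for contrast.

```shell
#!/bin/sh
# Constructed krb5kdc log excerpt: the TGS_REQ line is the one quoted in the
# answer; the AS_REQ line is invented so the filter has something to ignore.
KDC_LOG_SAMPLE='Jun 18 01:17:20 aron krb5kdc[21377](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.56: ISSUE: authtime 1718669840, etypes {rep=18 tkt=18 ses=18}, root/DOMAIN.NET@DOMAIN.NET for krbtgt/DOMAIN.NET@DOMAIN.NET
Jun 18 01:17:27 aron krb5kdc[21377](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.1.56: TGT BASED NOT ALLOWED: authtime 0, root/DOMAIN.NET for kadmin/@DOMAIN.NET, KDC policy rejects request'

# Read krb5kdc log lines on stdin and print one line per TGS_REQ that the KDC
# refused because the requested service has KRB5_KDB_DISALLOW_TGT_BASED set:
#   <client-address> <client-principal> <service-principal>
tgt_based_rejections() {
    grep 'TGT BASED NOT ALLOWED' |
    sed -n 's/^.*) \([0-9a-fA-F.:]*\): TGT BASED NOT ALLOWED: authtime [0-9]*, \(.*\) for \(.*\), KDC policy rejects request$/\1 \2 \3/p'
}

# Count rejections per client principal, most frequent first. A steady stream
# from one principal is usually a job running kadmin -p without -k/-t; a burst
# from many principals or addresses deserves a closer look.
tgt_based_rejection_counts() {
    tgt_based_rejections | awk '{print $2}' | sort | uniq -c | sort -rn
}

printf '%s\n' "$KDC_LOG_SAMPLE" | tgt_based_rejections
printf '%s\n' "$KDC_LOG_SAMPLE" | tgt_based_rejection_counts
```

On a real system, feed the filter with the KDC log file instead of the sample, for example tail -f /var/log/krb5kdc.log | tgt_based_rejections.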