Hi Greg,

OK, that’s what I was afraid of. It’ll make things a bit trickier, but I think we’ve identified a way to manage that. Thanks for the information!

Stephan Kemper
ViaSat, Inc.

On 12/19/16, 8:54 PM, "Greg Hudson" <[email protected]> wrote:

On 12/19/2016 03:50 PM, Kemper, Stephan wrote:
> The problem is with our admin principals. I can’t seem to get our KDC to hand me the service ticket that I want. Each time I run a `kinit -S kadmin/[email protected] -c ccache skemper/[email protected]` I get back a service of kadmin/[email protected], the root realm.

kinit performs an AS request. AS requests cannot be cross-realm, and the kinit -S flag can only specify the name part of the service principal, not the realm.

Because kadmin tickets must be obtained via AS request, there isn't currently any way to do cross-realm administration; each realm must have its own administrative principals.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
