| author | Greg Hudson <ghudson@mit.edu> | 2020-07-27 01:19:01 -0400 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2020-08-04 15:38:37 -0400 |
| commit | 1d282badfbd6098e3db9d50d22d565c2ec3c8c47 (patch) | |
| tree | 2b27a8484be7f6e6636105daabb3edea92344804 /doc | |
| parent | a037a7694b841f7cab6eb47bd877c6710a2de8fb (diff) | |
Try kadmin/admin first in libkadm5clnt
The MIT krb5 kadmin protocol originally used kadmin/admin as the
service principal. Commits 493f0da5fbf92b0ac2f10e887706d1964d8a15e8
and 5cfaec38a8e8f1c4b76228ba0a252987af797ca4 changed it to use
kadmin/hostname preferentially, with kadmin/admin as a fallback, for
interoperability with the Solaris SEAM administrative protocol.
Change the preference order so that kadmin/admin is tried first, with
kadmin/hostname as a fallback.
ticket: 8934 (new)
Diffstat (limited to 'doc')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | doc/admin/admin_commands/kadmin_local.rst | 14 |
| -rw-r--r-- | doc/admin/database.rst | 10 |

2 files changed, 12 insertions, 12 deletions
diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst index fafa613..33cf3a9 100644 --- a/doc/admin/admin_commands/kadmin_local.rst +++ b/doc/admin/admin_commands/kadmin_local.rst @@ -44,9 +44,9 @@ Kerberos principals, password policies, and service key tables (keytabs). The remote kadmin client uses Kerberos to authenticate to kadmind -using the service principal ``kadmin/ADMINHOST`` (where *ADMINHOST* is -the fully-qualified hostname of the admin server) or ``kadmin/admin``. -If the credentials cache contains a ticket for one of these +using the service principal ``kadmin/admin`` or ``kadmin/ADMINHOST`` +(where *ADMINHOST* is the fully-qualified hostname of the admin +server). If the credentials cache contains a ticket for one of these principals, and the **-c** credentials_cache option is specified, that ticket is used to authenticate to kadmind. Otherwise, the **-p** and **-k** options are used to specify the client Kerberos principal name @@ -100,10 +100,10 @@ OPTIONS fully anonymous operation. **-c** *credentials_cache* - Use *credentials_cache* as the credentials cache. The - cache should contain a service ticket for the ``kadmin/ADMINHOST`` - (where *ADMINHOST* is the fully-qualified hostname of the admin - server) or ``kadmin/admin`` service; it can be acquired with the + Use *credentials_cache* as the credentials cache. The cache + should contain a service ticket for the ``kadmin/admin`` or + ``kadmin/ADMINHOST`` (where *ADMINHOST* is the fully-qualified + hostname of the admin server) service; it can be acquired with the :ref:`kinit(1)` program. If this option is not specified, kadmin requests a new service ticket from the KDC, and stores it in its own temporary ccache. diff --git a/doc/admin/database.rst b/doc/admin/database.rst index e62cef7..ca19a36 100644 --- a/doc/admin/database.rst +++ b/doc/admin/database.rst 
@@ -26,8 +26,8 @@ local filesystem (or through LDAP). kadmin.local is necessary to set up enough of the database to be able to use the remote version. kadmin can authenticate to the admin server using the service -principal ``kadmin/HOST`` (where *HOST* is the hostname of the admin -server) or ``kadmin/admin``. If the credentials cache contains a +principal ``kadmin/admin`` or ``kadmin/HOST`` (where *HOST* is the +hostname of the admin server). If the credentials cache contains a ticket for either service principal and the **-c** ccache option is specified, that ticket is used to authenticate to KADM5. Otherwise, the **-p** and **-k** options are used to specify the client Kerberos @@ -811,9 +811,9 @@ Both master and replica sides must have a principal named ``kiprop/hostname`` (where *hostname* is the lowercase, fully-qualified, canonical name for the host) registered in the Kerberos database, and have keys for that principal stored in the -default keytab file (|keytab|). In release 1.13, the -``kiprop/hostname`` principal is created automatically for the master -KDC, but it must still be created for replica KDCs. +default keytab file (|keytab|). The ``kiprop/hostname`` principal may +have been created automatically for the master KDC, but it must always +be created for replica KDCs. On the master KDC side, the ``kiprop/hostname`` principal must be listed in the kadmind ACL file :ref:`kadm5.acl(5)`, and given the |
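Review bot: the reworded sentence in the first kadmin_local.rst hunk (@@ -44,9), "The remote kadmin client uses Kerberos to authenticate to kadmind using the service principal ``kadmin/admin`` or ``kadmin/ADMINHOST``", now lists the two principals in the new order but still does not say that ``kadmin/admin`` is tried first, which is the actual behaviour change described in the commit message. An administrator who holds tickets for both principals in the cache, or who keeps keytab entries for only one of them, cannot tell from this sentence which one the client will use. Suggest making the order explicit, e.g. "using the service principal ``kadmin/admin``, with ``kadmin/ADMINHOST`` (where *ADMINHOST* is the fully-qualified hostname of the admin server) as a fallback."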
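Review bot: in the **-c** option hunk of kadmin_local.rst (@@ -100,10), "The cache should contain a service ticket for the ``kadmin/admin`` or ``kadmin/ADMINHOST`` ... service" leaves open which ticket is used when the cache holds both, and with **-c** the client does not request a new ticket, so the preference order matters most here. Suggest wording it to match the new lookup order, e.g. "a service ticket for ``kadmin/admin`` or, as a fallback, ``kadmin/ADMINHOST``". Also, rewrapping all four lines hides a one-word reorder behind a whole-paragraph diff; keeping the original line breaks where possible would make the functional change easier to review.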
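Review bot: the first database.rst hunk (@@ -26,8) uses the placeholder *HOST* ("where *HOST* is the hostname of the admin server") while kadmin_local.rst in the same commit uses *ADMINHOST* and specifies the "fully-qualified hostname"; both passages describe the same service principal, so they should use one placeholder name and both say fully-qualified, since the principal name in the KDC database is tied to the canonical hostname. As in the kadmin_local.rst hunk, this sentence should also state that ``kadmin/admin`` is tried first rather than only reordering the two alternatives.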
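Review bot: the second database.rst hunk (@@ -811,9) is unrelated to the kadmin/admin preference change that the commit message describes, and the commit message does not mention it. It replaces "In release 1.13, the ``kiprop/hostname`` principal is created automatically for the master KDC" with "may have been created automatically for the master KDC", which drops the release reference without saying under what condition the principal is created automatically, so the reader is left to verify the principal exists by hand in every case. Either split this into its own commit with an explanation, or keep the release information if it still holds, e.g. "Since release 1.13, the ``kiprop/hostname`` principal is created automatically for the master KDC"; the strengthened "must always be created for replica KDCs" is a good clarification and worth keeping.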