  1. RHEL Documentation
  2. RHELDOCS-18785

Document no support for "KDB:" kinit credentials provider with IPA

    • rhel-sst-idm-ipa
    • CCS 2024-18, CCS 2024-19, CCS 2024-20, CCS 2024-21

      We should make clear in the IdM documentation that the KDB: credentials provider for kinit-based pre-authentication is not supported on IdM servers.

      Initial request:
      ===================

      What were you trying to do that didn't work?

      In man page kinit, option -k [-i | -t keytab_file]:


      On a KDC, the special keytab location KDB: can be used to indicate that kinit should open the KDC database and look up the key directly. This permits an administrator to obtain tickets as any principal that supports authentication based on the key.

      However, kinit -kt KDB: user@EXAMPLE.COM fails because the principal has the attribute
      KRB5_KDB_DISALLOW_SVR or KRB5_KDB_DISALLOW_ALL_TIX.

      This behavior should be added to the man page.

      Please provide the package NVR for which bug is seen:

      krb5-libs-1.21.1-1.el9.x86_64

      How reproducible:

      Always

      Steps to reproduce

      1. man kinit
      2. go to section -k [-i | -t keytab_file]

      Expected results

      Option -k [-i | -t keytab_file] should explain that the attributes KRB5_KDB_DISALLOW_SVR or KRB5_KDB_DISALLOW_ALL_TIX prevent ticket requests from the KDC.

      Actual results

      The attributes are not explained.

              mstubna@redhat.com Michal Stubna
              rhn-support-dchen Ding Yi Chen
              Filip Hanzelka