author: Barry Jaspan <bjaspan@mit.edu> 1996-10-30 18:12:37 +0000
committer: Barry Jaspan <bjaspan@mit.edu> 1996-10-30 18:12:37 +0000
commit: cc03b6ee2575a14f1230bc09ad7afb65f1f1162a (patch)
tree: ec2b19029e1d92822696e723563006f54c69ce86
parent: a8310b6fd5ff1c05568364472ca5469cabc28831 (diff)
include some more detail on the kadmin/admin and kadmin/changepw distinction [krb5-doc/130]

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@9252 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- doc/kadm5/api-funcspec.tex | 11
1 file changed, 9 insertions, 2 deletions
diff --git a/doc/kadm5/api-funcspec.tex b/doc/kadm5/api-funcspec.tex
index 5def7a78ac..e799eacc44 100644
--- a/doc/kadm5/api-funcspec.tex
+++ b/doc/kadm5/api-funcspec.tex
@@ -772,8 +772,15 @@ service principal, but the sets of operations that can be performed by
a request authenticated to each service are different. In particular,
only the functions chpass_principal, randkey_principal, get_principal,
and get_policy can be performed by a request authenticated to the
-kadmin/changepw service. The function semantics descriptions below
-give the precise details.
+kadmin/changepw service, and they can only be performed when the
+target principal of the operation is the same as the authenticated
+client principal; the function semantics descriptions below give the
+precise details. This means that administrative operations can only
+be performed when authenticated to the kadmin/admin service. The
+reason for this distinction is that tickets for kadmin/changepw can be
+acquired with an expired password, and the KADM system does not want
+to allow an administrator with an expired password to perform
+administrative operations on arbitrary principals.
Each Admin API operation authenticated to the kadmin/admin service
requires a specific authorization to run. This version uses a simple
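Review bot: the added sentence restricts all four operations permitted to a kadmin/changepw-authenticated request (chpass_principal, randkey_principal, get_principal and get_policy) to the case where "the target principal of the operation is the same as the authenticated client principal", but get_policy operates on a policy name rather than a principal, so the text leaves open which policy such a caller may retrieve; suggest stating the rule for get_policy explicitly (for example, only the policy attached to the client's own principal, if that is the intended behaviour) rather than relying on "the function semantics descriptions below". It would also help the reader to name the error a kadmin/changepw-authenticated caller receives when it attempts any other operation, and to keep the document's own term ("Admin API", as in the following paragraph) instead of introducing "the KADM system" here.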