[27270] in Kerberos


Re: putty/winscp with gssapi/krb5 ticket forwarding

daemon@ATHENA.MIT.EDU (Lars Schimmer)
Fri Jan 26 05:38:54 2007

Message-ID: <45B9D002.9000208@cgv.tugraz.at>
Date: Fri, 26 Jan 2007 10:55:14 +0100
From: Lars Schimmer <l.schimmer@cgv.tugraz.at>
MIME-Version: 1.0
CC: kerberos <kerberos@mit.edu>
In-Reply-To: <45B99485.1030203@tpg.com.au>
X-SA-Exim-Mail-From: l.schimmer@cgv.tugraz.at
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Edward Irvine at home wrote:
> Hi Lars,
> 
> Lars Schimmer wrote:
> Hi!
> 
> After some testing I got a few test PCs with Debian's "etch" system to do
> ticket forwarding and obtaining AFS tokens.
> Now I want to use putty and winscp from Windows to log in without a
> password on those machines.
> 
>> See this link:
> 
>> http://220-245-28-18.static.tpgi.com.au/~irvinee/gssapi-sol10/gssapi-howto.html

Thanks for the link.
Maybe I don't get it right in my thoughts.
Setup here:
AD with 1 server and x clients
krb5 server on Debian on an extra machine
on each client MIT krb5 and OpenAFS 1.4.x on Debian, 1.5.12 on Windows
on Windows clients: krb5 config with the krb5 server entry and "obtain
tokens for OpenAFS while login enabled"
Until now, no special entries for krb5 in AD.
I assume the user on Windows obtains a token and a valid ticket from the
Linux krb5 server while logging in (else the token wouldn't be valid).
So a valid ticket for the user is available in the cache.
In https://www-s.acm.uiuc.edu/wiki/space/Setting+up+SSH+on+Debian I've
read to create a host/...@CGV... entry in my database for every PC and
extract that to a krb5.keytab (ank host/..@CGV.. - ktadd -k krb5.keytab
host/....@CGV... for every PC). That keytab I copied to /etc/krb5.keytab
on every PC and it works on Debian.
Now I thought that was the way it should work on Windows. But it seems
I was wrong.

So I need to create special user entries in the AD database. One entry
for all machines or one entry per Linux PC?
Do I really have to create them in the AD, as my krb5 doesn't interact
with the AD?

MfG,
Lars Schimmer
- --
- -------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: l.schimmer@cgv.tugraz.at
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFudACmWhuE0qbFyMRAt78AJ9GvQOcWVGAmhjZA/Ce0gyrZAn9bgCbBtdW
6h5W05khsYM8MT3XARMiiMM=
=/HQv
-----END PGP SIGNATURE-----
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

