[28053] in Kerberos
Re: Negotiate on Windows with cross-realm trust AD and MIT Kerberos.
daemon@ATHENA.MIT.EDU (Mikkel Kruse Johnsen)
Wed Jul 18 04:01:34 2007
From: Mikkel Kruse Johnsen <mikkel@linet.dk>
To: Achim Grolms <kerberosml@grolmsnet.de>
In-Reply-To: <200707172125.18286.kerberosml@grolmsnet.de>
Content-Type: multipart/mixed; boundary="=-r6se6MFX4ZH6qejfjiQN"
Date: Wed, 18 Jul 2007 10:01:17 +0200
Message-Id: <1184745677.3078.5.camel@tux.lib.cbs.dk>
Mime-Version: 1.0
Cc: modauthkerb-help <modauthkerb-help@lists.sourceforge.net>,
kerberos <kerberos@mit.edu>
Reply-To: mikkel@linet.dk
Errors-To: kerberos-bounces@mit.edu
--=-r6se6MFX4ZH6qejfjiQN
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Hi All,

That did the trick: recompiling krb5-1.5 (on RHEL5 64-bit) with that
patch.

Now I only have the problem that mod_auth_kerb doesn't write my
credentials to KRB5CCNAME (in PHP).

My "kerbtray" under Windows says it is Forwardable but no "Ok to
delegate", so I guess that is the problem.

Under Linux they are forwardable.

------
[mkj@tux ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@HHK.DK

Valid starting     Expires            Service principal
07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK@HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRIA
07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK@HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRAO
07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk@CBS.DK
        renew until 07/18/07 09:17:04, Flags: FRAT
07/18/07 09:35:35  07/18/07 19:16:55  host/sugi.cbs.dk@CBS.DK
        renew until 07/18/07 09:35:35, Flags: FRAT

Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
--------

I found how to set ok-as-delegate for Heimdal; how is this done for MIT
Kerberos?
And how is it done under MS AD?

/Mikkel

On Tue, 2007-07-17 at 21:25 +0200, Achim Grolms wrote:
> On Tuesday 17 July 2007 09:41, Mikkel Kruse Johnsen wrote:
>
> > gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
> > may provide more information (Cannot allocate memory)
>
> What OS and what Kerberos libs do you use?
> Background of this question:
>
> I've seen this error message "Cannot allocate memory"
> (and its solution) in
>
> <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>
>
> Achim
Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N
Tlf: +45 2128 7793
email: mikkel@linet.dk
www: http://www.linet.dk
--=-r6se6MFX4ZH6qejfjiQN
Content-Disposition: attachment; filename=krb5-1.5-mech.patch
Content-Type: text/x-patch; name=krb5-1.5-mech.patch; charset=UTF-8
Content-Transfer-Encoding: 7bit
diff -r -u krb5-1.5.orig/src/lib/gssapi/krb5/indicate_mechs.c krb5-1.5/src/lib/gssapi/krb5/indicate_mechs.c
--- krb5-1.5.orig/src/lib/gssapi/krb5/indicate_mechs.c 2006-06-15 00:27:54.000000000 +0200
+++ krb5-1.5/src/lib/gssapi/krb5/indicate_mechs.c 2007-07-18 08:59:13.000000000 +0200
@@ -34,7 +34,7 @@
{
*minor_status = 0;
- if (! gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set)) {
+ if (gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set)) {
*mech_set = GSS_C_NO_OID_SET;
*minor_status = ENOMEM;
return(GSS_S_FAILURE);
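Review bot: The inverted test on the gssint_copy_oid_set() line still relies on a bare truth value, which is the same idiom that hid the original bug; compare the result explicitly against the success code (for example `!= GSS_S_COMPLETE`, if the function returns a GSS major status) so the convention is visible at the call site. In the same block, `*minor_status = ENOMEM;` overwrites whatever minor code the callee stored through the minor_status pointer it was handed, so any failure of the copy is reported as "Cannot allocate memory" regardless of cause. Consider keeping the callee's minor code when it set one, and add a short comment stating what return value the branch treats as failure.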
--=-r6se6MFX4ZH6qejfjiQN--