[28053] in Kerberos


Re: Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

daemon@ATHENA.MIT.EDU (Mikkel Kruse Johnsen)
Wed Jul 18 04:01:34 2007

From: Mikkel Kruse Johnsen <mikkel@linet.dk>
To: Achim Grolms <kerberosml@grolmsnet.de>
In-Reply-To: <200707172125.18286.kerberosml@grolmsnet.de>
Content-Type: multipart/mixed; boundary="=-r6se6MFX4ZH6qejfjiQN"
Date: Wed, 18 Jul 2007 10:01:17 +0200
Message-Id: <1184745677.3078.5.camel@tux.lib.cbs.dk>
Mime-Version: 1.0
Cc: modauthkerb-help <modauthkerb-help@lists.sourceforge.net>,
   kerberos <kerberos@mit.edu>
Reply-To: mikkel@linet.dk
Errors-To: kerberos-bounces@mit.edu


--=-r6se6MFX4ZH6qejfjiQN
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Hi All

That did the trick, recompiling krb5-1.5 (on RHEL5 64bit) with that
patch.

Now I only have the problem that mod_auth_kerb doesn't write my
credentials to KRB5CCNAME (in PHP).

My "kerbtray" under Windows says it is Forwardable but no "Ok to
delegate", so I guess that is the problem.

Under Linux they are forwardable.

------
[mkj@tux ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@HHK.DK

Valid starting     Expires            Service principal
07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK@HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRIA
07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK@HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRAO
07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk@CBS.DK
        renew until 07/18/07 09:17:04, Flags: FRAT
07/18/07 09:35:35  07/18/07 19:16:55  host/sugi.cbs.dk@CBS.DK
        renew until 07/18/07 09:35:35, Flags: FRAT


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
--------


I found how to set ok-as-delegate for Heimdal; how is this done for MIT
Kerberos?

And how is it done under MS AD?

/Mikkel


On Tue, 2007-07-17 at 21:25 +0200, Achim Grolms wrote:

> On Tuesday 17 July 2007 09:41, Mikkel Kruse Johnsen wrote:
> 
> > gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
> > may provide more information (Cannot allocate memory)
> 
> What OS and what Kerberos libs do you use?
> Background of this question:
> 
> I've seen this error message "Cannot allocate memory"
> (and its solution) in
> 
> <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>
> 
> Achim

Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: mikkel@linet.dk
www: http://www.linet.dk

--=-r6se6MFX4ZH6qejfjiQN
Content-Disposition: attachment; filename=krb5-1.5-mech.patch
Content-Type: text/x-patch; name=krb5-1.5-mech.patch; charset=UTF-8
Content-Transfer-Encoding: 7bit

diff -r -u krb5-1.5.orig/src/lib/gssapi/krb5/indicate_mechs.c krb5-1.5/src/lib/gssapi/krb5/indicate_mechs.c
--- krb5-1.5.orig/src/lib/gssapi/krb5/indicate_mechs.c	2006-06-15 00:27:54.000000000 +0200
+++ krb5-1.5/src/lib/gssapi/krb5/indicate_mechs.c	2007-07-18 08:59:13.000000000 +0200
@@ -34,7 +34,7 @@
 {
    *minor_status = 0;
 
-   if (! gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set)) {
+   if (gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set)) {
          *mech_set     = GSS_C_NO_OID_SET;
          *minor_status = ENOMEM;
          return(GSS_S_FAILURE);
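
Review bot: The error branch under the corrected test still sets *minor_status = ENOMEM unconditionally, which discards any minor code gssint_copy_oid_set() may have stored through the same pointer, so every failure of the copy is reported as "Cannot allocate memory" (the message quoted earlier in this thread) whether or not allocation was the cause. Consider leaving *minor_status as the callee set it. If gssint_copy_oid_set() returns a GSS major status, as the corrected test implies, writing the condition as an explicit comparison against GSS_S_COMPLETE (or using GSS_ERROR()) would make the return convention visible at the call site; with a bare truthiness test the original inversion was easy to miss. A short comment stating that a nonzero return means failure would also help.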

--=-r6se6MFX4ZH6qejfjiQN
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

--=-r6se6MFX4ZH6qejfjiQN--

