[28055] in Kerberos

Re: [modauthkerb] Negotiate on Windows with cross-realm trust AD

daemon@ATHENA.MIT.EDU (Stephen Frost)
Wed Jul 18 07:06:23 2007

Date: Wed, 18 Jul 2007 07:06:12 -0400
From: Stephen Frost <sfrost@snowman.net>
To: Mikkel Kruse Johnsen <mikkel@linet.dk>
Message-ID: <20070718110612.GO4887@tamriel.snowman.net>
Mail-Followup-To: Mikkel Kruse Johnsen <mikkel@linet.dk>,
	Achim Grolms <kerberosml@grolmsnet.de>,
	modauthkerb-help <modauthkerb-help@lists.sourceforge.net>,
	kerberos <kerberos@mit.edu>
MIME-Version: 1.0
In-Reply-To: <1184745677.3078.5.camel@tux.lib.cbs.dk>
Cc: modauthkerb-help <modauthkerb-help@lists.sourceforge.net>,
   kerberos <kerberos@mit.edu>

* Mikkel Kruse Johnsen (mikkel@linet.dk) wrote:
> Now I only have the problem that mod_auth_kerb doesn't write my
> credentials to KRB5CCNAME (in PHP).
>
> My "kerbtray" under Windows says it is Forwardable but no "Ok to
> delegate", so I guess that is the problem.
>
> Under Linux they are forwardable.
[...]
> I found how to set ok-as-delegate for Heimdal; how is this done for MIT
> Kerberos?

The short answer is, you don't.  For reasons unknown to me, the MIT
Kerberos upstream folks have seen fit to implement something in their
client libraries that's not done in their server.  This means that even
a completely MIT solution breaks.  We've heard of some patches going
around to implement the ok-as-delegate flag in the MIT KDC but haven't
been able to actually get a hold of them yet.

If we're unable to, we might end up writing some ourselves as this is
rather important to us.  If we find or write patches to fix this glaring
problem in the MIT KDC we'll be sure to post them.

	Thanks,

		Stephen
