[28056] in Kerberos


Re: [modauthkerb] Negotiate on Windows with cross-realm trust AD

daemon@ATHENA.MIT.EDU (Mikkel Kruse Johnsen)
Wed Jul 18 07:56:07 2007

From: Mikkel Kruse Johnsen <mikkel@linet.dk>
To: Achim Grolms <kerberosml@grolmsnet.de>
In-Reply-To: <200707181237.17632.kerberosml@grolmsnet.de>
Date: Wed, 18 Jul 2007 13:54:30 +0200
Message-Id: <1184759670.3078.13.camel@tux.lib.cbs.dk>
Mime-Version: 1.0
Cc: modauthkerb-help <modauthkerb-help@lists.sourceforge.net>,
   kerberos@mit.edu
Reply-To: mikkel@linet.dk
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi

The problem is that my HTTP/sugi.cbs.dk@CBS.DK is made on the MIT Kerberos server and not the AD.
So I have to set the ok-as-delegate on the MIT server, but according to Stephen that is not possible:

Question: I found how to set ok-as-delegate for Heimdal; how is this done for MIT Kerberos?

Answer: "The short answer is, you don't. For reasons unknown to me, the MIT Kerberos upstream folks have seen fit to implement something in their client libraries that's not done in their server. This means that even a completely MIT solution breaks. We've heard of some patches going around to implement the ok-as-delegate flag in the MIT KDC but haven't been able to actually get a hold of them yet.
If we're unable to we might end up writing some ourselves as this is rather important to us. If we find or write patches to fix this glaring problem in the MIT KDC we'll be sure to post them."

So it seems that it is not possible. I finally got my MIT Kerberos two-way trust with MS AD working. So now a user logging into either the MIT or MS AD will be able to authenticate against Apache using mod_auth_kerb. But no credential is saved.

Hope there will be a solution for this soon.

/Mikkel

On Wed, 2007-07-18 at 12:37 +0200, Achim Grolms wrote:
> On Wednesday 18 July 2007 10:01, Mikkel Kruse Johnsen wrote:
> > Now I only have the problem that mod_auth_kerb doesn't write my
> > credentials to KRB5CCNAME (in PHP).
>
> Some knowledge on credentials delegation I have stolen from
> mailing lists is now part of
> <http://www.grolmsnet.de/kerbtut/credentialsdelegation.html>.
> There is an "AD" section, too.
>
> Achim

-- 
Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N
Tlf: +45 2128 7793
email: mikkel@linet.dk
www: http://www.linet.dk

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
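The symptom in this thread (SPNEGO login works, but mod_auth_kerb never gets a forwarded TGT to write into KRB5CCNAME) comes down to one bit in the service ticket: browsers such as Internet Explorer only delegate credentials when the ticket for the HTTP/ principal carries the ok-as-delegate flag, which the KDC that issues that ticket has to set. The first thing to check on the client side is therefore whether the ticket actually has the flag; MIT `klist -f` prints it as the letter `O` in the Flags field. The script below is an added example written for this page, not code from the thread or from mod_auth_kerb: it parses `klist -f` style output and reports whether the ticket for a given service principal is marked ok-as-delegate. `SAMPLE_KLIST` is constructed sample output in that format (the principal names are taken from the thread, the timestamps and cache path are made up); in real use you would pipe the output of `klist -f` into the functions instead.

```shell
#!/bin/sh
# Added example, not part of the original thread: inspect klist -f output and
# tell whether a service ticket carries the ok-as-delegate ("O") flag.

# Constructed sample of MIT `klist -f` output. Only HTTP/sugi.cbs.dk carries
# the O flag; the second HTTP ticket does not.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@CBS.DK

Valid starting       Expires              Service principal
07/18/2007 13:54:30  07/18/2007 23:54:30  krbtgt/CBS.DK@CBS.DK
        renew until 07/19/2007 13:54:30, Flags: FRIA
07/18/2007 13:55:02  07/18/2007 23:54:30  HTTP/sugi.cbs.dk@CBS.DK
        renew until 07/19/2007 13:54:30, Flags: FRAO
07/18/2007 13:55:40  07/18/2007 23:54:30  HTTP/other.cbs.dk@CBS.DK
        renew until 07/19/2007 13:54:30, Flags: FRA'

# ticket_flags PRINCIPAL   (klist -f output on stdin)
# Prints the flag letters of the ticket issued for PRINCIPAL, or nothing if
# the cache holds no such ticket. The principal is the last field of its
# line; the flags are on the following line after "Flags:".
ticket_flags() {
    awk -v svc="$1" '
        $NF == svc { found = 1; next }
        found && /Flags:/ { sub(/.*Flags: */, ""); print; exit }
        found { found = 0 }
    '
}

# ok_as_delegate PRINCIPAL   (klist -f output on stdin)
# Exit status 0 if the ticket for PRINCIPAL has the O (ok-as-delegate) flag,
# 1 if it is missing or there is no ticket for that principal.
ok_as_delegate() {
    case "$(ticket_flags "$1")" in
        *O*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Stand-alone demonstration on the constructed sample.
for svc in HTTP/sugi.cbs.dk@CBS.DK HTTP/other.cbs.dk@CBS.DK; do
    if printf '%s\n' "$SAMPLE_KLIST" | ok_as_delegate "$svc"; then
        echo "$svc: ok-as-delegate set, a browser may forward the TGT"
    else
        echo "$svc: ok-as-delegate NOT set, no credentials will be delegated"
    fi
done
```

Against a live cache the call is `klist -f | ok_as_delegate HTTP/sugi.cbs.dk@CBS.DK`. If the flag is missing, the fix is on the KDC that issued the ticket, not in Apache or PHP: on Heimdal the principal attribute is `+ok-as-delegate`, and MIT krb5 later (release 1.7 onward) added the equivalent `+ok_as_delegate` principal attribute in kadmin, which addresses the limitation Stephen describes above for servers running those versions.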
