[28059] in Kerberos


Re: Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Wed Jul 18 10:04:58 2007

Message-ID: <469E1DDC.805@anl.gov>
Date: Wed, 18 Jul 2007 09:04:12 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: mikkel@linet.dk
In-Reply-To: <1184745677.3078.5.camel@tux.lib.cbs.dk>
Cc: modauthkerb-help <modauthkerb-help@lists.sourceforge.net>,
   kerberos <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

You asked how to do this in AD...
An AD admin sets the TRUSTED_FOR_DELEGATION bit in UserAccountControl for the server. But not just any admin can set this; who can set the bit is controlled by a group control policy on the DC. In 2000 you had to edit a file. In 2003 there is a way to set it, see below.

UserAccountControl definitions:
http://support.microsoft.com/kb/305144

Some pointers to trusted for delegation:
http://support.microsoft.com/kb/250874
http://support.microsoft.com/kb/322143/EN-US/
http://technet2.microsoft.com/windowsserver/en/library/72612d01-622c-46b7-ab4a-69955d0687c81033.mspx?mfr=true

Enable computer and user accounts to be trusted for delegation:
http://technet2.microsoft.com/windowsserver/en/library/a9fd0aa2-301c-42b3-a7b1-2595631c389f1033.mspx?mfr=true

-- 
Mikkel Kruse Johnsen wrote:
> Hi All
> 
> That did the trick, recompiling krb5-1.5 (on RHEL5 64bit) with that
> patch.
> 
> Now I only have the problem that mod_auth_kerb doesn't write my
> credentials to KRB5CCNAME (in PHP).
> 
> My "kerbtray" under Windows says it is Forwardable but no "Ok to
> delegate", so I guess that is the problem.
> 
> Under Linux they are forwardable.
> 
> ------
> [mkj@tux ~]$ klist -f
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: mkj.lib@HHK.DK
> 
> Valid starting     Expires            Service principal
> 07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK@HHK.DK
>         renew until 07/19/07 09:16:49, Flags: FRIA
> 07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK@HHK.DK
>         renew until 07/19/07 09:16:49, Flags: FRAO
> 07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk@CBS.DK
>         renew until 07/18/07 09:17:04, Flags: FRAT
> 07/18/07 09:35:35  07/18/07 19:16:55  host/sugi.cbs.dk@CBS.DK
>         renew until 07/18/07 09:35:35, Flags: FRAT
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt500
> klist: You have no tickets cached
> --------
> 
> 
> I found how to set ok-as-delegate for Heimdal; how is this done for MIT
> Kerberos?
> 
> And how is it done under MS AD?
> 
> /Mikkel
> 
> 
> On Tue, 2007-07-17 at 21:25 +0200, Achim Grolms wrote:
> 
>> On Tuesday 17 July 2007 09:41, Mikkel Kruse Johnsen wrote:
>>
>>> gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
>>> may provide more information (Cannot allocate memory)
>> What OS and what Kerberos libs do you use?
>> Background of this question:
>>
>> I've seen this error message "Cannot allocate memory"
>> (and its solution) in
>>
>> <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>
>>
>> Achim
> 
> Mikkel Kruse Johnsen
> Linet
> Ørholmgade 6 st tv
> 2200 København N
> 
> Tlf: +45 2128 7793
> email: mikkel@linet.dk
> www: http://www.linet.dk
> 
> 
> ------------------------------------------------------------------------
> 
> diff -r -u krb5-1.5.orig/src/lib/gssapi/krb5/indicate_mechs.c krb5-1.5/src/lib/gssapi/krb5/indicate_mechs.c
> --- krb5-1.5.orig/src/lib/gssapi/krb5/indicate_mechs.c	2006-06-15 00:27:54.000000000 +0200
> +++ krb5-1.5/src/lib/gssapi/krb5/indicate_mechs.c	2007-07-18 08:59:13.000000000 +0200
> @@ -34,7 +34,7 @@
>  {
>     *minor_status = 0;
>  
> -   if (! gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set)) {
> +   if (gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set)) {
>           *mech_set     = GSS_C_NO_OID_SET;
>           *minor_status = ENOMEM;
>           return(GSS_S_FAILURE);
> 
> 
> ------------------------------------------------------------------------
> 
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
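Review bot: the hunk is the right fix for the spurious "Cannot allocate memory": gssint_copy_oid_set returns an OM_uint32 major status, 0 (GSS_S_COMPLETE) on success, so the old `if (! gssint_copy_oid_set(...))` took the error branch exactly when the copy succeeded, and removing the negation makes the branch fire only on a non-zero (failed) return. One point worth a follow-up: the error branch still unconditionally writes `*minor_status = ENOMEM`, overwriting whatever minor status gssint_copy_oid_set stored through the `minor_status` pointer it was passed, so any other failure inside the copy is also reported as out-of-memory; consider leaving the callee's minor status in place.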
-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
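The two things this thread turns on are the TRUSTED_FOR_DELEGATION bit in an AD account's UserAccountControl and the ok-as-delegate flag on a service ticket, which kerbtray shows as "Ok to delegate" and MIT klist -f shows as the letter O. The script below is an added example, not code from this thread or from either project: it decodes a UserAccountControl value using the bit values documented in the KB 305144 article linked above (only a subset of the bits is tabulated), and it parses the klist -f output quoted in Mikkel's message, copied verbatim, to list which service tickets lack the O flag. The UAC sample value is constructed; the function and constant names are my own.

```python
"""Added example, not code from the thread: decode the UserAccountControl
TRUSTED_FOR_DELEGATION bit discussed above and read the quoted `klist -f`
output to see which service tickets lack the 'O' (ok-as-delegate) flag."""
import re

# UserAccountControl bit values as documented in Microsoft KB 305144 (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
TRUSTED_FOR_DELEGATION = 0x80000


def decode_uac(value):
    """Names of the known UAC bits set in `value`, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def trusted_for_delegation(value):
    """True when the account's UAC value has TRUSTED_FOR_DELEGATION set."""
    return bool(value & TRUSTED_FOR_DELEGATION)


# Flag letters printed by MIT `klist -f`; 'O' is what kerbtray calls "Ok to delegate".
KLIST_FLAGS = {
    "F": "forwardable", "f": "forwarded",
    "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated",
    "R": "renewable", "I": "initial", "i": "invalid",
    "H": "hardware-authenticated", "A": "preauthenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate",
    "a": "anonymous",
}

# Copied from the klist -f output quoted in the thread above.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@HHK.DK

Valid starting     Expires            Service principal
07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK@HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRIA
07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK@HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRAO
07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk@CBS.DK
        renew until 07/18/07 09:17:04, Flags: FRAT
07/18/07 09:35:35  07/18/07 19:16:55  host/sugi.cbs.dk@CBS.DK
        renew until 07/18/07 09:35:35, Flags: FRAT
"""

_STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({_STAMP})\s+({_STAMP})\s+(\S+)$")
FLAGS_RE = re.compile(r"Flags: ([A-Za-z]+)")


def parse_klist(text):
    """Map each service principal in `klist -f` output to its flag letters."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:                        # "valid  expires  principal" line
            current = m.group(3)
            tickets[current] = ""
            continue
        m = FLAGS_RE.search(line)    # indented "renew until ..., Flags: ..." line
        if m and current:
            tickets[current] = m.group(1)
    return tickets


def describe_flags(letters):
    """Expand a klist flag string such as "FRAT" into flag names."""
    return [KLIST_FLAGS.get(c, "unknown:" + c) for c in letters]


def not_ok_as_delegate(tickets):
    """Service tickets (TGTs excluded) without 'O': a Windows client, which
    honours this flag, will not forward credentials to these services."""
    return sorted(p for p, f in tickets.items()
                  if not p.startswith("krbtgt/") and "O" not in f)


if __name__ == "__main__":
    # Constructed sample: NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | TRUSTED_FOR_DELEGATION
    uac = 0x0200 | 0x10000 | 0x80000
    print(hex(uac), decode_uac(uac), "trusted for delegation:", trusted_for_delegation(uac))
    tix = parse_klist(KLIST_OUTPUT)
    for princ, flags in tix.items():
        print(f"{princ:28} {flags:6} {describe_flags(flags)}")
    print("service tickets missing ok-as-delegate:", not_ok_as_delegate(tix))
```

Run against the quoted output, the HTTP/sugi.cbs.dk@CBS.DK ticket shows up as FRAT with no O, which matches what kerbtray reported: the ticket is forwardable, but the service principal was not marked ok-as-delegate by its KDC, so the client has no reason to forward the TGT to mod_auth_kerb.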
