[28060] in Kerberos
Re: [modauthkerb] Negotiate on Windows with cross-realm trust AD
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Wed Jul 18 14:15:01 2007
Message-ID: <469E5895.9080704@anl.gov>
Date: Wed, 18 Jul 2007 13:14:45 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
To: Mikkel Kruse Johnsen <mikkel@linet.dk>,
Achim Grolms <kerberosml@grolmsnet.de>,
modauthkerb-help <modauthkerb-help@lists.sourceforge.net>,
kerberos <kerberos@mit.edu>
In-Reply-To: <20070718110612.GO4887@tamriel.snowman.net>
Stephen Frost wrote:
> * Mikkel Kruse Johnsen (mikkel@linet.dk) wrote:
>> Now I only have the problem that mod_auth_kerb doesn't write my
>> credentials to KRB5CCNAME (in PHP).
>>
>> My "kerbtray" under Windows says it is Forwardable but no "Ok to
>> delegate", so I guess that is the problem.
Have a look at the "ksetup /SetRealmFlag <realm> Delegate" command
as it will tell a Windows client to assume the KDC has set
the OK_AS_DELEGATE bit. This can be used where the KDC does support
setting of the bit. But this only works on a Windows client.
>>
>> Under linux they are forwardable.
> [...]
>> I found how to set ok-as-delegate for Heimdal; how is this done for MIT
>> Kerberos?
>
> The short answer is, you don't. For reasons unknown to me, the MIT
> Kerberos upstream folks have seen fit to implement something in their
> client libraries that's not done in their server. This means that even
> a completely MIT solution breaks. We've heard of some patches going
> around to implement the ok-as-delegate flag in the MIT KDC but haven't
> been able to actually get a hold of them yet.
>
> If we're unable to we might end up writing some ourselves as this is
> rather important to us. If we find or write patches to fix this glaring
> problem in the MIT KDC we'll be sure to post them.
>
> Thanks,
>
> Stephen
>
>
> ------------------------------------------------------------------------
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444