
Re: [modauthkerb] Negotiate on Windows with cross-realm trust AD

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Wed Jul 18 14:15:01 2007

Message-ID: <469E5895.9080704@anl.gov>
Date: Wed, 18 Jul 2007 13:14:45 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Mikkel Kruse Johnsen <mikkel@linet.dk>,
   Achim Grolms <kerberosml@grolmsnet.de>,
   modauthkerb-help <modauthkerb-help@lists.sourceforge.net>,
   kerberos <kerberos@mit.edu>
In-Reply-To: <20070718110612.GO4887@tamriel.snowman.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Stephen Frost wrote:
> * Mikkel Kruse Johnsen (mikkel@linet.dk) wrote:
>> Now I only have the problem that mod_auth_kerb doesn't write my
>> credentials to KRB5CCNAME (in PHP).
>>
>> My "kerbtray" under Windows says it is Forwardable but no "Ok to
>> delegate", so I guess that is the problem.


Have a look at the "ksetup /SetRealmFlag <realm> Delegate" command
as it will tell a Windows client to assume the KDC has set
the OK_AS_DELEGATE bit. This can be used where the KDC does support
setting of the bit.  But this only works on a Windows client.


>>
>> Under linux they are forwardable.
> [...]
>> I found how to set ok-as-delegate for heimdal how is this done for MIT
>> kerberos ?
> 
> The short answer is, you don't.  For reasons unknown to me, the MIT
> Kerberos upstream folks have seen fit to implement something in their
> client libraries that's not done in their server.  This means that even
> a completely MIT solution breaks.  We've heard of some patches going
> around to implement the ok-as-delegate flag in the MIT KDC but haven't
> been able to actually get a hold of them yet.
> 
> If we're unable to we might end up writing some ourselves as this is
> rather important to us.  If we find or write patches to fix this glaring
> problem in the MIT KDC we'll be sure to post them.
> 
> 	Thanks,
> 	
> 		Stephen

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
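A small diagnostic for the mismatch discussed in this thread (ticket forwardable on the Linux side, but the KDC never set ok-as-delegate): it reads MIT "klist -f" output and reports, per service ticket, whether full credential delegation can happen. This is an added example, not code from the thread or from mod_auth_kerb; the klist sample is constructed, and it assumes MIT's flag letters F (forwardable) and O (ok as delegate).

```python
import re

# MIT "klist -f" flag letters that matter for credential delegation.
FORWARDABLE = "F"     # client asked for a forwardable ticket
OK_AS_DELEGATE = "O"  # KDC marked the service as trusted for delegation
# A ticket line ("valid starting  expires  service principal") is followed
# by an indented "Flags: ..." line in klist -f output.
_TICKET_RE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(?P<svc>\S+@\S+)\s*$")
_FLAGS_RE = re.compile(r"^\s*Flags:\s*(?P<flags>[A-Za-z]*)")


def parse_klist(output):
    """Return a list of (service principal, flag string) pairs."""
    tickets, pending = [], None
    for line in output.splitlines():
        m = _TICKET_RE.match(line)
        if m:
            pending = m.group("svc")
            continue
        m = _FLAGS_RE.match(line)
        if m and pending is not None:
            tickets.append((pending, m.group("flags")))
            pending = None
    return tickets


def delegation_report(output):
    """Map each service principal to why credentials will or will not be delegated."""
    report = {}
    for svc, flags in parse_klist(output):
        if FORWARDABLE in flags and OK_AS_DELEGATE in flags:
            report[svc] = "delegates: forwardable and OK-AS-DELEGATE set by KDC"
        elif FORWARDABLE in flags:
            report[svc] = "no delegation: forwardable, but KDC did not set OK-AS-DELEGATE"
        else:
            report[svc] = "no delegation: ticket is not forwardable"
    return report


# Constructed sample of klist -f output (not captured from the thread's systems).
SAMPLE = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.ORG
Valid starting       Expires              Service principal
07/18/2007 13:01:00  07/18/2007 23:00:00  HTTP/www.example.org@EXAMPLE.ORG
\tFlags: FAT
07/18/2007 13:02:00  07/18/2007 23:00:00  HTTP/www.example.net@EXAMPLE.NET
\tFlags: FATO
"""

if __name__ == "__main__":
    for svc, verdict in delegation_report(SAMPLE).items():
        print(svc, "->", verdict)
```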
