[28113] in Kerberos
Re: [modauthkerb] Negotiate on Windows with cross-realm trust ADand
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Thu Jul 26 14:16:25 2007
Message-ID: <46A8E4F2.6050902@anl.gov>
Date: Thu, 26 Jul 2007 13:16:18 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: achim@grolmsnet.de
In-Reply-To: <200707261947.02667.achim@grolmsnet.de>
Cc: modauthkerb-help@lists.sourceforge.net, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
One more idea...
Achim Grolms wrote:
> On Thursday 26 July 2007 19:41, Douglas E. Engert wrote:
>> Mikkel Kruse Johnsen wrote:
>>> Hi Douglas
>>>
>>> I have already done all these steps.
>> It still looks like the client is not delegating.
>
> I am not sure if this idea works
> but maybe you (Mikkel) can give it a try?
>
> From my point of view that means we can exclude the item
> "Client sends nothing as delegated credeatials" because from
> my point of view the logging means *something* is received.
No, the trace showed that the client obtained a TGT to forward,
but did not forward it.
reqFlags: 02
0... .... = delegFlag:False
The bit should be set, and the delegated credential would have been
in the same packet too, and it's not there. The service ticket to
authenticate to the service is there but not the delegation.
This sounds like a client issue, like the FireFox
network.negociate.* flags.
>
> My next idea is:
>
> to add more logging information to mod_auth_kerb
>
> gss_inquire_cred
> (RFC 2744, sect. 5.21.)
>
> can be used to make the logging having a closer look to
> the delegated credential 'delegated_cred'.
>
> This can be used to write name, lifetime, cred_usage and mechanisms
> to logfile.
>
> Achim
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos