[38798] in Kerberos
RE: Kerberos Database Sync with Sub-Domains
daemon@ATHENA.MIT.EDU (Jonathan Towles)
Tue Jul 14 09:45:02 2020
From: Jonathan Towles <jjtowles@synterex.com>
To: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 14 Jul 2020 13:37:15 +0000
Message-ID: <MN2PR15MB3071069069425650C1FE89CCB9610@MN2PR15MB3071.namprd15.prod.outlook.com>
In-Reply-To: <CAC-fF8R9BSmW8MokUxt3ybGB0ANG9iUNQarbf17jTx4y3TJzRA@mail.gmail.com>
Content-Language: en-US
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
I'm working with an application inside of a Docker container that uses GSS to do Kerberos Constrained Delegation.
I'm guessing they need to augment the code.
Doing some testing via kinit, I have found that kinit -E only works if the account lives in the parent domain.
If I try to do a kinit -E with their sAMAccountName or email address, it says they're not found if they are in a child domain.
Jon Towles
CTO, Synterex
(m) 978-609-5545
-----Original Message-----
From: Isaac Boukris <iboukris@gmail.com>
Sent: Tuesday, July 14, 2020 9:35 AM
To: Jonathan Towles <jjtowles@synterex.com>
Cc: Bryan Mesich <bryan.mesich@digikey.com>; kerberos@mit.edu
Subject: Re: Kerberos Database Sync with Sub-Domains
On Tue, Jul 14, 2020 at 3:22 PM Jonathan Towles <jjtowles@synterex.com> wrote:
>
> So by using enterprise principal names, you can essentially point it at the parent domain KDC, and it can get a ticket for even users in the sub-domains?
Client referrals are used to locate the realm; see RFC 6806 for details.
> That's only something that can be done in the GSS config, right? You can't do it in the krb5.conf file?
For kinit, you just need to pass the '-E' flag, no conf involved.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
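The enterprise-name and client-referral behaviour discussed in this thread, as an added Python model that is not part of the thread or of MIT krb5. The parser follows the krb5 principal string conventions (backslash escaping, '/' as component separator, and with the enterprise flag a single component whose first unescaped '@' stays in the name, as kinit -E requests); the forest layout, global-catalog contents and KDC replies are constructed purely to illustrate the KDC_ERR_WRONG_REALM referral of RFC 6806 section 7 and are not taken from any real deployment.

```python
"""Model of enterprise principal names and AS-REQ client referrals (RFC 6806).

Added example; not MIT krb5 code.  Directory data below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

KRB5_NT_PRINCIPAL = 1
KRB5_NT_ENTERPRISE_PRINCIPAL = 10  # NT-ENTERPRISE name type (RFC 6806)


@dataclass
class Principal:
    components: List[str]
    realm: Optional[str]          # None means "use the default realm"
    name_type: int = KRB5_NT_PRINCIPAL


def parse_principal(text: str, enterprise: bool = False) -> Principal:
    """Parse a krb5 principal string.

    '\\' escapes the next character and '/' separates components.  With
    enterprise=True the name is a single component, the first unescaped '@'
    belongs to it (user@domain form) and only a second unescaped '@' starts
    the realm.  Without the flag, 'bob@example.com' means user bob in realm
    example.com, which is why a UPN needs -E (or escaping) to work.
    """
    comps: List[str] = []
    cur: List[str] = []
    realm: Optional[List[str]] = None
    seen_at = False
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\":
            i += 1
            if i == len(text):
                raise ValueError("trailing backslash")
            (realm if realm is not None else cur).append(text[i])
        elif realm is not None:
            if c == "@":
                raise ValueError("unescaped '@' inside realm")
            realm.append(c)
        elif c == "/" and not enterprise:
            comps.append("".join(cur))
            cur = []
        elif c == "@" and (not enterprise or seen_at):
            realm = []
        elif c == "@":                      # first '@' of an enterprise name
            seen_at = True
            cur.append(c)
        else:
            cur.append(c)
        i += 1
    comps.append("".join(cur))
    ntype = KRB5_NT_ENTERPRISE_PRINCIPAL if enterprise else KRB5_NT_PRINCIPAL
    return Principal(comps, "".join(realm) if realm is not None else None, ntype)


def _escape(s: str) -> str:
    return "".join("\\" + c if c in "\\/@" else c for c in s)


def unparse_principal(p: Principal) -> str:
    """Unambiguous string form: every '\\', '/' and '@' inside a part is escaped."""
    name = "/".join(_escape(c) for c in p.components)
    return name if p.realm is None else f"{name}@{_escape(p.realm)}"


# Constructed forest.  The global catalog maps every enterprise name (UPN) to
# the realm holding the account; each KDC's own database holds plain names.
GLOBAL_CATALOG = {
    "alice@example.com": "EXAMPLE.COM",
    "bob@child.example.com": "CHILD.EXAMPLE.COM",
    "bob@example.com": "CHILD.EXAMPLE.COM",   # UPN suffix differs from realm
}
LOCAL_ACCOUNTS = {"EXAMPLE.COM": {"alice"}, "CHILD.EXAMPLE.COM": {"bob"}}


def kdc_as_req(kdc_realm: str, princ: Principal) -> Tuple[str, Optional[str]]:
    """Simulated AS exchange at one KDC: ('TGT', realm), ('WRONG_REALM',
    realm_to_retry) for a client referral, or ('UNKNOWN', None)."""
    if princ.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL:
        owner = GLOBAL_CATALOG.get(princ.components[0])
        if owner is None:
            return ("UNKNOWN", None)
        return ("TGT", kdc_realm) if owner == kdc_realm else ("WRONG_REALM", owner)
    # Plain names: only this realm's own database is searched, no referral.
    if princ.components[0] in LOCAL_ACCOUNTS.get(kdc_realm, set()):
        return ("TGT", kdc_realm)
    return ("UNKNOWN", None)


def obtain_tgt(text: str, start_realm: str, enterprise: bool,
               max_referrals: int = 5) -> Tuple[Optional[str], List[str]]:
    """Client side: ask start_realm, follow WRONG_REALM referrals, refuse loops.
    Returns (issuing realm or None, realms contacted in order)."""
    princ = parse_principal(text, enterprise=enterprise)
    realm = princ.realm or start_realm
    path: List[str] = []
    for _ in range(max_referrals + 1):
        path.append(realm)
        status, value = kdc_as_req(realm, princ)
        if status == "TGT":
            return value, path
        if status == "WRONG_REALM" and value is not None and value not in path:
            realm = value
            continue
        break
    return None, path


if __name__ == "__main__":
    print(obtain_tgt("bob@example.com", "EXAMPLE.COM", enterprise=True))
    print(obtain_tgt("bob", "EXAMPLE.COM", enterprise=False))
```

Pointed at the parent realm, the enterprise request for bob is answered with a referral to CHILD.EXAMPLE.COM and succeeds there, while the plain-name request for bob stops at the parent with an unknown-principal error; the parser also shows that the same UPN string, parsed without the enterprise flag, turns its suffix into a realm name.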