[38799] in Kerberos
Re: Kerberos Database Sync with Sub-Domains
daemon@ATHENA.MIT.EDU (Isaac Boukris)
Tue Jul 14 09:57:07 2020
MIME-Version: 1.0
In-Reply-To: <MN2PR15MB3071069069425650C1FE89CCB9610@MN2PR15MB3071.namprd15.prod.outlook.com>
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 14 Jul 2020 15:54:05 +0200
Message-ID: <CAC-fF8Qi=a+_dfoJ6uDmvXGef18+z27uwQAPic74tsyfN9VrRA@mail.gmail.com>
To: Jonathan Towles <jjtowles@synterex.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Tue, Jul 14, 2020 at 3:37 PM Jonathan Towles <jjtowles@synterex.com> wrote:
>
> I'm working with an application inside of a Docker container that uses GSS to do Kerberos Constrained Delegation.
Constrained Delegation (S4U2Proxy) is a way to get a service ticket,
but the client name is determined in a preceding step of getting an
initial ticket, which can be done in two ways (only), kinit (AS
request) or protocol-transition (S4U2Self), and they both support the
use of enterprise names (using client-referrals).
> I'm guessing they need to augment the code.
Could be, in recent krb5 libs you can make use of
GSS_KRB5_NT_ENTERPRISE_NAME in gssapi.
> Doing some testing via kinit, I have found that kinit -E only works if the account lives in the parent domain.
>
> If I try to do a kinit -E with their samaccountname or email address, it says they're not found if they are in a child domain.
It should generally work with the UPNs (or samaccountname@realm).
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
