Can I automatically cache AD tickets into a file on windows?

Todd Grayson tgrayson at cloudera.com
Fri Nov 18 12:43:54 EST 2016


You might be able to do some sort of PowerShell script?  I don't think the
KFW has a startup context to it.  The thing is you would need to pass
credentials in somehow which starts to weaken the integrity of the security
model once you start caching passwords/keytabs.  We should know, Hadoop is
the poster child of poor credential handling (and a ton of work is going
into cleaning that all up).

On Friday, November 18, 2016, Mauro Cazzari <Mauro.Cazzari at sas.com> wrote:

> One more thing: if MIT Kerberos is installed, is there a way to populate
> the KRB5CCNAME cache file automatically when I log on to Windows without
> having to use a keytab or having to run a kinit under the covers?
>
>
>
> *From:* Todd Grayson [mailto:tgrayson at cloudera.com]
> *Sent:* Friday, November 18, 2016 11:34 AM
> *To:* Mauro Cazzari <Mauro.Cazzari at sas.com>
> *Cc:* Kerberos at mit.edu
> *Subject:* Re: Can I automatically cache AD tickets into a file on
> windows?
>
>
>
> From what I understand, the Windows SSPI implementation does not provide a
> facility to hold the credentials in a file.  You would use the MIT KFW to
> be able to do that.
>
> On Friday, November 18, 2016, Mauro Cazzari <Mauro.Cazzari at sas.com> wrote:
>
> Kerberos experts,
> Is there a way to automatically cache AD-generated tickets to the file
> provided through the KRB5CCNAME environment variable on Windows without
> having to run a kinit? My understanding is that Windows caches tickets in
> memory (whereas Unix does the same on file). Do I need to install MIT
> Kerberos, or (ideally) can I just use the copy of Kerberos that comes with
> Windows to achieve my goal?
> Thanks!
> Mauro.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
> --
> Todd Grayson
> Business Operations Manager
> Customer Operations Engineering
> Security SME
>


-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

