<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">[resending from my MIT email]<div class=""><br class=""></div><div class=""><span style="font-family: HelveticaNeue;" class="">Hi Patrick-</span><br style="font-family: HelveticaNeue;" class=""><br style="font-family: HelveticaNeue;" class=""><span style="font-family: HelveticaNeue;" class="">I believe the changes you’ll want to your krb5 config are under [domain_realm]; just add </span><a href="http://win.mit.edu" style="font-family: HelveticaNeue;" class="">win.mit.edu</a><span style="font-family: HelveticaNeue;" class=""> = </span><a href="http://win.mit.edu" style="font-family: HelveticaNeue;" class="">WIN.MIT.EDU</a><span style="font-family: HelveticaNeue;" class=""> and .</span><a href="http://win.mit.edu" style="font-family: HelveticaNeue;" class="">win.mit.edu</a><span style="font-family: HelveticaNeue;" class=""> = </span><a href="http://win.mit.edu" style="font-family: HelveticaNeue;" class="">WIN.MIT.EDU</a><span style="font-family: HelveticaNeue;" class="">. I put my edu.mit.Kerberos file in /mit/tthoma24/Public so you can see what I did (note I made other edits which you may not want).</span><br style="font-family: HelveticaNeue;" class=""><br style="font-family: HelveticaNeue;" class=""><span style="font-family: HelveticaNeue;" class="">I’m not a Kerberos expert, but I think the issue here is Kerberos cross realm doesn’t exist from the WIN realm to ATHENA realm, but DOES exist going the other way, meaning you can authenticate to WIN with an ATHENA ticket, but not the other way. 
Installing Kerberos extras and getting an Athena ticket was the first piece, but I don’t think the krb5 conf in Kerberos Extras for Mac defines the WIN realm, which is likely necessary to get the </span><a href="mailto:krbtgt/WIN.MIT.EDU@athena.mit.edu" style="font-family: HelveticaNeue;" class="">krbtgt/WIN.MIT.EDU@ATHENA.MIT.EDU</a><span style="font-family: HelveticaNeue;" class=""> so you can authenticate to WIN services with an ATHENA ticket.</span><br style="font-family: HelveticaNeue;" class=""><br style="font-family: HelveticaNeue;" class=""><span style="font-family: HelveticaNeue;" class="">Hope this helps. Good luck.</span><br style="font-family: HelveticaNeue;" class=""><br style="font-family: HelveticaNeue;" class=""><span style="font-family: HelveticaNeue;" class="">-Teddy</span></div><div class=""><font face="HelveticaNeue" class=""><br class=""></font><div><blockquote type="cite" class=""><div class="">On Nov 19, 2015, at 2:38 PM, Patrick McNeal <<a href="mailto:mcneal@mit.edu" class="">mcneal@mit.edu</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Has anyone been able to get the <a href="https://ist.mit.edu/sapr3/sapgui/740/mac" class="">latest SAPgui</a> to work on a Mac OS X 10.11 machine that is bound to the WIN domain? 
We're using the WIN domain for authentication and authorization, but it appears the SAPgui doesn't work with kerberos tickets from the <a href="http://win.mit.edu/" class="">WIN.MIT.EDU</a> realm.<div class=""><br class=""></div><div class="">Installing <a href="http://ist.mit.edu/kerberos/extras/mac" class="">Kerberos Extras for Mac</a> works if I destroy my <a href="http://win.mit.edu/" class="">WIN.MIT.EDU</a> tickets and then obtain a TGT for the <a href="http://athena.mit.edu/" class="">ATHENA.MIT.EDU</a> realm, but then I'm unable to access DFS or other <a href="http://win.mit.edu/" class="">WIN.MIT.EDU</a> resources.</div><div class=""><br class=""></div><div class="">For what it's worth, here is my /Library/Preferences/edu.mit.Kerberos:</div>
<div class=""><br class=""></div><div class=""><div class="">[libdefaults]</div><div class=""> default_realm = <a href="http://athena.mit.edu/" class="">ATHENA.MIT.EDU</a></div><div class=""> forwardable = TRUE</div><div class=""> proxiable = TRUE</div><div class=""> noaddresses = TRUE</div><div class=""> allow_weak_crypto = TRUE</div><div class=""><br class=""></div><div class="">[realms]</div><div class=""> <a href="http://athena.mit.edu/" class="">ATHENA.MIT.EDU</a> = {</div><div class=""> kdc = <a href="http://kerberos.mit.edu" class="">kerberos.mit.edu</a>.:88</div><div class=""> kdc = <a href="http://kerberos-1.mit.edu" class="">kerberos-1.mit.edu</a>.:88</div><div class=""> kdc = <a href="http://kerberos-2.mit.edu" class="">kerberos-2.mit.edu</a>.:88</div><div class=""> admin_server = <a href="http://kerberos.mit.edu/" class="">kerberos.mit.edu</a>.</div><div class=""> default_domain = <a href="http://mit.edu/" class="">mit.edu</a></div><div class=""> }</div><div class=""><br class=""></div><div class="">[domain_realm]</div><div class=""> .<a href="http://mit.edu/" class="">mit.edu</a> = <a href="http://athena.mit.edu/" class="">ATHENA.MIT.EDU</a></div><div class=""> <a href="http://mit.edu/" class="">mit.edu</a> = <a href="http://athena.mit.edu/" class="">ATHENA.MIT.EDU</a></div><div class=""><br class=""></div><div class="">[v4 realms]</div><div class=""> <a href="http://athena.mit.edu/" class="">ATHENA.MIT.EDU</a> = {</div><div class=""> kdc = <a href="http://kerberos.mit.edu/" class="">kerberos.mit.edu</a>.</div><div class=""> kdc = <a href="http://kerberos-1.mit.edu/" class="">kerberos-1.mit.edu</a>.</div><div class=""> kdc = <a href="http://kerberos-2.mit.edu/" class="">kerberos-2.mit.edu</a>.</div><div class=""> admin_server = <a href="http://kerberos.mit.edu/" class="">kerberos.mit.edu</a>.</div><div class=""> default_domain = <a href="http://mit.edu/" class="">mit.edu</a></div><div class=""> string_to_key_type = mit_string_to_key</div><div class=""> 
}</div><div class=""><br class=""></div><div class="">[v4 domain_realm]</div><div class=""> .<a href="http://mit.edu/" class="">mit.edu</a> = <a href="http://athena.mit.edu/" class="">ATHENA.MIT.EDU</a></div><div class=""> <a href="http://mit.edu/" class="">mit.edu</a> = <a href="http://athena.mit.edu/" class="">ATHENA.MIT.EDU</a></div><div class=""><br class=""></div><div class=""><div class="">Thanks,</div><div class=""><br class=""></div><div class="">—Patrick</div><div class=""><br clear="all" class=""><div class=""><div class="gmail_signature"><div dir="ltr" class=""><div class=""><br class=""></div><div class="">IT Manager | <span style="border-collapse:collapse" class=""><a href="http://povertyactionlab.org/" target="_blank" class="">J-PAL</a> | <a href="http://mit.edu/" target="_blank" class="">MIT</a><a class=""></a> </span>| +1 617-324-2721 | <a href="mailto:mcneal@mit.edu" target="_blank" class="">mcneal@mit.edu</a><br class=""></div></div></div></div>
</div></div></div></div>
_______________________________________________<br class="">Macpartners mailing list<br class=""><a href="mailto:Macpartners@mit.edu" class="">Macpartners@mit.edu</a><br class="">http://mailman.mit.edu/mailman/listinfo/macpartners<br class=""></div></blockquote></div><br class=""></div></body></html>
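An added illustration, not part of either message and not MIT's code, of why the [domain_realm] entries suggested in the reply matter: a simplified Python model of the host-to-realm lookup, which tries the full host name and then progressively shorter suffixes. The host name dfs.win.mit.edu is constructed for the example, and the lookup order is an assumption modelled on MIT krb5's profile-based behaviour.

```python
# Added example: simplified model of the krb5 [domain_realm] lookup.
# ORIGINAL mirrors the [domain_realm] section posted in the thread;
# WITH_WIN adds the two entries suggested in the reply.

ORIGINAL = """
[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
"""
WITH_WIN = ORIGINAL + "    win.mit.edu = WIN.MIT.EDU\n    .win.mit.edu = WIN.MIT.EDU\n"


def parse_domain_realm(conf_text):
    """Return the [domain_realm] section of a krb5.conf-style string as a dict."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()  # "[v4 domain_realm]" is a different section
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping


def host_realm(hostname, mapping, default=None):
    """Try "a.b.c", then ".b.c", "b.c", ".c", "c"; the first key found wins."""
    candidate = hostname.lower().rstrip(".")
    while candidate:
        if candidate in mapping:
            return mapping[candidate]
        if candidate.startswith("."):
            candidate = candidate[1:]          # ".b.c" -> "b.c"
        else:
            dot = candidate.find(".")
            candidate = candidate[dot:] if dot != -1 else ""  # "a.b.c" -> ".b.c"
    return default


if __name__ == "__main__":
    host = "dfs.win.mit.edu"  # constructed host name, for illustration only
    for label, conf in (("original", ORIGINAL), ("with WIN entries", WITH_WIN)):
        print(f"{label}: {host} -> {host_realm(host, parse_domain_realm(conf))}")
```

With only the `.mit.edu` entries, every host under win.mit.edu is treated as belonging to ATHENA.MIT.EDU; the more specific entries win because they are reached earlier in the suffix walk.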