Preauth and ticket forwarding
Rachel Elizabeth Dillon
red at MIT.EDU
Wed Dec 8 13:24:30 EST 2004
On Tue, Dec 07, 2004 at 05:57:47PM -0500, Chaskiel M Grundman wrote:
> you ought to be able to tell if the client is sending a second request by
> using tcpdump or ethereal to capture packets from the network while the
> client is attempting to authenticate. (tcpdump does not have much of a krb5
> packet dissector, but you can capture packets on the kdc with tcpdump -w,
> and copy the file to another system to run ethereal)
This is absolutely the right thing to do, thank you; I hope to have a chance
to try that today and see what happens.
> The two features are not related. It's possible that the operation of
> disabling preauth somehow is dissociating the principals from the policy
> object they were using before. Make sure that the user's principal (or
> relevant policy) and the krbtgt principal (or relevant policy) do not
> have DISALLOW_FORWARDABLE set on them.
Turning off preauth for the krbtgt/REALM principal makes forwarding work
without preauthentication (thanks, Sam!). I'll let the list know what
happens with the Cisco box in case anyone runs into the same problem in the
future.
Thanks, all!
-r.
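As an added example that is not part of this thread, a small POSIX sh helper that reads `kadmin.local -q "getprinc ..."` output and reports the attribute flags relevant to the check above (DISALLOW_FORWARDABLE on the user and krbtgt principals, and REQUIRES_PRE_AUTH); the realm, principal names and sample output are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): inspect the "Attributes:" line
# of getprinc output for flags that block ticket forwarding or require preauth.
# The two sample outputs below are constructed, not captured from a real KDC.

# Constructed getprinc output for a user principal carrying both flags.
USER_PRINC_OUT='Principal: alice@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Dec 06 10:12:44 EST 2004
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Attributes: REQUIRES_PRE_AUTH DISALLOW_FORWARDABLE
Policy: [none]'

# Constructed getprinc output for the krbtgt principal with no flags set.
KRBTGT_OUT='Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Expiration date: [never]
Last password change: [never]
Attributes:
Policy: [none]'

# princ_attrs OUTPUT -> prints the space-separated flags (empty if none)
princ_attrs() {
    printf '%s\n' "$1" | sed -n 's/^Attributes:[[:space:]]*//p'
}

# has_attr OUTPUT FLAG -> exit status 0 if FLAG is present in the Attributes line
has_attr() {
    printf ' %s ' "$(princ_attrs "$1")" | grep -q " $2 "
}

# check_forwardable USER_OUT KRBTGT_OUT -> exit status 0 when neither principal
# has DISALLOW_FORWARDABLE; otherwise names the offending principal(s), exit 1
check_forwardable() {
    rc=0
    for out in "$1" "$2"; do
        if has_attr "$out" DISALLOW_FORWARDABLE; then
            name=$(printf '%s\n' "$out" | sed -n 's/^Principal: //p')
            echo "DISALLOW_FORWARDABLE is set on $name" >&2
            rc=1
        fi
    done
    return $rc
}
```

On a real KDC, feed the functions the output of `kadmin.local -q "getprinc <principal>"` for the user and for krbtgt/REALM instead of the constructed strings.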