[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Stephen Frost sfrost at snowman.net
Wed Jul 18 07:06:12 EDT 2007


* Mikkel Kruse Johnsen (mikkel at linet.dk) wrote:
> Now I only have the problem that mod_auth_kerb doesn't write my
> credentials to KRB5CCNAME (in PHP).
> 
> My "kerbtray" under windows says it is Forwardable but no "Ok to
> delegate", So I guess that is the problem.
> 
> Under linux they are forwardable.
[...]
> I found how to set ok-as-delegate for heimdal how is this done for MIT
> kerberos ?

The short answer is, you don't.  For reasons unknown to me, the MIT
Kerberos upstream folks have seen fit to implement something in their
client libraries that's not done in their server.  This means that even
a completely MIT solution breaks.  We've heard of some patches going
around to implement the ok-as-delegate flag in the MIT KDC but haven't
been able to actually get a hold of them yet.

If we're unable to we might end up writing some ourselves as this is
rather important to us.  If we find or write patches to fix this glaring
problem in the MIT KDC we'll be sure to post them.

	Thanks,
	
		Stephen
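Added example, not part of this thread or of mod_auth_kerb: a POSIX sh helper that parses MIT `klist -f` output and reports whether the HTTP service ticket carries both the forwardable (F) and ok-as-delegate (O) flags, which is the condition Mikkel's kerbtray screen shows failing. The `klist` text, principal names and function names below are constructed for illustration; the flag letters follow MIT klist's `-f` notation.

```shell
#!/bin/sh
# Constructed sample of MIT `klist -f` output, mimicking the thread's
# situation: the HTTP service ticket is Forwardable (F) but carries no
# ok-as-delegate (O) flag, so the client library will not delegate.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
07/18/07 07:00:00  07/18/07 17:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: FRIA
07/18/07 07:00:05  07/18/07 17:00:00  HTTP/www.example.com@EXAMPLE.COM
	Flags: FRA'

# ticket_flags <klist-output> <service-principal-prefix>
# Prints the flag letters of the first ticket whose service principal
# starts with the prefix (e.g. "HTTP/"). In `klist -f` output the
# "Flags:" line follows the ticket line it describes.
ticket_flags() {
    printf '%s\n' "$1" | awk -v svc="$2" '
        found && /Flags:/ { sub(/.*Flags:[ \t]*/, ""); print; exit }
        $NF ~ ("^" svc)  { found = 1 }
    '
}

# delegation_status <flags>
# Echoes "ok" when the ticket is both forwardable (F) and marked
# ok-as-delegate (O); otherwise names what is missing, which is the
# first thing to check when mod_auth_kerb leaves KRB5CCNAME empty.
delegation_status() {
    case "$1" in
        *F*O*|*O*F*) echo ok ;;
        *F*)         echo missing-ok-as-delegate ;;
        *O*)         echo not-forwardable ;;
        *)           echo neither ;;
    esac
}

# Stand-alone run: report on the HTTP service ticket in the sample.
flags=$(ticket_flags "$SAMPLE_KLIST" "HTTP/")
echo "HTTP ticket flags: $flags -> $(delegation_status "$flags")"
```

Against a live cache, feed it `klist -f` output instead of the constructed sample; a ticket obtained through a trusted AD realm that shows F but not O is exactly the case Stephen describes.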