[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Mikkel Kruse Johnsen mikkel at linet.dk
Wed Jul 18 07:54:30 EDT 2007


Hi

The problem is that my HTTP/sugi.cbs.dk at CBS.DK is made on the MIT
kerberos server and not the AD.

So I have to set the ok-as-delegate on the MIT server, but according to
Stephen that is not possible:

Question:
I found how to set ok-as-delegate for heimdal how is this done for MIT
kerberos ?

Answer:
"The short answer is, you don't.  For reasons unknown to me, the MIT
Kerberos upstream folks have seen fit to implement something in their
client libraries that's not done in their server.  This means that even
a completely MIT solution breaks.  We've heard of some patches going
around to implement the ok-as-delegate flag in the MIT KDC but haven't
been able to actually get a hold of them yet.

If we're unable to we might end up writing some ourselves as this is
rather important to us.  If we find or write patches to fix this glaring
problem in the MIT KDC we'll be sure to post them."

So it seems that it is not possible. I finally got my MIT Kerberos
two-way trust with MS AD working. So now a user logging into either the
MIT or MS AD will be able to authenticate against apache using
mod_auth_kerb. But no credential is saved.

Hope there will be a solution for this soon.

/Mikkel


On Wed, 2007-07-18 at 12:37 +0200, Achim Grolms wrote:

> On Wednesday 18 July 2007 10:01, Mikkel Kruse Johnsen wrote:
> 
> > Now I only have the problem that mod_auth_kerb doesn't write my
> > credentials to KRB5CCNAME (in PHP).
> 
> Some knowledge on Credentials delegation I have stolen from
> mailinglists is now part of
> <http://www.grolmsnet.de/kerbtut/credentialsdelegation.html>.
> There is an "AD" section, too.
> 
> Achim

Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: mikkel at linet.dk
www: http://www.linet.dk
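The thread above turns on whether the HTTP/ service ticket carries the ok-as-delegate flag, since a Windows client will only forward its TGT to a service whose ticket has that flag set, and without a forwarded TGT mod_auth_kerb has nothing to save into KRB5CCNAME. The following is an added diagnostic, not code from the thread or from mod_auth_kerb: it parses the output of MIT `klist -f` (whose flag letters include `O` for ok-as-delegate) and reports, per HTTP/ ticket, whether the flag is present. The `klist` text embedded below is constructed for the example, not captured from any real system, and the line layout assumed is MIT klist's (date, expiry, principal, then an indented `Flags:` line).

```python
"""
Diagnostic (added example): parse `klist -f` output and report whether each
HTTP/ service ticket carries the ok-as-delegate flag ("O" in MIT klist).

A client that obtained a service ticket without "O" will not delegate its
TGT to that service, which is consistent with mod_auth_kerb never receiving
credentials to write into KRB5CCNAME.
"""
import subprocess

# Constructed sample of `klist -f` output for this example (not real data).
# The HTTP/sugi ticket lacks "O"; the second HTTP/ ticket has it.
SAMPLE_KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: someuser@CBS.DK

Valid starting       Expires              Service principal
07/18/2007 10:00:00  07/18/2007 20:00:00  krbtgt/CBS.DK@CBS.DK
\tFlags: FRIA
07/18/2007 10:01:00  07/18/2007 20:00:00  HTTP/sugi.cbs.dk@CBS.DK
\tFlags: FRA
07/18/2007 10:02:00  07/18/2007 20:00:00  HTTP/other.example.com@CBS.DK
\tFlags: FRAO
"""

# Flag letters as printed by MIT klist -f.
MIT_FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hw-authenticated", "A": "pre-authenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}


def parse_klist(text):
    """Return {service_principal: flag_letters} from `klist -f` text.

    A ticket line starts with a date and ends with a principal containing "@";
    the flags for that ticket follow on the next "Flags:" line.
    """
    tickets = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        tokens = stripped.split()
        if stripped and stripped[0].isdigit() and tokens and "@" in tokens[-1]:
            current = tokens[-1]
            tickets[current] = ""  # flags may be absent without -f
            continue
        if stripped.startswith("Flags:") and current is not None:
            tickets[current] = stripped[len("Flags:"):].strip()
    return tickets


def describe_flags(letters):
    """Expand klist flag letters into readable names (unknown letters kept)."""
    return [MIT_FLAG_NAMES.get(ch, ch) for ch in letters]


def ok_as_delegate(tickets, prefix="HTTP/"):
    """Map each service ticket with the given prefix to True if "O" is set."""
    return {svc: "O" in flags for svc, flags in tickets.items()
            if svc.startswith(prefix)}


def live_klist_output():
    """Run the real `klist -f` (assumes MIT krb5 tools are installed)."""
    return subprocess.run(["klist", "-f"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Use the constructed sample so the script runs offline; swap in
    # live_klist_output() to inspect an actual credential cache.
    report = ok_as_delegate(parse_klist(SAMPLE_KLIST_OUTPUT))
    for svc, delegable in report.items():
        status = "ok-as-delegate set" if delegable else "ok-as-delegate MISSING"
        print(f"{svc}: {status}")
```

If an HTTP/ ticket shows up as MISSING, the thing to fix is the KDC's view of the service principal (on Heimdal or AD the flag is an attribute of the service account), not the Apache side; mod_auth_kerb's credential saving only ever sees what the client chose to forward.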


