Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Douglas E. Engert deengert at anl.gov
Wed Jul 18 10:04:12 EDT 2007


You asked how to do this in AD...

An AD admin sets the TRUSTED_FOR_DELEGATION bit in UserAccountControl for the server.
But not just any admin can set this; who can set the bit is controlled by a group
control policy on the DC. In 2000 you had to edit a file. In 2003 there is a way to
set it, see below.


UserAccountControl definitions:
http://support.microsoft.com/kb/305144


Some pointers to trusted for delegation
http://support.microsoft.com/kb/250874
http://support.microsoft.com/kb/322143/EN-US/
http://technet2.microsoft.com/windowsserver/en/library/72612d01-622c-46b7-ab4a-69955d0687c81033.mspx?mfr=true


Enable computer and user accounts to be trusted for delegation
http://technet2.microsoft.com/windowsserver/en/library/a9fd0aa2-301c-42b3-a7b1-2595631c389f1033.mspx?mfr=true


-- 

Mikkel Kruse Johnsen wrote:
> Hi All
> 
> That did the trick, recompiling krb5-1.5 (on RHEL5 64bit) with that
> patch.
> 
> Now I only have the problem that mod_auth_kerb doesn't write my
> credentials to KRB5CCNAME (in PHP).
> 
> My "kerbtray" under Windows says it is Forwardable but no "Ok to
> delegate", so I guess that is the problem.
> 
> Under linux they are forwardable.
> 
> ------
> [mkj at tux ~]$ klist -f
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: mkj.lib at HHK.DK
> 
> Valid starting     Expires            Service principal
> 07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK at HHK.DK
>         renew until 07/19/07 09:16:49, Flags: FRIA
> 07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK at HHK.DK
>         renew until 07/19/07 09:16:49, Flags: FRAO
> 07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk at CBS.DK
>         renew until 07/18/07 09:17:04, Flags: FRAT
> 07/18/07 09:35:35  07/18/07 19:16:55  host/sugi.cbs.dk at CBS.DK
>         renew until 07/18/07 09:35:35, Flags: FRAT
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt500
> klist: You have no tickets cached
> --------
> 
> 
> I found how to set ok-as-delegate for Heimdal; how is this done for MIT
> Kerberos?
> 
> And how is it done under MS AD ?
> 
> /Mikkel
> 
> 
> On Tue, 2007-07-17 at 21:25 +0200, Achim Grolms wrote:
> 
>> On Tuesday 17 July 2007 09:41, Mikkel Kruse Johnsen wrote:
>>
>>> gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
>>> may provide more information (Cannot allocate memory)
>> What OS and what Kerberos libs do you use?
>> Background of this question:
>>
>> I've seen this error message "Cannot allocate memory"
>> (and its solution) in
>>
>> <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>
>>
>> Achim
> 
> Mikkel Kruse Johnsen
> Linet
> Ørholmgade 6 st tv
> 2200 København N
> 
> Tlf: +45 2128 7793
> email: mikkel at linet.dk
> www: http://www.linet.dk
> 
> 
> ------------------------------------------------------------------------
> 
> diff -r -u krb5-1.5.orig/src/lib/gssapi/krb5/indicate_mechs.c krb5-1.5/src/lib/gssapi/krb5/indicate_mechs.c
> --- krb5-1.5.orig/src/lib/gssapi/krb5/indicate_mechs.c	2006-06-15 00:27:54.000000000 +0200
> +++ krb5-1.5/src/lib/gssapi/krb5/indicate_mechs.c	2007-07-18 08:59:13.000000000 +0200
> @@ -34,7 +34,7 @@
>  {
>     *minor_status = 0;
>  
> -   if (! gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set)) {
> +   if (gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set)) {
>           *mech_set     = GSS_C_NO_OID_SET;
>           *minor_status = ENOMEM;
>           return(GSS_S_FAILURE);
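Review bot: the fix hinges on the return convention of gssint_copy_oid_set. The new test `if (gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set))` treats the result as a GSS status where zero means success; under that convention the old `!` took the ENOMEM error path exactly when the copy had succeeded, which matches the "Cannot allocate memory" failure quoted earlier in the thread. Confirm the declaration before merging, since a helper that returns a boolean success indicator would make the original test the correct one. Separately, the error path overwrites `*minor_status = ENOMEM` after the callee has had a chance to set it, so any more specific minor code from the copy is lost; consider keeping the callee's value when it is non-zero.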
> 
> 
> ------------------------------------------------------------------------
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
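As an added example (not code from this thread, from MIT krb5 or from mod_auth_kerb), the following Python decodes the two things the thread is checking: the flag letters printed by `klist -f`, where `O` is the ok-as-delegate flag that is present on Mikkel's cross-realm TGT but missing from his service tickets, and the UserAccountControl bits from KB 305144, where TRUSTED_FOR_DELEGATION (0x80000) is the bit Doug says an AD admin has to set on the server account. The flag-letter table follows the MIT klist man page; the sample klist text is the output quoted in the thread with the archive's ` at ` restored to `@`; the UserAccountControl values fed to the decoder are constructed.

```python
"""Decode Kerberos delegation state from the two places discussed in the thread:
MIT `klist -f` flag letters and AD UserAccountControl bits."""
import re

# Flag letters printed by MIT `klist -f` (MIT klist man page).
KLIST_FLAGS = {
    "F": "Forwardable", "f": "forwarded",
    "P": "Proxiable", "p": "proxy",
    "D": "postDateable", "d": "postdated",
    "R": "Renewable", "I": "Initial", "i": "invalid",
    "H": "Hardware authenticated", "A": "preAuthenticated",
    "T": "Transit policy checked", "O": "Okay as delegate",
    "a": "anonymous",
}

# UserAccountControl bits from KB 305144 (the delegation-related ones plus a few common ones).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
TRUSTED_FOR_DELEGATION = 0x80000

# A ticket line: "<start> <expires> <service principal>"; the flags follow on the next line.
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(.+?)\s*$")
FLAGS_RE = re.compile(r"Flags:\s*([A-Za-z]+)")

# Sample input: the `klist -f` output quoted in the thread, with the archive's " at " restored to "@".
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@HHK.DK

Valid starting     Expires            Service principal
07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK@HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRIA
07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK@HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRAO
07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk@CBS.DK
        renew until 07/18/07 09:17:04, Flags: FRAT
07/18/07 09:35:35  07/18/07 19:16:55  host/sugi.cbs.dk@CBS.DK
        renew until 07/18/07 09:35:35, Flags: FRAT


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
"""


def parse_klist(text):
    """Return [{service, flags, names}] for each ticket in `klist -f` output.

    The flag letters are on the indented line after the ticket line, so they are
    attached to the most recently seen ticket. Archive-mangled " at " is mapped back to "@"."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            service = m.group(3).replace(" at ", "@")
            tickets.append({"service": service, "flags": set(), "names": []})
            continue
        m = FLAGS_RE.search(line)
        if m and tickets:
            letters = m.group(1)
            tickets[-1]["flags"] = set(letters)
            tickets[-1]["names"] = [KLIST_FLAGS.get(c, "unknown:" + c) for c in letters]
    return tickets


def delegation_report(text):
    """Map each ticket's service principal to whether the KDC marked it ok-as-delegate ('O')."""
    return {t["service"]: "O" in t["flags"] for t in parse_klist(text)}


def decode_uac(value):
    """Return the sorted names of the known UserAccountControl bits set in `value`,
    plus any bits not in the table, so a reviewer sees everything that is set."""
    names = sorted(name for bit, name in UAC_FLAGS.items() if value & bit)
    known_mask = 0
    for bit in UAC_FLAGS:
        known_mask |= bit
    return {"flags": names, "unknown_bits": value & ~known_mask}


def account_trusted_for_delegation(value):
    """True when the server account carries the bit that makes the KDC set 'O' on its tickets."""
    return bool(value & TRUSTED_FOR_DELEGATION)


if __name__ == "__main__":
    for service, ok in delegation_report(SAMPLE_KLIST).items():
        print(f"{service:28s} ok-as-delegate={ok}")
    # Constructed value: a server computer account with TRUSTED_FOR_DELEGATION set.
    print(decode_uac(0x2000 | 0x10000 | TRUSTED_FOR_DELEGATION))
```

Run against the quoted output, only the cross-realm TGT `krbtgt/CBS.DK@HHK.DK` carries `O`; the `HTTP/sugi.cbs.dk@CBS.DK` ticket does not, which is the "Forwardable but no Ok to delegate" state the thread describes. On the AD side, a UserAccountControl value read from the server's computer object can be fed to `decode_uac` to check whether TRUSTED_FOR_DELEGATION is actually set.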


