Negotiate on Windows with cross-realm trust AD and MIT Kerberos.
Douglas E. Engert
deengert at anl.gov
Wed Jul 18 10:04:12 EDT 2007
You asked how to do this in AD...
An AD admin sets the TRUSTED_FOR_DELEGATION bit in UserAccountControl for the server.
But not just any admin can set this; who can set the bit is controlled by a group
control policy on the DC. In 2000 you had to edit a file. In 2003 there is a way to
set it; see below.
UserAccountControl definitions:
http://support.microsoft.com/kb/305144
Some pointers to trusted for delegation
http://support.microsoft.com/kb/250874
http://support.microsoft.com/kb/322143/EN-US/
http://technet2.microsoft.com/windowsserver/en/library/72612d01-622c-46b7-ab4a-69955d0687c81033.mspx?mfr=true
Enable computer and user accounts to be trusted for delegation
http://technet2.microsoft.com/windowsserver/en/library/a9fd0aa2-301c-42b3-a7b1-2595631c389f1033.mspx?mfr=true
--
Mikkel Kruse Johnsen wrote:
> Hi All
>
> That did the trick, recompiling krb5-1.5 (on RHEL5 64bit) with that
> patch.
>
> Now I only have the problem that mod_auth_kerb doesn't write my
> credentials to KRB5CCNAME (in PHP).
>
> My "kerbtray" under Windows says it is Forwardable but no "Ok to
> delegate", so I guess that is the problem.
>
> Under linux they are forwardable.
>
> ------
> [mkj at tux ~]$ klist -f
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: mkj.lib@HHK.DK
>
> Valid starting     Expires            Service principal
> 07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK@HHK.DK
>         renew until 07/19/07 09:16:49, Flags: FRIA
> 07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK@HHK.DK
>         renew until 07/19/07 09:16:49, Flags: FRAO
> 07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk@CBS.DK
>         renew until 07/18/07 09:17:04, Flags: FRAT
> 07/18/07 09:35:35  07/18/07 19:16:55  host/sugi.cbs.dk@CBS.DK
>         renew until 07/18/07 09:35:35, Flags: FRAT
>
>
> Kerberos 4 ticket cache: /tmp/tkt500
> klist: You have no tickets cached
> --------
>
>
> I found how to set ok-as-delegate for Heimdal; how is this done for MIT
> Kerberos?
>
> And how is it done under MS AD ?
>
> /Mikkel
>
>
> On Tue, 2007-07-17 at 21:25 +0200, Achim Grolms wrote:
>
>> On Tuesday 17 July 2007 09:41, Mikkel Kruse Johnsen wrote:
>>
>>> gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
>>> may provide more information (Cannot allocate memory)
>> What OS and what Kerberoslibs do you use?
>> Background of this question:
>>
>> I've seen this error message "Cannot allocate memory"
>> (and its solution) in
>>
>> <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>
>>
>> Achim
>
> Mikkel Kruse Johnsen
> Linet
> Ørholmgade 6 st tv
> 2200 København N
>
> Tlf: +45 2128 7793
> email: mikkel at linet.dk
> www: http://www.linet.dk
>
>
> ------------------------------------------------------------------------
>
> diff -r -u krb5-1.5.orig/src/lib/gssapi/krb5/indicate_mechs.c krb5-1.5/src/lib/gssapi/krb5/indicate_mechs.c
> --- krb5-1.5.orig/src/lib/gssapi/krb5/indicate_mechs.c 2006-06-15 00:27:54.000000000 +0200
> +++ krb5-1.5/src/lib/gssapi/krb5/indicate_mechs.c 2007-07-18 08:59:13.000000000 +0200
> @@ -34,7 +34,7 @@
> {
> *minor_status = 0;
>
> - if (! gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set)) {
> + if (gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set)) {
> *mech_set = GSS_C_NO_OID_SET;
> *minor_status = ENOMEM;
> return(GSS_S_FAILURE);
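Review bot: the sense of the test on the changed `if` line was inverted in the original: gssint_copy_oid_set returns a GSS major status, zero on success, so `if (! gssint_copy_oid_set(...))` took the failure branch exactly when the copy had succeeded and reported ENOMEM for a call that had not failed, which is the "Cannot allocate memory" minor status seen from gss_accept_sec_context() upthread. The `+` line is the right fix. One follow-up for the same hunk: the failure branch still does `*minor_status = ENOMEM;` after gssint_copy_oid_set has already been handed `minor_status` and may have written its own reason into it, so a genuine failure for any other cause would still be reported as out-of-memory; consider dropping that assignment, or only defaulting to ENOMEM when the callee left `*minor_status` at 0.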
>
>
> ------------------------------------------------------------------------
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
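What the AD-side step described in this reply amounts to in practice, as an added example that is not from this thread or from any of its participants. It uses the RSAT ActiveDirectory PowerShell module (Windows Server 2008 R2 and later, so later than the 2000/2003 procedures referenced above). The SPN is the one from the klist output in the quoted message; the account that holds it, and that the session is joined to or targets the CBS.DK domain, are assumptions.

```powershell
# Added example, not code from the thread. Inspect, and if needed set,
# TRUSTED_FOR_DELEGATION (0x80000 in userAccountControl, per KB 305144) on
# whichever account holds the web server's HTTP/ SPN. Assumes the RSAT
# ActiveDirectory module and a caller who holds SeEnableDelegationPrivilege
# ("Enable computer and user accounts to be trusted for delegation") on the DC.

$TRUSTED_FOR_DELEGATION = 0x80000

function Get-DelegationState {
    param([string]$Spn)
    # Delegation is a property of the account, not of the SPN, so resolve
    # the SPN to its owning computer or user object first. The account name
    # is not known from the thread; the LDAP search finds it.
    $acct = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                         -Properties userAccountControl, servicePrincipalName
    if (-not $acct) { throw "no account holds SPN $Spn" }
    $uac = [int]$acct.userAccountControl
    [pscustomobject]@{
        Account   = $acct.DistinguishedName
        UAC       = ('0x{0:X}' -f $uac)
        Delegate  = (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0)
    }
}

function Enable-TrustedForDelegation {
    param([string]$Spn)
    $state = Get-DelegationState -Spn $Spn
    if ($state.Delegate) {
        Write-Host "$($state.Account) already has TRUSTED_FOR_DELEGATION"
        return $state
    }
    # Set-ADAccountControl flips the bit for computer and user accounts alike;
    # it fails with access denied unless the caller has the user right above.
    Set-ADAccountControl -Identity $state.Account -TrustedForDelegation $true
    # Re-read rather than trusting the write: verifies the DC accepted it.
    Get-DelegationState -Spn $Spn
}

# Hostname/SPN from the quoted klist output (HTTP/sugi.cbs.dk@CBS.DK).
Get-DelegationState -Spn 'HTTP/sugi.cbs.dk'
# Uncomment to actually set the bit:
# Enable-TrustedForDelegation -Spn 'HTTP/sugi.cbs.dk'
```

Two points for whoever runs this. First, the user right named in the linked TechNet article ("Enable computer and user accounts to be trusted for delegation", SeEnableDelegationPrivilege) is what gates the write; Domain Admins have it by default, a delegated OU admin usually does not, which is the "not just any admin" remark above. Second, TRUSTED_FOR_DELEGATION is unconstrained delegation: once set, the web server can use any client's forwarded TGT against any service in the forest, so on 2003-level and later domains the narrower option is to leave this bit clear and instead list only the back-end services the server needs in msDS-AllowedToDelegateTo on the same account (constrained delegation); that variant is outside what the thread discusses.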