[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.
Douglas E. Engert
deengert at anl.gov
Wed Jul 18 14:14:45 EDT 2007
Stephen Frost wrote:
> * Mikkel Kruse Johnsen (mikkel at linet.dk) wrote:
>> Now I only have the problem that mod_auth_kerb doesn't write my
>> credentials to KRB5CCNAME (in PHP).
>>
>> My "kerbtray" under windows says it is Forwardable but no "Ok to
>> delegate", So I guess that is the problem.
Have a look at the "ksetup /SetRealmFlag <realm> Delegate" command,
as it will tell a Windows client to assume the KDC has set
the OK_AS_DELEGATE bit. This can be used where the KDC does support
setting of the bit. But this only works on a Windows client.
>>
>> Under linux they are forwardable.
> [...]
>> I found how to set ok-as-delegate for Heimdal; how is this done for MIT
>> Kerberos?
>
> The short answer is, you don't. For reasons unknown to me, the MIT
> Kerberos upstream folks have seen fit to implement something in their
> client libraries that's not done in their server. This means that even
> a completely MIT solution breaks. We've heard of some patches going
> around to implement the ok-as-delegate flag in the MIT KDC but haven't
> been able to actually get a hold of them yet.
>
> If we're unable to we might end up writing some ourselves as this is
> rather important to us. If we find or write patches to fix this glaring
> problem in the MIT KDC we'll be sure to post them.
>
> Thanks,
>
> Stephen
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
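The ksetup realm-flag approach Douglas describes above, as an added worked example for the Windows client side (this is not code from the original thread or from the mod_auth_kerb project). It assumes the realm name EXAMPLE.ORG and the service principal HTTP/www.example.org are placeholders, that the client has already been configured for the MIT realm with ksetup /addkdc, and that the realm flags live as the RealmFlags DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\<REALM> with the delegate flag at bit 0x4 (the documented ksetup flag layout; treat the bit values as an assumption and check ksetup /dumpstate on your own build). It checks the flag before touching anything, uses /addrealmflags so existing flags such as tcpsupported are not clobbered, and purges cached tickets so the change affects freshly acquired service tickets.

```powershell
# Added example, not part of the original post or of mod_auth_kerb.
# Idempotently enable the "delegate" realm flag for an MIT realm on a Windows
# client, so the client treats tickets from that realm as OK_AS_DELEGATE even
# when the MIT KDC does not set the bit itself. Run from an elevated prompt.
#
# Assumptions (labelled): realm name and SPN below are hypothetical; registry
# path and bit values follow the ksetup realm-flag layout:
#   sendaddress = 0x1, tcpsupported = 0x2, delegate = 0x4, ncsupported = 0x8

param(
    [string]$Realm = 'EXAMPLE.ORG',                      # hypothetical realm
    [string]$Spn   = 'HTTP/www.example.org@EXAMPLE.ORG'  # hypothetical SPN
)

$DelegateBit = 0x4
$RealmKey    = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$Realm"

function Get-RealmFlags {
    # Returns the current RealmFlags DWORD for the realm, or 0 if unset.
    param([string]$Key)
    if (-not (Test-Path $Key)) {
        throw "Realm key $Key not found; configure the realm first with 'ksetup /addkdc $Realm <kdc-host>'"
    }
    $item = Get-ItemProperty -Path $Key -Name RealmFlags -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.RealmFlags
}

function Test-RealmDelegateFlag {
    # True when the delegate bit is already present in the realm flags.
    param([int]$Flags)
    return (($Flags -band $DelegateBit) -ne 0)
}

$flags = Get-RealmFlags -Key $RealmKey
Write-Host ("Current RealmFlags for {0}: 0x{1:X}" -f $Realm, $flags)

if (Test-RealmDelegateFlag -Flags $flags) {
    Write-Host "delegate flag already set for $Realm; nothing to do"
} else {
    # /addrealmflags ORs the flag in; /setrealmflags would replace all flags.
    & ksetup /addrealmflags $Realm delegate
    if ($LASTEXITCODE -ne 0) { throw "ksetup /addrealmflags failed with exit code $LASTEXITCODE" }

    $after = Get-RealmFlags -Key $RealmKey
    if (-not (Test-RealmDelegateFlag -Flags $after)) {
        throw "delegate flag still absent after ksetup (RealmFlags=0x{0:X})" -f $after
    }
    Write-Host ("delegate flag enabled; RealmFlags now 0x{0:X}" -f $after)
}

# Show the client's view of the realm, then drop cached tickets so the next
# request for the web server's service ticket is made under the new setting.
& ksetup /dumpstate
& klist purge
& klist get $Spn
& klist tickets
```

The klist output at the end is for eyeballing the service ticket; the realm flag changes how the client treats the ticket, so do not rely on the printed ticket flags alone, and confirm the behaviour end to end by checking that mod_auth_kerb actually receives a delegated credential on the server side.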