[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Mikkel Kruse Johnsen mikkel at linet.dk
Mon Jul 23 05:24:12 EDT 2007


Hi Douglas

Setting: "ksetup /SetRealmFlag CBS.DK Delegate" did not work. Still no
KRB5CCNAME in apache.

I have recompiled krb5-1.5 (RHEL5) with a patch to make it possible to
set the ok-as-delegate flag. I then set the flag on
"HTTP/sugi.cbs.dk@CBS.DK" and Windows kerbtray shows "Ok as delegate"
checked, but there is still no KRB5CCNAME saved.

1) Just to be safe, does mod_auth_kerb save the KRB5CCNAME env when running
PHP as a module under Apache?

2) Where should I set the ok-as-delegate flag: on my own principal or on
HTTP/sugi.cbs.dk?

Any other info is appreciated.

/Mikkel

On Wed, 2007-07-18 at 13:14 -0500, Douglas E. Engert wrote:

> 
> Stephen Frost wrote:
> > * Mikkel Kruse Johnsen (mikkel at linet.dk) wrote:
> >> Now I only have the problem that mod_auth_kerb don't write my
> >> credentials to KRB5CCNAME (in PHP).
> >>
> >> My "kerbtray" under windows says it is Forwardable but no "Ok to
> >> delegate", So I guess that is the problem.
> 
> 
> Have a look at the "ksetup /SetRealmFlag <realm> Delegate" command
> as it will tell a Windows client to assume the KDC has set
> the OK_AS_DELEGATE bit. This can be used where the KDC does support
> setting of the bit.  But this only works on a Windows client.
> 
> 
> >>
> >> Under linux they are forwardable.
> > [...]
> >> I found how to set ok-as-delegate for heimdal how is this done for MIT
> >> kerberos ?
> > 
> > The short answer is, you don't.  For reasons unknown to me, the MIT
> > Kerberos upstream folks have seen fit to implement something in their
> > client libraries that's not done in their server.  This means that even
> > a completely MIT solution breaks.  We've heard of some patches going
> > around to implement the ok-as-delegate flag in the MIT KDC but haven't
> > been able to actually get a hold of them yet.
> > 
> > If we're unable to we might end up writing some ourselves as this is
> > rather important to us.  If we find or write patches to fix this glaring
> > problem in the MIT KDC we'll be sure to post them.
> > 
> > 	Thanks,
> > 	
> > 		Stephen
> > 
> > 
> > ------------------------------------------------------------------------
> > 
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> 

Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: mikkel at linet.dk
www: http://www.linet.dk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5-1.5-mech.patch
Type: text/x-patch
Size: 602 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20070723/bae675eb/attachment.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5-1.5-ok-as-delegate.patch
Type: text/x-patch
Size: 6443 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20070723/bae675eb/attachment-0001.bin
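The thread above is comparing two ticket flags: forwardable (what Mikkel sees under Linux and in kerbtray) and ok-as-delegate (what kerbtray did not show until the KDC was patched). The following is an added example, not code from the thread, from mod_auth_kerb or from MIT Kerberos. It parses the text layout that MIT `klist -f` prints and reports, for the HTTP service ticket, which of the two flags the KDC actually set. The two listings embedded in it are constructed for the example (the principal names are the thread's; the cache path and timestamps are made up), and the flag letters follow the MIT `klist` legend (F = forwardable, O = ok as delegate).

```python
"""Check a Kerberos ticket cache listing for the delegation-relevant flags.

Added example for the modauthkerb thread; not the project's own code. It
parses the output format of MIT `klist -f` and tells the forwardable (F)
flag apart from the ok-as-delegate (O) flag, which is the distinction
the thread is debugging.
"""
import re
import subprocess

# Flag letters as printed by MIT klist -f (subset relevant here).
FLAG_NAMES = {
    "F": "forwardable",
    "f": "forwarded",
    "P": "proxiable",
    "R": "renewable",
    "I": "initial",
    "A": "preauthenticated",
    "O": "ok_as_delegate",
}

# Constructed sample: what Mikkel described (forwardable, no ok-as-delegate).
SAMPLE_NO_DELEGATE = """\
Ticket cache: FILE:/tmp/krb5cc_48
Default principal: mikkel@CBS.DK

Valid starting       Expires              Service principal
07/23/2007 10:00:00  07/23/2007 20:00:00  krbtgt/CBS.DK@CBS.DK
\tFlags: FRIA
07/23/2007 10:05:00  07/23/2007 20:00:00  HTTP/sugi.cbs.dk@CBS.DK
\tFlags: FA
"""

# Constructed sample: same cache after the KDC marks HTTP/ ok-as-delegate.
SAMPLE_DELEGATE = SAMPLE_NO_DELEGATE.replace("\tFlags: FA\n", "\tFlags: FAO\n")

# One ticket line: start time, expiry, service principal.
ENTRY_RE = re.compile(
    r"^\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}\s+"
    r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}\s+(?P<princ>\S+)\s*$"
)
# The indented flags line klist -f prints under each ticket.
FLAGS_RE = re.compile(r"^\s*Flags:\s*(?P<flags>\S+)")


def parse_klist(text):
    """Map each service principal in a klist -f listing to its flag set."""
    tickets = {}
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = m.group("princ")
            tickets[current] = set()
            continue
        m = FLAGS_RE.match(line)
        if m and current is not None:
            tickets[current] = set(m.group("flags"))
    return tickets


def delegation_status(tickets, service):
    """Return the two delegation-relevant flags for one service ticket."""
    flags = tickets.get(service)
    if flags is None:
        return None
    return {"forwardable": "F" in flags, "ok_as_delegate": "O" in flags}


def diagnose(tickets, service):
    """Classify the ticket the way the thread reasons about it."""
    status = delegation_status(tickets, service)
    if status is None:
        return "no_ticket"          # no service ticket in the cache at all
    if not status["forwardable"]:
        return "not_forwardable"    # TGT/client policy, not the KDC bit
    if not status["ok_as_delegate"]:
        return "forwardable_no_ok_as_delegate"  # Mikkel's kerbtray situation
    return "ok"


def describe(tickets):
    """Human-readable flag names per ticket, e.g. for a quick dump."""
    return {p: sorted(FLAG_NAMES.get(f, f) for f in fl) for p, fl in tickets.items()}


if __name__ == "__main__":
    # Try the live cache; fall back to the constructed sample offline.
    try:
        text = subprocess.run(["klist", "-f"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_NO_DELEGATE
    tickets = parse_klist(text)
    for princ, names in describe(tickets).items():
        print(princ, names)
    print(diagnose(tickets, "HTTP/sugi.cbs.dk@CBS.DK"))
```

Run it on the web server after a `kinit` as the test user and a request to the site: `forwardable_no_ok_as_delegate` means the client side can forward but the KDC never asserted ok-as-delegate for the HTTP/ principal, which is the flag Windows clients look at before delegating; `ok` means both bits are present and the remaining question is whether mod_auth_kerb exports KRB5CCNAME at all.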