[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kereros.
Mikkel Kruse Johnsen
mikkel at linet.dk
Mon Jul 23 05:24:12 EDT 2007
Hi Douglas
Setting: "ksetup /SetRealmFlag CBS.DK Delegate" did not work. Still no
KRB5CCNAME in apache.
I have recompiled krb5-1.5 (RHEL5) with a patch to make it possible to
set the ok-as-delegate flag. I then set the flag on
"HTTP/sugi.cbs.dk at CBS.DK" and windows kerbtray shows "Ok as delegate"
checked. but there is still no KRB5CCNAME saved.
1) Just to be save, does mod_auth_kerb save KRB5CCNAME env. when running
php as a module under apache ?
2) Where should I set the ok-as-delegate, is it on my own principle or
the HTTP/sugi.cbs.dk ?
Any other info is approciated.
/Mikkel
On Wed, 2007-07-18 at 13:14 -0500, Douglas E. Engert wrote:
>
> Stephen Frost wrote:
> > * Mikkel Kruse Johnsen (mikkel at linet.dk) wrote:
> >> Now I only have the problem that mod_auth_kerb don't write my
> >> credentials to KRB5CCNAME (in PHP).
> >>
> >> My "kerbtray" under windows says it is Forwardable but no "Ok to
> >> delegate", So I guess that is the problem.
>
>
> Have a look at the "ksetup /SetRealmFlag <realm> Delegate" command
> as it will tell a Windows client to assume the KDC has set
> the OK_AS_DELAGATE bit. This can be used where the KDC does support
> setting of the bit. But this only works on a Windows client.
>
>
> >>
> >> Under linux they are forwardable.
> > [...]
> >> I found how to set ok-as-delegate for heimdal how is this done for MIT
> >> kerberos ?
> >
> > The short answer is, you don't. For reasons unknown to me, the MIT
> > Kerberos upstream folks have seen fit to implement something in their
> > client libraries that's not done in their server. This means that even
> > a completely MIT solution breaks. We've heard of some patches going
> > around to implement the ok-as-delegate flag in the MIT KDC but havn't
> > been able to actually get a hold of them yet.
> >
> > If we're unable to we might end up writing some ourselves as this is
> > rather important to us. If we find or write patches to fix this glaring
> > problem in the MIT KDC we'll be sure to post them.
> >
> > Thanks,
> >
> > Stephen
> >
> >
> > ------------------------------------------------------------------------
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N
Tlf: +45 2128 7793
email: mikkel at linet.dk
www: http://www.linet.dk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5-1.5-mech.patch
Type: text/x-patch
Size: 602 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20070723/bae675eb/attachment.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5-1.5-ok-as-delegate.patch
Type: text/x-patch
Size: 6443 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20070723/bae675eb/attachment-0001.bin
More information about the Kerberos
mailing list