[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Mikkel Kruse Johnsen mikkel at linet.dk
Mon Jul 23 16:36:43 EDT 2007


Hi Markus

Yes, that is what I want. I need the KRB5CCNAME (the credential) so I can
log in to my OpenLDAP SASL-based server and PostgreSQL with Kerberos.

/Mikkel

On Mon, 2007-07-23 at 19:33 +0100, Markus Moeller wrote:

>  
> 
> Storing credentials in a krb5 cache pointing to KRB5CCNAME has nothing
> to do with delegation.  You only need delegation if you want
> Apache to log into a backend application with the user's ID. Is that what
> you want? If so, you need to be very careful as it gives your Apache
> server a lot of power if you don't use constrained delegation.  You
> need to protect it like a domain controller !!!
>  
> Markus
>  
>         "Mikkel Kruse Johnsen" <mikkel at linet.dk> wrote in message
>         news:1184745677.3078.5.camel at tux.lib.cbs.dk...
>         
>         Hi All
>         
>         That did the trick, recompiling krb5-1.5 (on RHEL5 64bit) with
>         that patch.
>         
>         Now I only have the problem that mod_auth_kerb doesn't write my
>         credentials to KRB5CCNAME (in PHP).
>         
>         My "kerbtray" under Windows says it is Forwardable but not "Ok
>         to delegate", so I guess that is the problem.
>         
>         Under Linux they are forwardable.
>         
>         ------
>         [mkj at tux ~]$ klist -f
>         Ticket cache: FILE:/tmp/krb5cc_500
>         Default principal: mkj.lib at HHK.DK
>         
>         Valid starting     Expires            Service principal
>         07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK at HHK.DK
>                 renew until 07/19/07 09:16:49, Flags: FRIA
>         07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK at HHK.DK
>                 renew until 07/19/07 09:16:49, Flags: FRAO
>         07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk at CBS.DK
>                 renew until 07/18/07 09:17:04, Flags: FRAT
>         07/18/07 09:35:35  07/18/07 19:16:55  host/sugi.cbs.dk at CBS.DK
>                 renew until 07/18/07 09:35:35, Flags: FRAT
>         
>         
>         Kerberos 4 ticket cache: /tmp/tkt500
>         klist: You have no tickets cached
>         --------
>         
>         
>         I found how to set ok-as-delegate for Heimdal; how is this done
>         for MIT Kerberos?
>         
>         And how is it done under MS AD?
>         
>         /Mikkel
>         
>         
>         On Tue, 2007-07-17 at 21:25 +0200, Achim Grolms wrote: 
>         
>         > On Tuesday 17 July 2007 09:41, Mikkel Kruse Johnsen wrote:
>         > 
>         > > gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
>         > > may provide more information (Cannot allocate memory)
>         > 
>         > What OS and what Kerberos libs do you use?
>         > Background of this question:
>         > 
>         > I've seen this error message "Cannot allocate memory"
>         > (and its solution) in
>         > 
>         > <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>
>         > 
>         > Achim
>         
>         Mikkel Kruse Johnsen
>         Linet
>         Ørholmgade 6 st tv
>         2200 København N
>         
>         Tlf: +45 2128 7793
>         email: mikkel at linet.dk
>         www: http://www.linet.dk 
>         
>         
>         _______________________________________________
>         modauthkerb-help mailing list
>         modauthkerb-help at lists.sourceforge.net
>         https://lists.sourceforge.net/lists/listinfo/modauthkerb-help

Mikkel Kruse Johnsen
Adm.Dir.

Linet
Ørholmgade 6 st tv
Copenhagen N 2200
Denmark

Work: +45 21287793
Mobile: +45 21287793
Email: mikkel at linet.dk
IM: mikkel at linet.dk (MSN)
Professional Profile: Healthcare Network Consultant
