[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.
Douglas E. Engert
deengert at anl.gov
Thu Jul 26 14:16:18 EDT 2007
One more idea...
Achim Grolms wrote:
> On Thursday 26 July 2007 19:41, Douglas E. Engert wrote:
>> Mikkel Kruse Johnsen wrote:
>>> Hi Douglas
>>>
>>> I have already done all these steps.
>> It still looks like the client is not delegating.
>
> I am not sure if this idea works
> but maybe you (Mikkel) can give it a try?
>
> From my point of view that means we can exclude the item
> "Client sends nothing as delegated credentials" because from
> my point of view the logging means *something* is received.
No, the trace showed that the client obtained a TGT to forward,
but did not forward it.
reqFlags: 02
0... .... = delegFlag:False
The bit should be set, and the delegated credential would have been
in the same packet too, and it's not there. The service ticket to
authenticate to the service is there but not the delegation.
This sounds like a client issue, like the FireFox
network.negociate.* flags.
>
> My next idea is:
>
> to add more logging information to mod_auth_kerb
>
> gss_inquire_cred
> (RFC 2744, sect. 5.21.)
>
> can be used to make the logging having a closer look to
> the delegated credential 'delegated_cred'.
>
> This can be used to write name, lifetime, cred_usage and mechanisms
> to logfile.
>
> Achim
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
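
The `reqFlags: 02` / `delegFlag:False` reading from the trace in the message above can be checked by decoding the SPNEGO ContextFlags BIT STRING by hand. This is an added example, not code from the thread or from mod_auth_kerb; the function names and sample bytes are constructed for illustration, and the bit layout is the ContextFlags definition in RFC 4178.

```c
#include <stddef.h>
#include <stdio.h>

/* ContextFlags names from RFC 4178; bit 0 is the most significant bit. */
static const char *const FLAG_NAMES[7] = { "delegFlag", "mutualFlag", "replayFlag",
    "sequenceFlag", "anonFlag", "confFlag", "integFlag" };

/* Parse a DER BIT STRING (tag 0x03) carrying ContextFlags.
 * Returns 0 and stores the first flag octet, or -1 on malformed input. */
int parse_req_flags(const unsigned char *der, size_t len, unsigned char *flags)
{
    if (len < 3 || der[0] != 0x03 || (der[1] & 0x80))
        return -1;                       /* wrong tag or long-form length */
    size_t body = der[1];                /* unused-bits octet + value octets */
    unsigned unused = der[2];
    if (body < 1 || body + 2 > len || unused > 7 || (body == 1 && unused))
        return -1;
    *flags = body > 1 ? der[3] : 0;      /* empty bit string: no flags set */
    if (body == 2)                       /* padding bits sit in the last octet */
        *flags &= (unsigned char)(0xFFu << unused);
    return 0;
}

int flag_set(unsigned char flags, int bit) { return (flags >> (7 - bit)) & 1; }

/* Write the comma-separated names of the set flags into buf. */
size_t describe_flags(unsigned char flags, char *buf, size_t n)
{
    size_t used = 0;
    if (n) buf[0] = '\0';
    for (int bit = 0; bit < 7; bit++) {
        if (!flag_set(flags, bit)) continue;
        int w = snprintf(buf + used, n - used, "%s%s", used ? "," : "", FLAG_NAMES[bit]);
        if (w < 0 || (size_t)w >= n - used) break;   /* output truncated */
        used += (size_t)w;
    }
    return used;
}

int main(void)
{
    /* Constructed sample matching the trace: BIT STRING, 1 unused bit, value 02. */
    const unsigned char der[] = { 0x03, 0x02, 0x01, 0x02 };
    unsigned char f; char names[96];
    if (parse_req_flags(der, sizeof der, &f) != 0) return 1;
    describe_flags(f, names, sizeof names);
    printf("reqFlags %02x: %s (delegFlag=%d)\n", f, names, flag_set(f, 0));
    return 0;
}
```

A flag octet of `02` decodes to integFlag only; a client that delegates would send an octet with the top bit (`0x80`) set.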