Different Heimdal/MIT behaviour of krb5_get_credentials ?
Henry B. Hotz
hotz at jpl.nasa.gov
Fri Jun 1 16:57:54 EDT 2007
On Jun 1, 2007, at 12:00 PM, Markus Moeller wrote:
>
> "Henry B. Hotz" <hotz at jpl.nasa.gov> wrote in message
> news:65054D89-41A4-4CA7-B6A1-9C5059848416 at jpl.nasa.gov...
>>
>> On May 31, 2007, at 11:25 AM, Markus Moeller wrote:
>>
>>> I have a AD forest with MM.COM with domains
>>> DOM1.MM.COM,DOM2.MM.COM and
>>> SUB.DOM2.MM.COM which all trust each other. To test the
>>> availability of
>>> service tickets I created the following short program:
>>
>> Any particular reason you didn't use kvno (MIT) and kgetcred
>> (Heimdal)?
>
> Not really, only I am not sure if it will achieve what I want. My
> final
> goal is to determine easily for a user/application if a domain has
> trust to
> another. My thought was that the user does a kinit to his domain
> DOM1 (or an
> application kinit against a keytab) and then tries to get a krbtgt
> for the
> unknown domain DOM2. If he gets the tgt they have trust if not they
> don't.
>
> Does this make sense ?
Sure it does. You could do that with the utilities I listed too, but
writing your own code you've got more visibility into what's happening.
I'm sure you realize it could fail for more reasons than just lack of
a trust relationship also. I've found I can't get away from these
little hip-picket test programs when I need to debug things. Name
canonicalization and DNS (or NIS) interactions seem especially
problematic in the real world for me.
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
More information about the Kerberos
mailing list