openssh + kerberos + windows ad
Christopher D. Clausen
cclausen at acm.org
Thu Jan 7 18:11:08 EST 2010
Marcello Mezzanotti <marcello.mezzanotti at gmail.com> wrote:
> On Wed, Jan 6, 2010 at 12:30 PM, Bob Rasmussen <ras at anzio.com> wrote:
>> 1) What version(s) of PuTTY work in your environment? Did you try the
>> developer's build from the official PuTTY site?
>
> http://sweb.cz/v_t_m/putty/PuTTY-0.58-GSSAPI-2005-07-24.zip
>
> I tested other clients that worked too, but this is the only one
> where I got tickets (klist on Linux). I didn't have time to test other
> krb5.conf options.

Note that when using SSPI credentials, you generally will NOT get
"delegated" tickets on the remote system due to AD's security model.
You need to mess around with "trusted for delegation" settings on the AD
computer account in question to enable credential delegation when using
SSPI and not KfW.

If you copy tickets from SSPI to KfW (using ms2mit.exe or similar) then
this problem goes away.

Additionally, SSPI doesn't handle realm trusts the same way that KfW
does. Sometimes SSPI is better (mainly for trusts between Windows
realms) and sometimes the KfW behaviour is better (in my case for trusts
from AD to non-AD realms.)

The trick is to know what programs use which API and properly configure
it the way you need it to work.

-----
I'll also again mention this version of PuTTY:
http://matthew.loar.name/software/putty/
<<CDC
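
An added diagnostic example, not part of the original message: it parses MIT `klist -f` output and reports which host tickets an SSPI-style client would delegate to. It assumes AD's "trusted for delegation" setting surfaces as the ok-as-delegate ticket flag (`O` in `klist -f`) and that the TGT must be forwardable (`F`); the principals and sample output are constructed.

```python
import re

# Constructed sample of MIT `klist -f` output (not taken from the thread).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
01/07/10 09:00:00  01/07/10 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 01/14/10 09:00:00, Flags: FRIA
01/07/10 09:05:00  01/07/10 19:00:00  host/shell1.example.com@EXAMPLE.COM
\tFlags: FAO
01/07/10 09:06:00  01/07/10 19:00:00  host/shell2.example.com@EXAMPLE.COM
\tFlags: FA
"""

# A ticket line is: start date, start time, end date, end time, principal.
TICKET_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+(\S+@\S+)\s*$")
FLAGS_RE = re.compile(r"Flags:\s*([A-Za-z]+)")

def parse_klist(text):
    """Return {service principal: flag letters} from `klist -f` output."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = m.group(1)
            tickets[current] = ""
            continue
        f = FLAGS_RE.search(line)
        if f and current:
            tickets[current] = f.group(1)
    return tickets

def delegation_report(text):
    """Map each non-TGT ticket to True if delegation to that service is possible.

    Assumed policy: the TGT is forwardable (F) and the service ticket
    carries ok-as-delegate (O).
    """
    tickets = parse_klist(text)
    tgt_forwardable = any(
        "F" in flags for princ, flags in tickets.items() if princ.startswith("krbtgt/")
    )
    return {
        princ: tgt_forwardable and "O" in flags
        for princ, flags in tickets.items()
        if not princ.startswith("krbtgt/")
    }
```

On the remote system, a TGT that arrived by delegation shows the lowercase `f` (forwarded) flag in the same `klist -f` output.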