[EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching
Nebergall, Christopher
cneberg at sandia.gov
Tue Mar 12 17:03:47 EDT 2013
Thank you. I believe that will be very helpful, but I'm unable to test because, while I could get constrained delegation working with the t_s4u test program in 1.10.3, I can't get the test program to work with the same accounts in 1.11.1. The test AD server is Windows 2008 R2 SP 1 in both cases.
./t_s4u p:testusr1@TOPHERVILLE.COM p:host/testkcd2.topherville.com@TOPHERVILLE.COM /tmp/kcd_keytab_tv
Protocol transition tests follow
-----------------------------------
gss_acquire_cred_impersonate_name: Unspecified GSS failure. Minor code may provide more information
gss_acquire_cred_impersonate_name: KDC has no support for padata type
-Christopher
-----Original Message-----
From: Greg Hudson [mailto:ghudson at MIT.EDU]
Sent: Monday, March 11, 2013 10:44 PM
To: Nebergall, Christopher
Cc: kerberos at mit.edu
Subject: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching
On 03/11/2013 08:23 PM, Nebergall, Christopher wrote:
> Does anyone have any tips on copying the credentials created from Kerberos constrained delegation to a credentials cache file and back in again?
This is only possible with 1.11 or later. We use the subject principal as the default ccache principal, and set a ccache config variable to remember the impersonating service principal. More details at:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7046