Kerberos Database Sync with Sub-Domains
Jonathan Towles
jjtowles at synterex.com
Tue Jul 14 09:55:52 EDT 2020
I got it to work if I reference the UPN in the command.
The application is doing AS-Requests.
I'm guessing that they need to change the code as that needs to be applied in the GSS Kerberos H file right?
Jon Towles
CTO, Synterex
(m) 978-609-5545
-----Original Message-----
From: Isaac Boukris <iboukris at gmail.com>
Sent: Tuesday, July 14, 2020 9:54 AM
To: Jonathan Towles <jjtowles at synterex.com>
Cc: Bryan Mesich <bryan.mesich at digikey.com>; kerberos at mit.edu
Subject: Re: Kerberos Database Sync with Sub-Domains
On Tue, Jul 14, 2020 at 3:37 PM Jonathan Towles <jjtowles at synterex.com> wrote:
>
> I'm working with an application inside of a Docker container that uses GSS to do Kerberos Constrained Delegation.
Constrained Delegation (S4U2Proxy) is a way to get a service ticket, but the client name is determined in a preceding step of getting an initial ticket, which can be done in two ways (only), kinit (AS request) or protocol-transition (S4U2Self), and they both support the use of enterprise names (using client-referrals).
> I'm guessing they need to augment the code.
Could be, in recent krb5 libs you can make use of GSS_KRB5_NT_ENTERPRISE_NAME in gssapi.
> Doing some testing via kinit, I have found that kinit -E only works if the account lives in the parent domain.
>
> If I try to do a kinit -E with their samaccountname or email address, it says they're not found if they are in a child domain.
It should generally work with the UPNs (or samaccountname at realm).