testing s4u with windows 2008

Weijun Wang Weijun.Wang at sun.com
Fri Sep 10 03:46:14 EDT 2010


Hi All

I'm reading http://k5wiki.kerberos.org/wiki/Manual_Testing and want to
try out the "Services4User testing" part.

The following is my understanding of the procedure. Sorry I'm not 
familiar with Kerberos on Windows. My Windows domain is "EIGHT.LOCAL", 
and my krb5 1.8.3 is installed on Linux.

> A test for Services4User can be found in tests/gssapi/t_s4u.c. You
> will need a W2K3 or higher AD domain to test this. Notes follow:

> Create a computer account FOO$ using Active Directory Users &
> Computers (ADUC)

I guess this means creating a new "computer" named "foo" even if there 
is no such computer.

> Set the UPN to host/foo.domain (no suffix); this is necessary to be
> able to send an AS-REQ as this principal, otherwise you would need
> to use the canonical name (FOO$), which will cause principal
> comparison errors in gss_accept_sec_context() (note: apparently only
> W2K8 supports suffix-less UPNs; you should use the domain as a suffix
> for earlier versions). There is an attribute editor in the W2K8 ADUC
> that lets you do this, otherwise you will need to use LDP.exe or a
> generic LDAP client.

So I turn on Windows 2008 ADUC "Advanced Features" and set the 
userPrincipalName attribute of foo to host/foo.eight.local.

> Add a SPN of host/foo.domain. (Again, you can use ADUC in W2K8, or
> LDP.exe/generic client.)

In the same attribute editor, add host/foo.eight.local to the 
servicePrincipalName attribute (a list).

> Configure the computer account to support constrained delegation
> with protocol transition (Trust this computer for delegation to
> specified services only / Use any authentication protocol)

This is in ADUC, and I add a random service name -- http/xp.eight.local, 
where xp is a real machine in the domain.

> Add host/foo.domain to the keytab (possibly easiest to do this
> manually with ktadd)

ktadd of kadmin? I have no idea how to use kadmin to manage a Windows 
server. Is there an alternative method using ktpass on Windows?

> kinit -k -t test.keytab -f 'host/test.win.mit.edu@WIN.MIT.EDU'
> ./t_s4u delegtest@WIN.MIT.EDU HOST/winhost.win.mit.edu@WIN.MIT.EDU test.keytab

I cannot reach these steps yet.

Thanks
Weijun
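The ADUC steps quoted in this mail (suffix-less UPN, SPN, "delegation to specified services only / use any authentication protocol") map onto a handful of LDAP attributes on the computer account. The following is an added example, not code from the mail or from the k5wiki page: it writes those steps out as an LDIF modify and audits an account's attributes against the same checklist. The attribute names and userAccountControl bit values are AD's own; the DN, host name and delegation target are constructed to match the EIGHT.LOCAL setup described above.

```python
# userAccountControl flag values as defined in the Active Directory schema.
WORKSTATION_TRUST_ACCOUNT = 0x00001000       # computer account (FOO$)
TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation (not wanted here)
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # "Use any authentication protocol"


def s4u_ldif(dn, host, domain, targets, current_uac):
    """LDIF modify that reproduces the UPN/SPN/delegation steps for one account.

    host is the short computer name ("foo"), domain the DNS domain
    ("eight.local"), targets the SPNs allowed for S4U2Proxy, current_uac the
    account's existing userAccountControl (the GUI ORs the bit in, it does not
    overwrite the other flags)."""
    upn = f"host/{host}.{domain}"            # suffix-less, as the wiki requires
    # "specified services only" means protocol transition on, unconstrained off.
    uac = (current_uac | TRUSTED_TO_AUTH_FOR_DELEGATION) & ~TRUSTED_FOR_DELEGATION
    lines = [f"dn: {dn}", "changetype: modify",
             "replace: userPrincipalName", f"userPrincipalName: {upn}", "-",
             "add: servicePrincipalName", f"servicePrincipalName: {upn}", "-",
             "replace: msDS-AllowedToDelegateTo"]
    lines += [f"msDS-AllowedToDelegateTo: {t}" for t in targets]
    lines += ["-", "replace: userAccountControl", f"userAccountControl: {uac}", "-"]
    return "\n".join(lines) + "\n"


def audit_s4u_account(attrs, host, domain):
    """Return the problems that would break the t_s4u test (empty list = OK).

    attrs is a dict of attribute name -> list of values, as an LDAP search
    returns them."""
    expected = f"host/{host}.{domain}"
    problems = []
    upn = attrs.get("userPrincipalName", [""])[0]
    if upn != expected:                      # a suffixed UPN trips gss_accept_sec_context()
        problems.append(f"userPrincipalName is {upn!r}, expected {expected!r}")
    if expected not in attrs.get("servicePrincipalName", []):
        problems.append(f"servicePrincipalName lacks {expected}")
    if not attrs.get("msDS-AllowedToDelegateTo"):
        problems.append("msDS-AllowedToDelegateTo is empty (no S4U2Proxy targets)")
    uac = int(attrs.get("userAccountControl", ["0"])[0])
    if not uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        problems.append("protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION) not set")
    if uac & TRUSTED_FOR_DELEGATION:
        problems.append("unconstrained delegation is set; use constrained delegation only")
    return problems


if __name__ == "__main__":
    # Constructed values matching the EIGHT.LOCAL setup in the mail.
    print(s4u_ldif("CN=foo,CN=Computers,DC=eight,DC=local", "foo", "eight.local",
                   ["http/xp.eight.local"], WORKSTATION_TRUST_ACCOUNT))
```

The audit function is also a quick way to list which computer accounts in a domain have protocol transition enabled, since that bit is what lets the account obtain tickets for arbitrary users without their credentials.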
