Re: [modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.



Hi Markus

Yes, that is what I want. I need the KRB5CCNAME (the credential) so I can
log in to my OpenLDAP SASL-based server and PostgreSQL with Kerberos.

/Mikkel

On Mon, 2007-07-23 at 19:33 +0100, Markus Moeller wrote:



Storing credentials in a krb5 cache pointing to KRB5CCNAME has nothing
to do with delegation. You only need delegation if you want Apache to
log into a backend application with the user's ID. Is that what
you want? If so, you need to be very careful, as it gives your Apache
server a lot of power if you don't use constrained delegation. You
need to protect it like a domain controller !!!

Markus

"Mikkel Kruse Johnsen" <mikkel@xxxxxxxx> wrote in message
news:1184745677.3078.5.camel@xxxxxxxxxxxxxxxxx

Hi All

That did the trick: recompiling krb5-1.5 (on RHEL5 64-bit) with
that patch.

Now I only have the problem that mod_auth_kerb doesn't write my
credentials to KRB5CCNAME (in PHP).

My "kerbtray" under Windows says it is Forwardable but no "Ok
to delegate", so I guess that is the problem.

Under Linux they are forwardable.

------
[mkj@tux ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@xxxxxx

Valid starting Expires Service principal
07/18/07 09:16:49 07/18/07 19:16:55 krbtgt/HHK.DK@xxxxxx
renew until 07/19/07 09:16:49, Flags: FRIA
07/18/07 09:17:06 07/18/07 19:16:55 krbtgt/CBS.DK@xxxxxx
renew until 07/19/07 09:16:49, Flags: FRAO
07/18/07 09:17:04 07/18/07 19:16:55 HTTP/sugi.cbs.dk@xxxxxx
renew until 07/18/07 09:17:04, Flags: FRAT
07/18/07 09:35:35 07/18/07 19:16:55 host/sugi.cbs.dk@xxxxxx
renew until 07/18/07 09:35:35, Flags: FRAT


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
--------


I found out how to set ok-as-delegate for Heimdal; how is this done
for MIT Kerberos?

And how is it done under MS AD?

/Mikkel


On Tue, 2007-07-17 at 21:25 +0200, Achim Grolms wrote:

> On Tuesday 17 July 2007 09:41, Mikkel Kruse Johnsen wrote:
>
> > gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
> > may provide more information (Cannot allocate memory)
>
> What OS and what Kerberos libs do you use?
> Background of this question:
>
> I've seen this error message "Cannot allocate memory"
> (and its solution) in
>
> <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>
>
> Achim

Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: mikkel@xxxxxxxx
www: http://www.linet.dk
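One way to check the delegation question from the client side, as an added example that is not part of this thread and not code from mod_auth_kerb: a small Python script that parses `klist -f` output, expands the single-letter flags, and lists service tickets that are forwardable but carry no ok-as-delegate (`O`) flag. The sample input is constructed, modelled on the cache quoted above, with `EXAMPLE.REALM` and the client principal `user` as placeholders. In that cache the cross-realm TGT `krbtgt/CBS.DK` shows `FRAO` while `HTTP/sugi.cbs.dk` shows only `FRAT`; a Windows SSPI client forwards the user's TGT only to a service whose ticket carries OK-AS-DELEGATE, which is why kerbtray reports "Forwardable" but no "Ok to delegate" and why Apache ends up with no delegated credential to place in KRB5CCNAME.

```python
"""Parse `klist -f` output and report service tickets a client will not delegate to."""
import re
from dataclasses import dataclass
from typing import List

# Single-letter ticket flags printed by MIT `klist -f` (subset relevant to
# forwarding and delegation; see the klist man page for the full list).
FLAG_NAMES = {
    "F": "forwardable",
    "f": "forwarded",
    "P": "proxiable",
    "R": "renewable",
    "I": "initial",
    "A": "preauthenticated",
    "T": "transit-policy-checked",
    "O": "ok-as-delegate",
}

# Constructed sample, modelled on the cache quoted in the thread. The realm
# EXAMPLE.REALM and the principal "user" are placeholders, not real values.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: user@EXAMPLE.REALM

Valid starting     Expires            Service principal
07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK@EXAMPLE.REALM
        renew until 07/19/07 09:16:49, Flags: FRIA
07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK@EXAMPLE.REALM
        renew until 07/19/07 09:16:49, Flags: FRAO
07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk@EXAMPLE.REALM
        renew until 07/18/07 09:17:04, Flags: FRAT
07/18/07 09:35:35  07/18/07 19:16:55  host/sugi.cbs.dk@EXAMPLE.REALM
        renew until 07/18/07 09:35:35, Flags: FRAT
"""

# A ticket line starts with two MM/DD/YY HH:MM:SS timestamps and then the
# service principal; the flags follow on the same or the next line.
TICKET_RE = re.compile(
    r"^(?P<start>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<expires>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<service>\S+)"
)
FLAGS_RE = re.compile(r"Flags:\s*(?P<flags>[A-Za-z]*)")


@dataclass
class Ticket:
    service: str
    flags: str = ""

    def has(self, flag: str) -> bool:
        return flag in self.flags

    def describe(self) -> List[str]:
        """Expand the flag letters into their names, in the order printed."""
        return [FLAG_NAMES.get(c, "unknown:" + c) for c in self.flags]


def parse_klist(text: str) -> List[Ticket]:
    """Turn `klist -f` text into one Ticket per service principal."""
    tickets: List[Ticket] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = TICKET_RE.match(line)
        if m:
            current = Ticket(service=m.group("service"))
            tickets.append(current)
        # Flags may sit on the ticket line itself or on the following
        # "renew until ..., Flags: ..." line; both cases land here.
        fm = FLAGS_RE.search(line)
        if fm and current is not None:
            current.flags = fm.group("flags")
    return tickets


def not_delegatable(tickets: List[Ticket]) -> List[str]:
    """Service tickets (TGTs excluded) that are forwardable but lack ok-as-delegate.

    A Windows SSPI client will not forward the user's TGT to such a service,
    so a Negotiate login to it leaves no delegated credential on the server.
    """
    return [
        t.service for t in tickets
        if not t.service.startswith("krbtgt/") and t.has("F") and not t.has("O")
    ]


if __name__ == "__main__":
    cache = parse_klist(SAMPLE_KLIST)
    for t in cache:
        print(f"{t.service:36} {t.flags:6} {', '.join(t.describe())}")
    print("client will not delegate to:", not_delegatable(cache))
```

To run it against a live cache instead of the sample, feed it the stdout of `klist -f` (for example via `subprocess.run(["klist", "-f"], capture_output=True, text=True).stdout`); the script only reads the listing and never touches the cache itself. An empty result from `not_delegatable` means every forwardable service ticket already has the `O` flag, so a missing KRB5CCNAME on the server has a different cause.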



_______________________________________________
modauthkerb-help mailing list
modauthkerb-help@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/modauthkerb-help

Mikkel Kruse Johnsen
Adm.Dir.

Linet
Ørholmgade 6 st tv
Copenhagen N 2200
Denmark

Work: +45 21287793
Mobile: +45 21287793
Email: mikkel@xxxxxxxx
IM: mikkel@xxxxxxxx (MSN)
Professional Profile: Healthcare Network Consultant.

