On 20/09/12 21:47, Greg Hudson wrote:
> On 09/19/2012 04:07 PM, Jack Neely wrote:
>> How can I configure a RHEL 6 Kerberos client to use PREAUTH on the
>> initial AS_REQ? (We are just using PA-ENC-TIMESTAMP.)
> Unfortunately, you can't, unless you control the code which is getting
> initial tickets. If you're just using stock kinit or the like, there's
> no runtime configuration option to do optimistic preauthentication.
>
> If you do control the code which is getting initial tickets, you can use
> krb5_get_init_creds_opt_set_preauth_list() to set a list of preauth
> types to try optimistically.

Hi,

check the following commit I performed some weeks ago, as part of my GSS Preauth plugin. I needed exactly the same so I implemented the functionality.

https://github.com/alejandro-perez/krb5/commit/026b76a1208b4e3304e9477a897c6fb798cbc661

After applying this patch, just use -u option with the PA_DATA number along with your "kinit" command, as explained in this file

https://github.com/alejandro-perez/krb5/blob/gsspreauth/src/plugins/preauth/gssapi/README.txt

Regards

>
>> As my 1.6.1 KDC doesn't support the PA-REQ-ENC-PA-REP extension,
>> shouldn't it be ignoring the preauth data rather than returning an
>> error?
> It should, and a 1.7 or later KDC will do so.
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
