Do you have an idea why I can't get t_s4u test program in 1.11.1 running against Windows 2008 R2 SP 1?
Setup comments from t_s4u.c:

/*
 * Test program for protocol transition (S4U2Self) and constrained delegation
 * (S4U2Proxy)
 *
 * Note: because of name canonicalization, the following tips may help
 * when configuring with Active Directory:
 *
 * - Create a computer account FOO$
 * - Set the UPN to host/foo.domain (no suffix); this is necessary to
 *   be able to send an AS-REQ as this principal, otherwise you would
 *   need to use the canonical name (FOO$), which will cause principal
 *   comparison errors in gss_accept_sec_context().
 * - Add a SPN of host/foo.domain
 * - Configure the computer account to support constrained delegation with
 *   protocol transition (Trust this computer for delegation to specified
 *   services only / Use any authentication protocol)
 * - Add host/foo.domain to the keytab (possibly easiest to do this
 *   with ktadd)
 *
 * For S4U2Proxy to work the TGT must be forwardable too.
 *
 * Usage eg:
 *
 * kinit -k -t test.keytab -f 'host/[email protected]'
 * ./t_s4u p:[email protected] p:HOST/[email protected] test.keytab
 */

>> Set the UPN to host/foo.domain (no suffix)

I can't do this step; if I don't put @TOPHERVILLE.COM at the end of the UPN, then I can't do a kinit with the impersonator account.

-Christopher

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Nebergall, Christopher
Sent: Tuesday, March 12, 2013 3:04 PM
To: Greg Hudson
Cc: [email protected]
Subject: RE: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching

Thank you, I believe that will be very helpful, but I'm unable to test because, while I could get constrained delegation working with the t_s4u test program in 1.10.3, I can't get the test program to work with the same accounts in 1.11.1. The test AD server is Windows 2008 R2 SP1 in both cases.

./t_s4u p:[email protected] p:host/[email protected] /tmp/kcd_keytab_tv
Protocol transition tests follow
-----------------------------------
gss_acquire_cred_impersonate_name: Unspecified GSS failure.  Minor code may provide more information
gss_acquire_cred_impersonate_name: KDC has no support for padata type

-Christopher

-----Original Message-----
From: Greg Hudson [mailto:[email protected]]
Sent: Monday, March 11, 2013 10:44 PM
To: Nebergall, Christopher
Cc: [email protected]
Subject: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching

On 03/11/2013 08:23 PM, Nebergall, Christopher wrote:
> Does anyone have any tips on copying the credentials created from Kerberos
> constrained delegation to a credentials cache file and back in again?

This is only possible with 1.11 or later. We use the subject principal as the default ccache principal, and set a ccache config variable to remember the impersonating service principal. More details at:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=7046

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
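The Active Directory side of the t_s4u.c checklist quoted in the thread, as an added PowerShell example. This is not code from the thread, from MIT krb5 or from Microsoft; it is written against the RSAT ActiveDirectory cmdlets (New-ADComputer, Set-ADComputer, Set-ADAccountControl, Get-ADComputer). The domain TOPHERVILLE.COM, the account FOO$ for host foo.topherville.com and the delegation target HOST/backend.topherville.com are all assumed names for illustration. Step 2 writes userPrincipalName as an LDAP attribute rather than through the Users and Computers dialog, which is where the "must have a suffix" requirement lives; the keytab itself is still produced on the MIT side with ktadd, as the comment suggests.

```powershell
# Added example (not from the thread or MIT krb5): Active Directory side of the
# t_s4u.c checklist. All names below are assumptions for illustration.
Import-Module ActiveDirectory

$Name   = 'FOO'                            # computer account FOO$
$Fqdn   = 'foo.topherville.com'            # host the account represents
$Target = 'HOST/backend.topherville.com'   # assumed S4U2Proxy target service
$Sam    = $Name + '$'

# 1. Create the computer account FOO$ if it does not exist yet.
if (-not (Get-ADComputer -Filter "sAMAccountName -eq '$Sam'")) {
    New-ADComputer -Name $Name -SAMAccountName $Sam -Enabled $true
}

# 2. UPN host/foo.domain with no realm suffix. The Users and Computers dialog
#    insists on a suffix; writing the attribute directly does not.
Set-ADComputer -Identity $Sam -UserPrincipalName "host/$Fqdn"

# 3. SPN host/foo.domain so the KDC issues service tickets for this name.
Set-ADComputer -Identity $Sam -ServicePrincipalNames @{Add = "host/$Fqdn"}

# 4. "Trust this computer for delegation to specified services only" is the
#    msDS-AllowedToDelegateTo list; "Use any authentication protocol" is the
#    TRUSTED_TO_AUTH_FOR_DELEGATION bit (0x1000000) in userAccountControl.
Set-ADComputer -Identity $Sam -Add @{'msDS-AllowedToDelegateTo' = $Target}
Set-ADAccountControl -Identity $Sam -TrustedToAuthForDelegation $true

# 5. Read everything back and check each setting the comment calls for.
$props = 'userPrincipalName', 'servicePrincipalName',
         'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation'
$acct  = Get-ADComputer -Identity $Sam -Properties $props

$checks = [ordered]@{
    'UPN has no realm suffix'     = ($acct.userPrincipalName -eq "host/$Fqdn")
    'SPN host/fqdn present'       = ($acct.servicePrincipalName -contains "host/$Fqdn")
    'delegation target listed'    = ($acct.'msDS-AllowedToDelegateTo' -contains $Target)
    'protocol transition enabled' = ($acct.TrustedToAuthForDelegation -eq $true)
}
foreach ($k in $checks.Keys) {
    '{0,-30} {1}' -f $k, $(if ($checks[$k]) { 'OK' } else { 'MISSING' })
}
```

Two caveats worth keeping in mind. First, with TRUSTED_TO_AUTH_FOR_DELEGATION set, this account can obtain service tickets for any domain user to every service in msDS-AllowedToDelegateTo without that user ever authenticating, so keep the target list minimal and protect the keytab like a domain credential. Second, the comment's note that the TGT must be forwardable applies on the MIT side: after `kinit -k -t test.keytab -f 'host/foo.topherville.com@TOPHERVILLE.COM'`, `klist -f` should show the F flag on the TGT before t_s4u is run, otherwise S4U2Proxy fails even when the AD settings above are correct.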
