I'm working with an application inside a Docker container that uses GSS to 
do Kerberos Constrained Delegation.

I'm guessing they need to augment the code.

Doing some testing via kinit, I have found that kinit -E only works if the 
account lives in the parent domain.

If I try to do a kinit -E with their sAMAccountName or email address, it says 
they're not found if they are in a child domain.

Jon Towles
CTO, Synterex
(m) 978-609-5545


-----Original Message-----
From: Isaac Boukris <[email protected]> 
Sent: Tuesday, July 14, 2020 9:35 AM
To: Jonathan Towles <[email protected]>
Cc: Bryan Mesich <[email protected]>; [email protected]
Subject: Re: Kerberos Database Sync with Sub-Domains

On Tue, Jul 14, 2020 at 3:22 PM Jonathan Towles <[email protected]> wrote:
>
> So by using enterprise principal names, you can essentially point it at the 
> parent domain KDC, and it can get a ticket for even users in the sub-domains?

Client-referrals are used to locate the realm, see details in RFC 6806.

> That's only something that can be done in the GSS config right? You can't do 
> it in the KRB5.conf file?

For kinit, you just need to pass the '-E' flag, no conf involved.

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
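To make the RFC 6806 client-referral flow Isaac points to concrete, here is a toy model added to this thread (not code from either poster or from MIT krb5) of what `kinit -E` changes in the AS-REQ and how a parent-realm KDC is expected to refer an enterprise name that belongs to a child realm. The realms, accounts and the `FOREST` directory are constructed for illustration; the KDC and client logic are simplified.

```python
# Added example: toy model of RFC 6806 client referrals as used by kinit -E.
# All realms, accounts and directory contents below are constructed.
from dataclasses import dataclass

WRONG_REALM = "KDC_ERR_WRONG_REALM"
UNKNOWN = "KDC_ERR_C_PRINCIPAL_UNKNOWN"

# Constructed forest: each KDC can see which realm owns an enterprise name
# (in AD, via the global catalog) but only issues tickets for its own realm.
FOREST = {
    "PARENT.EXAMPLE.COM": {"alice@parent.example.com": "alice"},
    "CHILD.EXAMPLE.COM": {"bob@child.example.com": "bob"},
}

@dataclass
class AsReq:
    cname: str        # principal string as the client sent it
    enterprise: bool  # NT-ENTERPRISE name type with canonicalize set (kinit -E)
    realm: str        # realm whose KDC receives the request

def kdc(req):
    """Toy KDC for req.realm: returns ("TGT", canonical name) or (error, hint)."""
    accounts = FOREST[req.realm]
    if not req.enterprise:
        # Plain principal: only the local realm is searched, no referral possible
        return ("TGT", req.cname + "@" + req.realm) if req.cname in accounts.values() else (UNKNOWN, None)
    if req.cname in accounts:
        return ("TGT", accounts[req.cname] + "@" + req.realm)
    for realm, accts in FOREST.items():        # global-catalog style lookup
        if req.cname in accts:
            return (WRONG_REALM, realm)         # RFC 6806 sec. 7: error names the true realm
    return (UNKNOWN, None)

def kinit(name, default_realm, enterprise=False, max_referrals=5):
    """Client side: ask the default realm first, then follow WRONG_REALM referrals."""
    realm, tried = default_realm, []
    for _ in range(max_referrals):
        tried.append(realm)
        status, info = kdc(AsReq(name, enterprise, realm))
        if status == "TGT":
            return {"ok": True, "principal": info, "realms_tried": tried}
        if status == WRONG_REALM and info not in tried:
            realm = info                        # retry at the referred realm
            continue
        return {"ok": False, "error": status, "realms_tried": tried}
    return {"ok": False, "error": "referral loop", "realms_tried": tried}
```

With the enterprise flag, an account in the child realm is found after one referral from the parent KDC; without it the request is resolved against the parent realm only.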
