I got it to work if I reference the UPN in the command. The application is doing AS-Requests.
I'm guessing that they need to change the code, as that needs to be applied in the GSS Kerberos H file, right?

Jon Towles
CTO, Synterex
(m) 978-609-5545

-----Original Message-----
From: Isaac Boukris <[email protected]>
Sent: Tuesday, July 14, 2020 9:54 AM
To: Jonathan Towles <[email protected]>
Cc: Bryan Mesich <[email protected]>; [email protected]
Subject: Re: Kerberos Database Sync with Sub-Domains

On Tue, Jul 14, 2020 at 3:37 PM Jonathan Towles <[email protected]> wrote:
>
> I'm working with an application inside of a Docker container that uses GSS to
> do Kerberos Constrained Delegation.

Constrained Delegation (S4U2Proxy) is a way to get a service ticket, but the client name is determined in a preceding step of getting an initial ticket, which can be done in two ways (only): kinit (AS request) or protocol transition (S4U2Self), and they both support the use of enterprise names (using client referrals).

> I'm guessing they need to augment the code.

Could be; in recent krb5 libs you can make use of GSS_KRB5_NT_ENTERPRISE_NAME in gssapi.

> Doing some testing via kinit, I have found that kinit -E only works if the
> account lives in the parent domain.
>
> If I try to do a kinit -E with their samaccountname or email address, it says
> they're not found if they are in a child domain.

It should generally work with the UPNs (or samaccountname@realm).

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
