Delegation using GSSAPI in Microsoft Kerberose based realm

ambekar_at_gmail.com
Date: 11/26/05

• Next message: Will: "Re: How to Stop a Service From Impersonating Other Users"
• Previous message: Steven L Umbach: "Re: Login Domain"
• Next in thread: ambekar_at_gmail.com: "Re: Delegation using GSSAPI in Microsoft Kerberose based realm"
• Reply: ambekar_at_gmail.com: "Re: Delegation using GSSAPI in Microsoft Kerberose based realm"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: 26 Nov 2005 04:17:25 -0800

Hello,
I am having Microsoft W2K server based kerberos realm. I have
configured my UNIX machines to this realm. I am able to run most of the
MIT kerberos utilities (klist, kinit, ...). I've written sample
application and sample service (service principal is created in AD as
per interoperability guide from Microsoft). I am able to do kerberos
authentication in this setup. I am using GSSAPI (gss_init_sec_context
on client side and gss_accept_sec_context on service). My final
objective is to make server application impersonate the client. For
this I've created a forwardable and proxyable TGT for the user of
client application. In client application, I am passing
GSS_C_DELEG_FLAG to gss_initi_sec_context. Although,
gss_init_sec_context does not throw any error, the return flag
(indicating the flags used for initialization of security context) does
not contain this flag. As a result, I am not getting any delegated
creds in gss_accept_sec_context. I am using Red Hat Linux and MIT
kerberos. Tickets are obtained using MIT kerberos kinit utility.
Has any one faced similar problem. Is there any known interoperability
issue?
Thanks in advance,
Ashwin

---

• Next message: Will: "Re: How to Stop a Service From Impersonating Other Users"
• Previous message: Steven L Umbach: "Re: Login Domain"
• Next in thread: ambekar_at_gmail.com: "Re: Delegation using GSSAPI in Microsoft Kerberose based realm"
• Reply: ambekar_at_gmail.com: "Re: Delegation using GSSAPI in Microsoft Kerberose based realm"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Kerberos <-> Microsoft Active Directory & DNS ... It's not clear to me what component is doing a reverse lookup. ... What LDAP client with what Kerberos implementation? ... this is MIT Kerberos. ... (comp.protocols.kerberos) Re: Windows 2008 Trust To MIT Kerberos Server ... Windows then obtains a service ticket from the MIT realm with the forwarded and forwardable flags set ... With that TGT from the MIT realm, Windows is now able to obtain an LDAP service ticket from Active Directory ... I'm not a Kerberos expert like some, but I'm fairly sure this is a pretty accurate representation of how this process works. ... I have setup a trust between an Active Directory Domain and a MIT Kerberos Domain. ... (microsoft.public.windows.server.active_directory) Kerberos 5 Security Alert? ... Why wasn't there a FreeBSD security alert for Kerberos 5? ... Vulnerabilities in MIT Kerberos 5 ... arbitrary code on a KDC server, ... (FreeBSD-Security) updated patch: MITKRB5-SA-2007-006: kadmind RPC lib buffer overflow, uninitialized point ... The MIT Kerberos Team has discovered a problem with the originally ... kadmind RPC lib buffer overflow, ... See DETAILS for the expanded CVSSv2 metrics for this vulnerability. ... The MIT krb5 Kerberos administration daemon is vulnerable to ... (comp.protocols.kerberos) Re: Upcoming KfW 3.x ?? ... MIT was hiring a full-time developer for KFW. ... Secure Endpoints does not have a role with regards to MIT's distribution ... 64-bit distributions of MIT KFW do not include Kerberos v4 at all. ... Consortium has not focused significant energy on the Windows platform is ... (comp.protocols.kerberos)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.windows.server.security  > 2005-11