[38244] in Kerberos

home help back first fref pref prev next nref lref last post

Question about TGT forwarding

daemon@ATHENA.MIT.EDU (Jason Edgecombe)
Thu May 31 16:51:35 2018

MIME-Version: 1.0
From: Jason Edgecombe <jwedgeco@uncc.edu>
Date: Thu, 31 May 2018 16:50:36 -0400
Message-ID: <CAAR6MGBixWyjUpoV5X0eEaJxPg2P+8gXktHNy5m3TU71mk_J5Q@mail.gmail.com>
To: Kerberos List <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi everyone,

We're noticing some odd behaviour on our Windows clients where the Windows
clients are not forwarding the TGT to our Linux servers. People can login
to the Linux servers from windows clients, but "klist" shows no tickets
after login. Linux clients forward the TGT just fine. In case it matters,
we just moved our Linux home directories from a NAS with Kerberized SMB to
a Linux NFS server with Kerberized NFS. I've had to disable GSSAPI
authentication in openssh so that windows users can still get tickets on
the remote end.

I have a disagreement with our AD guru on whether or not TGTs are expected
to be forwarded and if that is a security risk. Everything worked fine a
few weeks ago.

Any help is appreciated.

Thanks,
Jason
---------------------------------------------------------------------------
Jason Edgecombe | Linux Administrator
UNC Charlotte | The William States Lee College of Engineering
9201 University City Blvd. | Charlotte, NC 28223-0001
Phone: 704-687-1943
jwedgeco@uncc.edu | http://engr.uncc.edu |  Facebook
---------------------------------------------------------------------------
If you are not the intended recipient of this transmission or a person
responsible for delivering it to the intended recipient, any disclosure,
copying, distribution, or other use of any of the information in this
transmission is strictly prohibited. If you have received this transmission
in error, please notify me immediately by reply e-mail or by telephone at
704-687-1943.  Thank you.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post