[37488] in Kerberos
Re: Forwardable TGT - Windows vs MIT behavior?
daemon@ATHENA.MIT.EDU (Ray Van Dolson)
Sat Apr 23 13:13:29 2016
Date: Sat, 23 Apr 2016 10:13:00 -0700
From: Ray Van Dolson <rvandolson@esri.com>
To: kerberos@mit.edu
Message-ID: <20160423171300.GA12879@esri.com>
In-Reply-To: <20160423164759.GA12623@esri.com>
On Sat, Apr 23, 2016 at 09:47:59AM -0700, Ray Van Dolson wrote:
> On Sat, Apr 23, 2016 at 09:41:47AM -0700, Ray Van Dolson wrote:
> > Using PuTTY from a domain-joined Windows 7 machine, with that machine's
> > PuTTY stack configured to allow credential delegation and connecting to
> > a RHEL7 server, also joined to AD but *not* configured in AD to be
> > trusted for delegation, I do not get a TGT added to my cache when I
> > connect.
> >
> > However, if I use MIT Kerberos on the Windows side to obtain the ticket
> > and then configure PuTTY to prefer MIT over MS SSPI, and connect to the
> > same RHEL7 machine, I *do* get a forwarded TGT (klist -f: Flags: FfPRA)
> >
> > PuTTY w/ MS SSPI works *if* I go into AD and set the target server up
> > to be configured for delegation trust.
> >
> > Can someone explain the difference in behavior? Almost feels like the
> > ticket the MIT stack is providing to PuTTY is different than the MS
> > stack's ticket.
> >
> > I also see this alluded to elsewhere[1].
> >
> > Thanks,
> > Ray
>
> Apologies for self-reply, but perhaps this is the reason?
>
> http://mailman.mit.edu/pipermail/kerberos/2014-February/019500.html
>
> Ray

Should have kept my search up. Looks like that thread revives a couple
of months later and fully explains things:

http://mailman.mit.edu/pipermail/kerberos/2014-April/019805.html

Sorry for the noise.

Ray