
Re: Can I automatically cache AD tickets into a file on windows?

daemon@ATHENA.MIT.EDU (Todd Grayson)
Fri Nov 18 12:44:14 2016

In-Reply-To: <051b3c09d14c4e80a2159b7fc3045aa1@MERCMBX45R.na.SAS.com>
From: Todd Grayson <tgrayson@cloudera.com>
Date: Fri, 18 Nov 2016 10:43:54 -0700
Message-ID: <CALNT6MUsjjteJaTce_L+sgpEANbVKRvt53=X5u=TQRqEYWHW-g@mail.gmail.com>
To: Mauro Cazzari <Mauro.Cazzari@sas.com>
Cc: "Kerberos@mit.edu" <kerberos@mit.edu>

You might be able to do some sort of PowerShell script?  I don't think the
KFW has a startup context to it.  The thing is you would need to pass
credentials in somehow, which starts to weaken the integrity of the security
model once you start caching passwords/keytabs.  We should know, Hadoop is
the poster child of poor credential handling (and a ton of work is going
into cleaning that all up).

On Friday, November 18, 2016, Mauro Cazzari <Mauro.Cazzari@sas.com> wrote:

> One more thing: if MIT Kerberos is installed, is there a way to populate
> the KRB5CCNAME cache file automatically when I log on to Windows without
> having to use a keytab or having to run a kinit under the covers?
>
>
>
> *From:* Todd Grayson [mailto:tgrayson@cloudera.com]
> *Sent:* Friday, November 18, 2016 11:34 AM
> *To:* Mauro Cazzari <Mauro.Cazzari@sas.com>
> *Cc:* Kerberos@mit.edu
> *Subject:* Re: Can I automatically cache AD tickets into a file on
> windows?
>
>
>
> From what I understand, the windows SSPI implementation does not provide a
> facility to hold the credentials in a file.  You would use the MIT KFW to
> be able to do that.
>
> On Friday, November 18, 2016, Mauro Cazzari <Mauro.Cazzari@sas.com> wrote:
>
> Kerberos experts,
> Is there a way to automatically cache AD-generated tickets to the file
> provided through the KRB5CCNAME environment variable on Windows without
> having to run a kinit? My understanding is that Windows caches tickets in
> memory (whereas Unix does the same on file). Do I need to install MIT
> Kerberos, or (ideally) can I just use the copy of Kerberos that comes with
> Windows to achieve my goal?
> Thanks!
> Mauro.
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
>
> --
> Todd Grayson
> Business Operations Manager
> Customer Operations Engineering
> Security SME


-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
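The thread stops at "some sort of PowerShell script". As an added example (my code, not anything posted by Todd or Mauro), here is what that script looks like when it avoids both a keytab and an interactive kinit: it uses the `ms2mit.exe` tool that ships with MIT Kerberos for Windows to copy the TGT already held by the Windows LSA into a FILE: credential cache named by KRB5CCNAME. The install path under %ProgramFiles%\MIT\Kerberos, the cache location under %LOCALAPPDATA%, and the idea of running it as a logon script or an "At log on" scheduled task are my assumptions, not something the thread states. Two caveats a practitioner will hit: Windows only releases the TGT session key to ms2mit when the LSA parameter AllowTgtSessionKey is 1 (the script warns if it is not), and Credential Guard blocks that export altogether. Once the copy succeeds, the file carries the TGT and its session key, which is exactly the "caching credentials weakens the model" point Todd makes, so the script locks the file's ACL down to the current user.

```powershell
# Added example: populate a MIT KFW FILE: ccache from the Windows LSA ticket cache at logon.
# Assumptions (mine, not from the thread): MIT Kerberos for Windows is installed under
# %ProgramFiles%\MIT\Kerberos and this runs in the interactive user's context, for example
# from a logon script or a scheduled task triggered "At log on".
$ErrorActionPreference = 'Stop'

$kfwBin = Join-Path $env:ProgramFiles 'MIT\Kerberos\bin'
$ms2mit = Join-Path $kfwBin 'ms2mit.exe'
$klist  = Join-Path $kfwBin 'klist.exe'
if (-not (Test-Path $ms2mit)) { throw "MIT Kerberos for Windows not found at $kfwBin" }

# The LSA only hands the TGT session key to ms2mit when this parameter is 1; without it
# the copied TGT has no session key and cannot be used to request service tickets.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$allow  = (Get-ItemProperty -Path $lsaKey -Name AllowTgtSessionKey -ErrorAction SilentlyContinue).AllowTgtSessionKey
if ($allow -ne 1) {
    Write-Warning 'AllowTgtSessionKey is not 1: the exported TGT will lack its session key.'
}

# Per-user cache file inside the profile, not a shared temp directory (assumed location).
$ccDir = Join-Path $env:LOCALAPPDATA 'krb5'
New-Item -ItemType Directory -Path $ccDir -Force | Out-Null
$ccFile = Join-Path $ccDir 'krb5cc'
$env:KRB5CCNAME = "FILE:$ccFile"   # ms2mit writes to the default ccache, which KRB5CCNAME selects

& $ms2mit
if ($LASTEXITCODE -ne 0) {
    throw "ms2mit failed (exit $LASTEXITCODE): no Kerberos logon session, or session key export blocked?"
}

# The file now holds the TGT and its session key: disable inheritance, drop every
# existing entry, and grant access to the current user only.
$acl = Get-Acl -Path $ccFile
$acl.SetAccessRuleProtection($true, $false)
foreach ($entry in @($acl.Access)) { $acl.RemoveAccessRule($entry) | Out-Null }
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $ccFile -AclObject $acl

# Make KRB5CCNAME visible to the user's later processes, then show what landed in the cache.
[Environment]::SetEnvironmentVariable('KRB5CCNAME', "FILE:$ccFile", 'User')
& $klist
```

Before deploying this, compare `klist -c MSLSA:` (the LSA-backed cache type KFW exposes) with `klist` after the run to confirm the TGT and its session key were copied. The trade-off remains the one Todd describes: the LSA keeps the TGT in memory and out of reach of ordinary file reads, while the FILE: cache is readable by any process running as that user, so the ACL above limits exposure but does not remove it.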
