[37792] in Kerberos
RE: Can I automatically cache AD tickets into a file on windows?
daemon@ATHENA.MIT.EDU (Mauro Cazzari)
Sun Nov 20 21:50:29 2016
From: Mauro Cazzari <Mauro.Cazzari@sas.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Date: Mon, 21 Nov 2016 02:50:09 +0000
Message-ID: <f0ec2a4b301d465a892de8790ce09798@MERCMBX45R.na.SAS.com>
In-Reply-To: <20161120211248.GZ86797@kduck.kaduk.org>
Content-Language: en-US
MIME-Version: 1.0
Cc: "Kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Perfect! I'll give it a shot to see if it works in my case.
Thanks!
-----Original Message-----
From: Benjamin Kaduk [mailto:kaduk@mit.edu]
Sent: Sunday, November 20, 2016 4:13 PM
To: Mauro Cazzari <Mauro.Cazzari@sas.com>
Cc: Todd Grayson <tgrayson@cloudera.com>; Kerberos@mit.edu
Subject: Re: Can I automatically cache AD tickets into a file on windows?
On Fri, Nov 18, 2016 at 04:51:03PM +0000, Mauro Cazzari wrote:
> One more thing: if MIT Kerberos is installed, is there a way to populate the KRB5CCNAME cache file automatically when I log on to Windows without having to use a keytab or having to run a kinit under the covers?
MIT KfW does include a utility "ms2mit.exe" that attempts to export kerberos credentials from the Windows LSA to a KfW credentials cache (which by default will be an API: cache but can be configured to be a FILE: cache). However, those attempts will fail in some situations, such as when the user is a local administrator, on recent versions of Windows. Some sites have run ms2mit during the login process to get that sort of behavior; however, in the KfW 4.1 series, the LSA: support is improved and it may be feasible to just use the LSA: cache directly.
-Ben
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
