[6853] in Kerberos
Re: Using DCE secd as a Kerberos 5 KDC (fwd)
daemon@ATHENA.MIT.EDU (V.Sander)
Fri Mar 8 10:33:21 1996
To: kerberos@MIT.EDU
Date: 8 Mar 1996 14:35:31 GMT
From: zdv123@zam092.zam.kfa-juelich.de (V.Sander)
Hello,

I am working on a project concerning the use of forwardable tickets
gotten from DCE's secd.

I use Kerberos V5 B5 (with ANL-patches) with Transarc's DCE 1.1 under
Solaris 2.4 and all works if you use the Kerberos-API.

The problem is that Doug Engert's (great!!) k5dcelogin
(ftp://achilles.ctd.anl.gov/pub/kerberos.v5) does not find the external
TGT in the ticket cache. I've reported this error to Transarc but no result
until now, though it is very easy to reproduce the error.

1.) (DCE-)Login to your DCE system
2.) Destroy your cache file
    (one easy way to achieve this is calling
    "k5dcelogin user", which will execute
    krb5_cc_destroy(..))
3.) Run kinit -fp user
    (this is the same as if you would
    try to use an external TGT)
4.) Again call k5dcelogin user
    --> Unable to validate user@cell because Registry server unavailable (dce / sec)

So if one uses the Kerberos-API, one is able to use secd (DCE 1.1) as a KDC.
But one is not able to convert this TGT to a DCE-Login until now.

Hopefully Transarc will support the sec_login_validate_identity()
call with a Null-Password soon.

Volker