[16253] in Kerberos_V5_Development


testing s4u with windows 2008

daemon@ATHENA.MIT.EDU (Weijun Wang)
Fri Sep 10 03:46:48 2010

Date: Fri, 10 Sep 2010 15:46:14 +0800
From: Weijun Wang <Weijun.Wang@sun.com>
To: "krbdev@mit.edu" <krbdev@mit.edu>, kerberos-iteam@sun.com
Message-id: <4C89E246.3000001@sun.com>

Hi All

I'm reading http://k5wiki.kerberos.org/wiki/Manual_Testing and want to
try out the "Services4User testing" part.

The following is my understanding of the procedure. Sorry, I'm not 
familiar with Kerberos on Windows. My Windows domain is "EIGHT.LOCAL", 
and my krb5 1.8.3 is installed on Linux.

>
> A test for Services4User can be found in tests/gssapi/t_s4u.c. You
> will need a W2K3 or higher AD domain to test this. Notes follow:

> Create a computer account FOO$ using Active Directory Users &
> Computers (ADUC)

I guess this means creating a new "computer" named "foo" even if there 
is no such computer.

> Set the UPN to host/foo.domain (no suffix); this is necessary to be
> able to send an AS-REQ as this principal, otherwise you would need
> to use the canonical name (FOO$), which will cause principal
> comparison errors in gss_accept_sec_context() (note: apparently only
> W2K8 supports suffix-less UPNs; you should use the domain as a suffix
> for earlier versions). There is an attribute editor in the W2K8 ADUC
> that lets you do this, otherwise you will need to use LDP.exe or a
> generic LDAP client.

So I turn on Windows 2008 ADUC "Advanced Features" and set the 
userPrincipalName attribute of foo to host/foo.eight.local

> Add a SPN of host/foo.domain. (Again, you can use ADUC in W2K8, or
> LDP.exe/generic client.)

In the same attribute editor, add host/foo.eight.local to the 
servicePrincipalName attribute (a list).

> Configure the computer account to support constrained delegation
> with protocol transition (Trust this computer for delegation to
> specified services only / Use any authentication protocol)

This is in ADUC, and I add a random service name -- http/xp.eight.local, 
where xp is a real machine in the domain.

> Add host/foo.domain to the keytab (possibly easiest to do this
> manually with ktadd)

ktadd of kadmin? I have no idea how to use kadmin to manage a Windows 
server. Is there an alternative method using ktpass on Windows?

> kinit -k -t test.keytab -f 'host/test.win.mit.edu@WIN.MIT.EDU'
> ./t_s4u delegtest@WIN.MIT.EDU HOST/winhost.win.mit.edu@WIN.MIT.EDU test.keytab

I cannot reach these steps yet.

Thanks
Weijun

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
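As an added example, not from this post or the k5wiki page: a Python check of the AD attributes behind the ADUC steps quoted above (suffix-less UPN, SPN, and the "delegation to specified services only / any authentication protocol" tab), the kind of review to run against the FOO$ computer account before trusting it with protocol transition. It assumes the LDAP entry has already been fetched into a dict; the sample entries are constructed, and the host_fqdn parameter is a name chosen here.

```python
# Added checker for the AD computer-account settings the quoted procedure asks for.
# userAccountControl bit values are the documented ADS_UF_* flags; entries are constructed.
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation; not what the procedure wants
WORKSTATION_TRUST_ACCOUNT = 0x1000          # set on computer accounts such as FOO$

def check_s4u_account(entry, host_fqdn):
    """Return deviations from the procedure for one LDAP entry (dict of AD attribute -> value(s));
    an empty list means the account is set up as described. host_fqdn is the fake host's FQDN."""
    problems = []
    want = "host/" + host_fqdn.lower()
    upn = str(entry.get("userPrincipalName", "")).lower()
    if upn != want:  # the W2K8 note asks for a suffix-less UPN equal to the SPN
        problems.append("userPrincipalName is %r, expected suffix-less %r" % (upn, want))
    if want not in [s.lower() for s in entry.get("servicePrincipalName", [])]:
        problems.append("servicePrincipalName lacks %r" % want)
    uac = int(entry.get("userAccountControl", 0))
    if not uac & WORKSTATION_TRUST_ACCOUNT:
        problems.append("not a computer account (WORKSTATION_TRUST_ACCOUNT unset)")
    if not uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        problems.append("protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION) not enabled")
    if uac & TRUSTED_FOR_DELEGATION:
        problems.append("unconstrained delegation (TRUSTED_FOR_DELEGATION) set; test wants constrained")
    if not entry.get("msDS-AllowedToDelegateTo"):
        problems.append("msDS-AllowedToDelegateTo empty: no 'specified services' configured")
    return problems

# Constructed sample: the account as the procedure describes it (domain EIGHT.LOCAL).
GOOD_ENTRY = {
    "sAMAccountName": "FOO$",
    "userPrincipalName": "host/foo.eight.local",
    "servicePrincipalName": ["host/foo.eight.local", "HOST/FOO"],
    "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
    "msDS-AllowedToDelegateTo": ["http/xp.eight.local"],
}

# Constructed sample: suffixed UPN, SPN missing, unconstrained delegation, no target list.
BAD_ENTRY = {
    "sAMAccountName": "FOO$",
    "userPrincipalName": "host/foo.eight.local@EIGHT.LOCAL",
    "servicePrincipalName": ["HOST/FOO"],
    "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
    "msDS-AllowedToDelegateTo": [],
}

if __name__ == "__main__":
    for name, entry in (("good", GOOD_ENTRY), ("bad", BAD_ENTRY)):
        print(name, check_s4u_account(entry, "foo.eight.local") or "OK")
```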
