[17417] in Kerberos_V5_Development


S4U cross realm error

daemon@ATHENA.MIT.EDU (Mukul Agarwal)
Mon Nov 21 11:59:04 2011

From: Mukul Agarwal <Mukul.Agarwal@citrix.com>
To: "krbdev@mit.edu" <krbdev@mit.edu>
Date: Mon, 21 Nov 2011 21:53:50 +0530
Message-ID: <F903CD64D5FE5B47878921870531C180F11A6A4DF7@BANPMAILBOX01.citrite.net>

Dear Kerberos experts,

I am working on a use case of constrained delegation wherein I am
trying to get a service ticket for a service using a delegated user on
behalf of an end user. I am experimenting with this using the "kvno"
tool, where I am getting the correct service ticket if the user and
service are in the same realm.

However, I am getting the following error for the cross-realm scenario
when the end user and service are in different domains (I have set up a
2-way trust for this).
>kinit -f delegate_user@FOREST2.COM
>kvno -k delegate.keytab -U test1@FOREST1.COM -P cifs/machine-forest2.forest2.com@FOREST2.COM
kvno: Server not found in Kerberos database while getting credentials
for cifs/machine-forest2.forest2.com@FOREST2.COM

Here "delegated_user" (part of forest2) is trying to get a service ticket
for CIFS (in forest2) on behalf of user "test1" (in forest1).

Any help is appreciated.

TIA,
Mukul


_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
