You asked how to do this in AD... An AD admin sets the TRUSTED_FOR_DELEGATION bit in UserAccountControl for the server. But not just any admin can set this; who can set the bit is controlled by a group control policy on the DC. In 2000 you had to edit a file. In 2003 there is a way to set it; see below.
UserAccountControl definitions:
http://support.microsoft.com/kb/305144

Some pointers to trusted for delegation:
http://support.microsoft.com/kb/250874
http://support.microsoft.com/kb/322143/EN-US/
http://technet2.microsoft.com/windowsserver/en/library/72612d01-622c-46b7-ab4a-69955d0687c81033.mspx?mfr=true

Enable computer and user accounts to be trusted for delegation:
http://technet2.microsoft.com/windowsserver/en/library/a9fd0aa2-301c-42b3-a7b1-2595631c389f1033.mspx?mfr=true

Mikkel Kruse Johnsen wrote:
> Hi All
>
> That did the trick, recompiling krb5-1.5 (on RHEL5 64bit) with that
> patch.
>
> Now I only have the problem that mod_auth_kerb doesn't write my
> credentials to KRB5CCNAME (in PHP).
>
> My "kerbtray" under windows says it is Forwardable but no "Ok to
> delegate", so I guess that is the problem.
>
> Under linux they are forwardable.
>
> ------
> [EMAIL PROTECTED] ~]$ klist -f
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/[EMAIL PROTECTED]
>         renew until 07/19/07 09:16:49, Flags: FRIA
> 07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/[EMAIL PROTECTED]
>         renew until 07/19/07 09:16:49, Flags: FRAO
> 07/18/07 09:17:04  07/18/07 19:16:55  HTTP/[EMAIL PROTECTED]
>         renew until 07/18/07 09:17:04, Flags: FRAT
> 07/18/07 09:35:35  07/18/07 19:16:55  host/[EMAIL PROTECTED]
>         renew until 07/18/07 09:35:35, Flags: FRAT
>
>
> Kerberos 4 ticket cache: /tmp/tkt500
> klist: You have no tickets cached
> --------
>
>
> I found how to set ok-as-delegate for heimdal; how is this done for MIT
> kerberos?
>
> And how is it done under MS AD?
>
> /Mikkel
>
>
> On Tue, 2007-07-17 at 21:25 +0200, Achim Grolms wrote:
>
>> On Tuesday 17 July 2007 09:41, Mikkel Kruse Johnsen wrote:
>>
>>> gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
>>> may provide more information (Cannot allocate memory)
>> What OS and what Kerberos libs do you use?
>> Background of this question:
>>
>> I've seen this error message "Cannot allocate memory"
>> (and its solution) in
>>
>> <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>
>>
>> Achim
>
> Mikkel Kruse Johnsen
> Linet
> Ørholmgade 6 st tv
> 2200 København N
>
> Tlf: +45 2128 7793
> email: [EMAIL PROTECTED]
> www: http://www.linet.dk
>
>
> ------------------------------------------------------------------------
>
> diff -r -u krb5-1.5.orig/src/lib/gssapi/krb5/indicate_mechs.c
> krb5-1.5/src/lib/gssapi/krb5/indicate_mechs.c
> --- krb5-1.5.orig/src/lib/gssapi/krb5/indicate_mechs.c 2006-06-15
> 00:27:54.000000000 +0200
> +++ krb5-1.5/src/lib/gssapi/krb5/indicate_mechs.c 2007-07-18
> 08:59:13.000000000 +0200
> @@ -34,7 +34,7 @@
> {
> *minor_status = 0;
>
> - if (! gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both,
> mech_set)) {
> + if (gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set)) {
> *mech_set = GSS_C_NO_OID_SET;
> *minor_status = ENOMEM;
> return(GSS_S_FAILURE);
>
>
> ------------------------------------------------------------------------
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
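Review bot: inverting the condition in the quoted indicate_mechs.c hunk is the right fix, because gssint_copy_oid_set returns a GSS major status in which GSS_S_COMPLETE is 0, so the old `if (! gssint_copy_oid_set(...))` took the success path as a failure and produced the spurious ENOMEM ("Cannot allocate memory") that gss_accept_sec_context() reported earlier in the thread. Two follow-ups for the same hunk: writing the test as `if (gssint_copy_oid_set(...) != GSS_S_COMPLETE)` would make the intent plain to the next reader, and the unchanged `*minor_status = ENOMEM;` line still overwrites whatever minor code gssint_copy_oid_set stored through its minor_status argument, so a failure for any other reason is reported as ENOMEM too.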
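The two checks this thread turns on are whether a service ticket carries the ok-as-delegate flag (the "O" in klist -f output) and whether the service account carries TRUSTED_FOR_DELEGATION in userAccountControl. The following added Python example, which is not from the thread or from MIT Kerberos, parses klist -f output (flag letters as documented in the MIT klist man page) and decodes the delegation-related userAccountControl bits from KB 305144; the klist sample and its principal names are constructed.

```python
import re

# klist -f flag letters (MIT klist man page) and delegation-related UAC bits (KB 305144).
KLIST_FLAGS = {"F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
               "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
               "i": "invalid", "H": "hw-auth", "A": "preauth", "T": "transited-checked",
               "O": "ok-as-delegate", "a": "anonymous"}
UAC_BITS = {0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
            0x80000: "TRUSTED_FOR_DELEGATION", 0x100000: "NOT_DELEGATED",
            0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION"}

# Constructed sample modelled on the klist -f output quoted in the thread (placeholder names).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 07/19/07 09:16:49, Flags: FRIA
07/18/07 09:17:04  07/18/07 19:16:55  HTTP/web.example.com@EXAMPLE.COM
        renew until 07/18/07 09:17:04, Flags: FRAT
07/18/07 09:35:35  07/18/07 19:16:55  host/kdc.example.com@EXAMPLE.COM
        renew until 07/18/07 09:35:35, Flags: FRATO
"""

TICKET_RE = re.compile(r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+"
                       r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(?P<princ>\S+)$")
FLAGS_RE = re.compile(r"Flags: (?P<flags>[A-Za-z]+)")

def parse_klist(text):
    """Map each service principal in klist -f output to its set of flag names."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:                                   # ticket line: note the principal
            current = m.group("princ")
            tickets[current] = set()
        elif current and (m := FLAGS_RE.search(line)):   # its "renew until ..., Flags:" line
            tickets[current] = {KLIST_FLAGS.get(c, c) for c in m.group("flags")}
    return tickets

def tickets_missing_delegation(tickets):
    """Service tickets (TGTs excluded) for which the KDC did not set ok-as-delegate."""
    return sorted(p for p, f in tickets.items()
                  if not p.startswith("krbtgt/") and "ok-as-delegate" not in f)

def decode_uac(value):
    """Names of the delegation-related bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_BITS.items()) if value & bit]
```

On the sample, the HTTP ticket (FRAT) is the one reported as lacking ok-as-delegate, which matches the symptom in the thread, while the host ticket (FRATO) passes.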