Thank you Ken for the valuable feedback.

I'm using the latest version V1.21 with its default backend DB. After the test, if 
all works, I will try the combination MIT KDC + OpenLDAP then.

There are not so many available materials I can refer to for a case like mine. 
Sometimes I really doubt whether the Windows S4U API is completely compatible with 
MIT KDC, but based on the current investigation, I still can't draw any 
conclusions. That's why I post comments here.

Regards
Jianjun Li

-----Original Message-----
From: Ken Hornstein <k...@cmf.nrl.navy.mil>
Sent: Thursday, November 9, 2023 3:17 AM
To: JianJun Li <j...@rocketsoftware.com>
Cc: kerberos@mit.edu
Subject: Re: Question about Windows S4U support

I am DEFINITELY not an expert in S4U* nor Windows APIs, but I have looked into 
this a BIT and I can give you some thoughts.

>Now we want to switch from Windows AD to MIT KDC. Currently Windows
>can be authenticated by MIT KDC without any problem but the Windows API
>LSALogonUser() in our application fails.

It should be noted up front that there are some caveats to MIT Kerberos 
S4U support.  The specific one that I am aware of is that you cannot use the 
db2 database (the default) as the KDC backend; you need to use the LDAP KDB 
module and configure a special attribute called "krbAllowedToDelegateTo" to 
configure a service principal to permit S4U2Self.  I am not sure this is 
relevant to this discussion though.

>Nov 03 14:01:40 niuniu krb5kdc[13724](info): TGS_REQ (5 etypes
>{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
>DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24),
>UNSUPPORTED:(-135)}) 192.168.0.5: LOOKING_UP_SERVER: authtime 0,
>host/win11client.mylab....@mylab.com for host\/win11client.mylab....@mylab.com, Server not found
>in Kerberos database

It's important to understand that INTERNALLY Kerberos principals are represented 
as a sequence of one or more strings and a realm.  So while you may see a 
principal in the form of "host/win11cli...@mylab.com"
that's just the user representation.  Really that's encoded on the wire as the 
strings "host" and "win11client", and the realm MYLAB.COM.  If MIT Kerberos is 
displaying that as "host\/win11cli...@mylab.com", then that means it's getting 
ONE string for that principal that contains "host/win11client" (the '/' is the 
traditional separator for strings in a Kerberos principal).  I have no idea why 
that is happening, but that suggests to me that there is some problem on the 
client side.

--Ken
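To illustrate Ken's point about the wire-level representation, here is an added example (not code from the thread or from MIT krb5): a small Python parser that applies the MIT display convention ('/' separates components, '@' introduces the realm, a backslash quotes the next character) to the two forms seen in the log. The sample strings are constructed from the redacted log line; the parser treats every escaped character literally, which is a simplification of what krb5 does.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    """Wire-level view of a principal: name components plus the realm."""
    components: tuple
    realm: str

def parse_principal(text: str) -> Principal:
    """Split a display string into components and realm, honouring backslash escapes."""
    components, current, realm, i = [], [], None, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i + 1])  # quoted char is literal data, not a separator
            i += 2
            continue
        if realm is None and ch == "/":
            components.append("".join(current))
            current = []
        elif realm is None and ch == "@":
            components.append("".join(current))
            current, realm = [], ""      # the rest of the string is the realm
        else:
            current.append(ch)
        i += 1
    if realm is None:                    # no unescaped '@': the string carries no realm
        components.append("".join(current))
        return Principal(tuple(components), "")
    return Principal(tuple(components), "".join(current))

def unparse_principal(p: Principal) -> str:
    """Display form: quote '/', '@' and '\\' inside a component so it round-trips."""
    def quote(s):
        return "".join("\\" + c if c in "/@\\" else c for c in s)
    return "/".join(quote(c) for c in p.components) + "@" + quote(p.realm)

def same_principal(a: str, b: str) -> bool:
    """Two display strings name the same principal only if their wire forms match."""
    return parse_principal(a) == parse_principal(b)

# Constructed from the (redacted) KDC log line above; not the thread's literal data.
EXPECTED = "host/win11client.mylab.com@MYLAB.COM"   # two components: "host", "win11client..."
SEEN = "host\\/win11client.mylab.com@MYLAB.COM"     # ONE component that contains a '/'

if __name__ == "__main__":
    print(parse_principal(EXPECTED), parse_principal(SEEN), sep="\n")
    print("same principal:", same_principal(EXPECTED, SEEN))  # False: the KDB lookup cannot match
```

Because the one-component form never equals the two-component service entry the KDC holds, the lookup fails with "Server not found in Kerberos database" even though the strings look alike on screen.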

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos