Re: Cross Realm Trust with AD - PROCESS_TGS Error

2015-10-20 Thread Sean Elble
Please disregard this. It was a password mismatch after all, in some way, shape, or form. The password used for the trust principal was a strong password with many special characters, and despite recreating the principal numerous times with the password checked and rechecked on each side, it

Re: Cross Realm Trust with AD - PROCESS_TGS Error

2015-10-20 Thread Sean Elble
And one more potentially useful piece of information that may suggest the krbtgt/linux.example@windows.example.com principal doesn't exist: [selble@NW-8504LM ~]$ kinit krbtgt/linux.example@windows.example.com krbtgt/linux.example@windows.example.com's Password: kinit: krb5_get_init_c

Re: Constrained Delegation and PAC : Realm crossover

2015-10-20 Thread Rick van Rein
Hi, >> What I'm left wondering is, if the client's KDC knows what delegations >> are permitted, as is the case with FreeIPA, is it not simpler to pass on >> the additional tickets for smtp/ and imap/ in an AD structure in the >> webmail ticket? > > This is a potential optimization I have been thin

Cross Realm Trust with AD - PROCESS_TGS Error

2015-10-20 Thread Sean Elble
Hi, I'm running into a situation where I have set up a one-way trust with an MIT Kerberos realm (LINUX.EXAMPLE.COM) trusting an AD realm (WINDOWS.EXAMPLE.COM). The krbtgt/linux.example@windows.example.com principal exists in both realms, and I *believe* that the password for the principal is

Re: Constrained Delegation and PAC : Realm crossover

2015-10-20 Thread Simo Sorce
On 20/10/15 05:03, Rick van Rein wrote: > Hi, > > >> There are 2 different approaches for Constrained Delegation, one where >> Access control is applied at the KDC level, and one that relies on the >> receiving service to apply access control. >> >> When using an MS-PAC you have an AD element that

Re: Constrained Delegation and PAC : Realm crossover

2015-10-20 Thread Rick van Rein
Hi, > There are 2 different approaches for Constrained Delegation, one where > Access control is applied at the KDC level, and one that relies on the > receiving service to apply access control. > > When using an MS-PAC you have an AD element that tells you whether the > ticket is the result of d

Re: Constrained Delegation and PAC : Realm crossover

2015-10-20 Thread Rick van Rein
Hi Simo, > I guess I need to ask you for a detailed example of a transaction to > understand what you are aiming to. Gladly, thanks :) An example of use I have in mind is a party owning a domain name, based on externally hosted components from online providers, all secured and linked together