Re: Different Heimdal/MIT behaviour of krb5_get_credentials ? - Kerberos


  1. Re: Different Heimdal/MIT behaviour of krb5_get_credentials ?


    On May 31, 2007, at 11:25 AM, Markus Moeller wrote:

    > I have an AD forest with MM.COM with domains DOM1.MM.COM, DOM2.MM.COM
    > and SUB.DOM2.MM.COM which all trust each other. To test the
    > availability of service tickets I created the following short program:


    Any particular reason you didn't use kvno (MIT) and kgetcred (Heimdal)?

    To properly debug the problem you probably want to look at the kdc
    logs to see what actually got requested as compared to what's
    available. You can also get that info from a tcpdump/snoop, but it's
    not as easy.

    ------------------------------------------------------------------------
    The opinions expressed in this message are mine,
    not those of Caltech, JPL, NASA, or the US Government.
    Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Different Heimdal/MIT behaviour of krb5_get_credentials ?


    On Jun 1, 2007, at 12:00 PM, Markus Moeller wrote:

    >
    > "Henry B. Hotz" wrote in message
    > news:65054D89-41A4-4CA7-B6A1-9C5059848416@jpl.nasa.gov...
    >>
    >> On May 31, 2007, at 11:25 AM, Markus Moeller wrote:
    >>
    >>> I have an AD forest with MM.COM with domains DOM1.MM.COM, DOM2.MM.COM
    >>> and SUB.DOM2.MM.COM which all trust each other. To test the
    >>> availability of service tickets I created the following short program:
    >>
    >> Any particular reason you didn't use kvno (MIT) and kgetcred (Heimdal)?
    >
    > Not really, only I am not sure if it will achieve what I want. My final
    > goal is to determine easily for a user/application if a domain has trust
    > to another. My thought was that the user does a kinit to his domain DOM1
    > (or an application kinit against a keytab) and then tries to get a krbtgt
    > for the unknown domain DOM2. If he gets the tgt they have trust if not
    > they don't.
    >
    > Does this make sense?


    Sure it does. You could do that with the utilities I listed too, but
    writing your own code you've got more visibility into what's happening.

    I'm sure you realize it could fail for more reasons than just lack of
    a trust relationship also. I've found I can't get away from these
    little hip-pocket test programs when I need to debug things. Name
    canonicalization and DNS (or NIS) interactions seem especially
    problematic in the real world for me.

    ------------------------------------------------------------------------
    The opinions expressed in this message are mine,
    not those of Caltech, JPL, NASA, or the US Government.
    Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
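
The trust check discussed in this thread, as an added example that is not part of either post: it asks `kvno` for the cross-realm TGT and separates "the KDC does not know that principal" from the other failure causes mentioned above. The function names are hypothetical, the error substrings are assumed from MIT krb5's message text (wording varies by release and differs under Heimdal), and the sample stderr lines are constructed.

```python
import subprocess

# Substrings of MIT krb5 error text mapped to a cause. Assumption: wording
# varies between releases and is different under Heimdal's kgetcred.
CAUSES = [
    ("Server not found in Kerberos database", "principal-unknown-to-kdc"),
    ("Cannot contact any KDC", "kdc-unreachable"),
    ("Cannot find KDC for", "realm-lookup-failed"),
    ("Cannot resolve network address for KDC", "dns-failure"),
    ("Clock skew too great", "clock-skew"),
    ("No credentials cache found", "no-tgt"),
    ("Ticket expired", "tgt-expired"),
]

def cross_realm_tgt(local_realm, foreign_realm):
    """Principal name of the TGT for foreign_realm issued by local_realm."""
    return f"krbtgt/{foreign_realm}@{local_realm}"

def classify(returncode, stderr):
    """Map a kvno exit status and stderr text to a coarse cause."""
    if returncode == 0:
        return "ticket-issued"
    for needle, cause in CAUSES:
        if needle in stderr:
            return cause
    return "unclassified"

def probe(local_realm, foreign_realm, kvno="kvno"):
    """Run kvno against the caller's existing ticket cache (kinit first)."""
    princ = cross_realm_tgt(local_realm, foreign_realm)
    try:
        res = subprocess.run([kvno, princ], capture_output=True, text=True, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return princ, type(exc).__name__
    return princ, classify(res.returncode, res.stderr)

# Constructed stderr lines for offline demonstration, not captured output.
TARGET = cross_realm_tgt("DOM1.MM.COM", "DOM2.MM.COM")
SAMPLES = [
    (0, ""),
    (1, f"kvno: Server not found in Kerberos database while getting credentials for {TARGET}"),
    (1, f"kvno: Clock skew too great while getting credentials for {TARGET}"),
    (1, f"kvno: Cannot contact any KDC for realm 'DOM1.MM.COM' while getting credentials for {TARGET}"),
]

if __name__ == "__main__":
    for rc, err in SAMPLES:
        print(classify(rc, err), "<-", err or "(exit 0)")
```

Only `principal-unknown-to-kdc` is consistent with a missing trust, and the KDC logs remain the way to confirm what was actually requested.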



