Re: Different Heimdal/MIT behaviour of krb5_get_credentials ?
On Jun 1, 2007, at 12:00 PM, Markus Moeller wrote:
>
> "Henry B. Hotz" <hotz@jpl.nasa.gov> wrote in message
> news:65054D89-41A4-4CA7-B6A1-9C5059848416@jpl.nasa.gov...
>>
>> On May 31, 2007, at 11:25 AM, Markus Moeller wrote:
>>
>>> I have an AD forest with MM.COM with domains DOM1.MM.COM, DOM2.MM.COM and
>>> SUB.DOM2.MM.COM which all trust each other. To test the availability of
>>> service tickets I created the following short program:
>>
>> Any particular reason you didn't use kvno (MIT) and kgetcred
>> (Heimdal)?
>
> Not really, only I am not sure if it will achieve what I want. My final
> goal is to determine easily for a user/application if a domain has trust to
> another. My thought was that the user does a kinit to his domain DOM1 (or an
> application kinit against a keytab) and then tries to get a krbtgt for the
> unknown domain DOM2. If he gets the tgt they have trust if not they don't.
>
> Does this make sense ?
Sure it does. You could do that with the utilities I listed too, but
writing your own code you've got more visibility into what's happening.
I'm sure you realize it could fail for more reasons than just lack of
a trust relationship also. I've found I can't get away from these
little hip-pocket test programs when I need to debug things. Name
canonicalization and DNS (or NIS) interactions seem especially
problematic in the real world for me.
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
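
The check discussed in this message, as an added example that is not part of the original thread or of either Kerberos distribution: it requests krbtgt/REMOTE@LOCAL with MIT `kvno` and separates "no cross-realm key" from the other failure causes mentioned above. The function names and result labels are hypothetical, the matched substrings are MIT libkrb5 error messages (Heimdal's `kgetcred` words them differently), and a TGT from a prior `kinit` is assumed.

```shell
#!/bin/sh
# Added example: probe for a cross-realm key by asking the local realm's KDC
# for krbtgt/REMOTE@LOCAL. Assumes MIT kvno on PATH and an existing TGT.

# classify_kvno_error TEXT
# Maps MIT error text to a (hypothetical) label, so a missing trust is not
# confused with DNS/KDC lookup problems, a missing TGT, or clock skew.
classify_kvno_error() {
    case "$1" in
        *"Server not found in Kerberos database"*) echo no-trust ;;
        *"Cannot contact any KDC"*|*"Cannot find KDC for"*) echo kdc-unreachable ;;
        *"No credentials cache found"*|*"Ticket expired"*) echo no-tgt ;;
        *"Clock skew too great"*) echo clock-skew ;;
        *) echo unknown ;;
    esac
}

# check_trust LOCAL_REALM REMOTE_REALM
# Prints "trust" and returns 0 when the cross-realm TGT is issued; otherwise
# prints the failure class and returns 1.
check_trust() {
    local_realm=$1
    remote_realm=$2
    # Keep only stderr: that is where kvno reports the failure reason.
    if err=$(LC_ALL=C kvno "krbtgt/${remote_realm}@${local_realm}" 2>&1 >/dev/null); then
        echo trust
        return 0
    fi
    classify_kvno_error "$err"
    return 1
}

# Usage: sh check_trust.sh DOM1.MM.COM DOM2.MM.COM
if [ "$#" -eq 2 ]; then
    check_trust "$1" "$2"
fi
```

Only the `no-trust` result says the local KDC has no krbtgt principal for the remote realm; every other label means the probe did not get far enough to answer the question.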