
Re: Different Heimdal/MIT behaviour of krb5_get_credentials ?

On Jun 1, 2007, at 12:00 PM, Markus Moeller wrote:

> "Henry B. Hotz" <hotz@jpl.nasa.gov> wrote in message
> news:65054D89-41A4-4CA7-B6A1-9C5059848416@jpl.nasa.gov...
>> On May 31, 2007, at 11:25 AM, Markus Moeller wrote:
>>> I have an AD forest with MM.COM with domains DOM1.MM.COM, DOM2.MM.COM and
>>> SUB.DOM2.MM.COM which all trust each other. To test the availability of
>>> service tickets I created the following short program:
>> Any particular reason you didn't use kvno (MIT) and kgetcred (Heimdal)?
> Not really, only I am not sure if it will achieve what I want. My final
> goal is to determine easily for a user/application if a domain has trust to
> another. My thought was that the user does a kinit to his domain DOM1 (or an
> application kinit against a keytab) and then tries to get a krbtgt for the
> unknown domain DOM2. If he gets the tgt they have trust, if not they don't.
> Does this make sense?

Sure it does.  You could do that with the utilities I listed too, but  
writing your own code you've got more visibility into what's happening.

I'm sure you realize it could fail for more reasons than just lack of  
a trust relationship also.  I've found I can't get away from these  
little hip-pocket test programs when I need to debug things.  Name  
canonicalization and DNS (or NIS) interactions seem especially  
problematic in the real world for me.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
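
The check discussed in this thread, as an added example that is not code from either poster: after kinit, request krbtgt/TARGET@HOME with kvno (MIT) or kgetcred (Heimdal). The function names and return codes are assumptions of this example, and a failed request is reported separately from "no trust" because, as the reply notes, it can fail for other reasons.

```shell
#!/bin/sh
# Added example: probe for a cross-realm TGT after kinit.
# Function names and return codes are assumptions of this example.

# Principal of the cross-realm TGT: krbtgt/<target realm>@<home realm>.
xrealm_tgt() {
    printf 'krbtgt/%s@%s\n' "$2" "$1"
}

# Name of the installed ticket-request utility: kvno (MIT) or kgetcred (Heimdal).
ticket_tool() {
    if command -v kvno >/dev/null 2>&1; then
        echo kvno
    elif command -v kgetcred >/dev/null 2>&1; then
        echo kgetcred
    else
        return 1
    fi
}

# probe_realm HOME_REALM TARGET_REALM
#   0  cross-realm TGT obtained
#   1  request failed; missing trust is only one possible cause, so the
#      utility's own error message is left on stderr for inspection
#   2  neither kvno nor kgetcred is installed
#   3  no valid credentials in the cache (run kinit first)
probe_realm() {
    tool=$(ticket_tool) || return 2
    klist -s >/dev/null 2>&1 || return 3
    "$tool" "$(xrealm_tgt "$1" "$2")" >/dev/null || return 1
    return 0
}

# Usage with the realm names from the thread:
#   kinit user@DOM1.MM.COM
#   probe_realm DOM1.MM.COM DOM2.MM.COM; echo "result: $?"
```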