
Re: KRB5KRB_AP_ERR_MODIFIED during protocol transition



> Step 3:
> -------
> $ ~/ws/krb-lib/heimdal-0.8.1/kuser/kgetcred
> --delegation-credential-cache=FILE:/tmp/pt.cc --forwardable cifs/ 
> cifs-server
>
> I found that problem is that the KDCOptions in the KRB_REQ_BODY are
> insufficient even with the --forwardable option. I had to hack the code to
> enable the 'Renewable', 'Constrained Delegation' and 'Canonicalize' bits in
> the KDCOptions to get it working. After this change, KDC gave me the service
> ticket to the cifs service on behalf of the impersonated user.

I only seem to need Constrained Delegation, however, but there is the
confusion if it's bit 14 or bit 16. Bit 16 doesn't work, but bit 14 seems to be
claimed for anonymous support...

Love
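
Added example, not part of the thread and not Heimdal code: a small decoder for the 32-bit KDCOptions value seen in a packet trace, to check which of the bit numbers discussed above a request actually carries. The function names are hypothetical; the names for bits 1, 8 and 27 follow RFC 4120 and bit 15 follows RFC 6806, while bits 14 and 16 are deliberately left unnamed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* KDCOptions is an ASN.1 BIT STRING: bit 0 is the MOST significant bit
 * of the first octet, so bit n of the 32-bit field is 1 << (31 - n). */
uint32_t kdcopt_mask(unsigned bit)
{
    return bit < 32 ? (uint32_t)1 << (31 - bit) : 0;
}

/* Only flags whose numbers are not in dispute get a name here. */
static const char *kdcopt_name(unsigned bit)
{
    switch (bit) {
    case 1:  return "forwardable";
    case 8:  return "renewable";
    case 15: return "canonicalize";
    case 27: return "renewable-ok";
    default: return NULL;
    }
}

/* Writes a comma-separated list of the set bits into buf.
 * Returns the number of set bits, or -1 if buf is too small. */
int kdcopt_describe(uint32_t opts, char *buf, size_t len)
{
    int count = 0;
    size_t used = 0;

    if (len == 0)
        return -1;
    buf[0] = '\0';
    for (unsigned bit = 0; bit < 32; bit++) {
        if (!(opts & kdcopt_mask(bit)))
            continue;
        const char *name = kdcopt_name(bit);
        const char *sep = count ? "," : "";
        int n = name ? snprintf(buf + used, len - used, "%s%s", sep, name)
                     : snprintf(buf + used, len - used, "%sbit-%u", sep, bit);
        if (n < 0 || (size_t)n >= len - used)
            return -1;
        used += (size_t)n;
        count++;
    }
    return count;
}
```

Comparing `kdcopt_mask(14)` and `kdcopt_mask(16)` against the options field in a capture shows which of the two bits a given client build is setting.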