
Re: Was a smartcard used to get the ticket?

Phil Fisher wrote:
>> I re-added back gss_krb5_get_tkt_flags that used to exist, it fell
>> out with the mech-glue.
>> Love
> Thanks for that. Using release 1.0.1 I am able to call this function. 
> Unfortunately, I have not yet seen the hw_authent bit set.
> I am running my application on a Linux machine which has a smartcard 
> reader attached. My KDC is a Windows 2003 Active Directory. 
> Authentication with kinit works fine, but 'klist -f' only shows the 
> flags 'IA'.
> Douglas  Engert wrote elsewhere in this thread:
>> I know Windows AD will set the hw-authent bit, if you use a smart card,

Well, I tried it again with using a Smart card on XP to AD 2003, and it did
not set the bit. I could have sworn I have seen it set in the past.  Sorry
if I have misled you.

>> but not sure if Heimdal KDC will set it, or if the Heimdal klist will 
>> show it.
>> (The hw-authent could also imply an OTP or other hardware device, and not
>> a smartcard.)
>> But it is also not clear if the KDC will only set the hw-authent bit
>> if the KDC has the requires-hw-auth set on the user entry. (I don't have
>> a heimdal KDC.)
> I therefore set the 'Smart card is required for interactive login' 
> checkbox in the user's account properties, but this hasn't made any 
> difference.
> Is there any other configuration that I need to do for Active Directory? 
> I've not been able to find any documentation on this.
> Thanks again.
> Phil


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
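
The flag check discussed in this thread, as an added example that is not part of the original messages and not Heimdal or MIT code: it decodes a DER-encoded TicketFlags BIT STRING using the RFC 4120 bit numbers (hw-authent is bit 11, with bit 0 the most significant) and prints `klist -f` style letters. The function names, the letter table and the sample bytes are assumptions constructed for illustration; it does not call gss_krb5_get_tkt_flags, whose integer layout should be confirmed against the library's headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 4120 TicketFlags bit numbers; bit 0 is the most significant bit. */
enum { TF_INITIAL = 9, TF_PRE_AUTHENT = 10, TF_HW_AUTHENT = 11 };

/* Letters for bits 1..11 in bit order (klist -f style; assumed mapping). */
static const char TF_LETTERS[] = "FfPpDdiRIAH";

int tf_is_set(uint32_t flags, int bit) {
    return (flags >> (31 - bit)) & 1u;
}

/* Parse a DER BIT STRING (tag 0x03) holding TicketFlags into a 32-bit word.
 * Returns 0 on success, -1 on malformed input. Bits beyond 32 are ignored. */
int tf_from_der(const uint8_t *p, size_t n, uint32_t *out) {
    if (n < 3 || p[0] != 0x03 || p[1] >= 0x80) return -1; /* short-form length only */
    size_t len = p[1];                                    /* includes unused-bits octet */
    if (len < 1 || len + 2 != n || p[2] > 7) return -1;   /* p[2] = unused-bit count */
    uint32_t v = 0;
    for (size_t i = 0; i < 4; i++)                        /* missing octets read as 0 */
        v = (v << 8) | (i + 1 < len ? p[3 + i] : 0);
    *out = v;
    return 0;
}

/* Write the set flags as letters into buf (at least 12 bytes). */
void tf_letters(uint32_t flags, char *buf) {
    for (int bit = 1; bit <= 11; bit++)
        if (tf_is_set(flags, bit)) *buf++ = TF_LETTERS[bit - 1];
    *buf = '\0';
}

int main(void) {
    /* Constructed sample: flags matching the 'IA' output quoted in the thread. */
    const uint8_t der[] = {0x03, 0x05, 0x00, 0x00, 0x60, 0x00, 0x00};
    uint32_t flags;
    char s[12];
    if (tf_from_der(der, sizeof der, &flags) != 0) return 1;
    tf_letters(flags, s);
    printf("flags=%s hw-authent=%s\n", s,
           tf_is_set(flags, TF_HW_AUTHENT) ? "yes" : "no");
    return 0;
}
```

A service that depends on hardware pre-authentication would reject a ticket for which `tf_is_set(flags, TF_HW_AUTHENT)` is 0, which is the case for the 'IA' ticket described above.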