Regarding User Delegation

Narendra Kumar S.S ssnkumar at gmail.com
Wed Feb 16 23:46:49 MST 2011


Hi,

     I am facing a problem with delegated user authentication and seek help
in resolving the issue.

     I have used Heimdal APIs in my code, and I am using Windows 2003 R2 as
my DC/AD.
     I have configured a delegated user, and am using this in my code to log in
to AD.
     I get the tickets on behalf of another user (say user1) for the
cifs service.
     From the TGS REP I got the ticket with flags (ok-as-delegate, pre-auth,
renewable) for the user user1,
     and I build the authenticator using krb5_make_req_extended().

     When I send this authenticator and ticket, encapsulated in a GSS-API blob
in the Session Setup AndX request,
     I get the error "KRB5KBC_AP_ERR_MODIFIED" from the server.
     The code is tested with a single standalone user and it works fine.

    My domain name is mytest.com.
    The delegated user is deleg_user.
    The hostname of my DC/AD is test-dc.
    My SPNs on the DC/AD look as below:
C:\>setspn -l deleg_user
Registered ServicePrincipalNames for CN=deleg_user,CN=Users,DC=mytest,DC=com:
    cifs/test-dc.mytest.com
    cifs/test-dc

C:\>setspn -l test-dc
Registered ServicePrincipalNames for CN=TEST-DC,OU=Domain Controllers,DC=mytest,DC=com:
    cifs/mytest.com

    Please let me know how to get this working.

Regards,
Narendra