Marcello Mezzanotti wrote:
> I just did :)
>
> the problem was the keytab, I created using linux command "net ads
> keytab create",
>
> I tested both linux ssh client and putty
> (PuTTY-0.58-GSSAPI-2005-07-24, I tested with another patched putty
> client, worked, but it didn't create/forward my ticket) and all
> worked fine.

Did you get forwardable tickets using the kinit -f option?

>
> Is "Kerberos for Windows" necessary for Windows/Putty?

There are several versions of PuTTY that support the GSS protocol.
But on Windows, there are two APIs that can be used, the GSS-API
provided by the KfW and the Microsoft SSPI built into Windows.
Each of these uses its own ticket cache.

Most versions of PuTTY will use the SSPI and thus expect the user
to have logged into a Windows domain which gets tickets during
the login. These tickets are stored in the Microsoft LSA.
(runas.exe can also be used to get tickets and run a program with
a different LSA.)

Versions of PuTTY that use the KfW provided gssapi32.dll can be
used on Windows machines that are not part of a Windows domain, or
where the KDC is not a Windows domain controller, i.e. an MIT or
Heimdal KDC.

The official PuTTY site, in their SVN, uses SSPI. (Bob Ramussen says
they may have an unofficial release now.)

The Quest version also uses SSPI.

I believe the Certify version uses SSPI but have not tried it.

The KfW developers, secure-endpoints.com, have a PuTTY that uses
gssapi32.dll. I have not tried this one either.

The http://v_t_m.sweb.cz/ version (which you have found) can use
either SSPI or gssapi32.dll, as it will test if tickets are available
in the MSLSA or via KfW. (I wrote that mod.) But it's for PuTTY 0.58
and does not have GSSAPIKeyExchange.

One other issue with multiple PuTTY versions on a single Windows
machine is they all save the Sessions in the same registry location:
HKCU\Software\SimonTatham\PuTTY\Sessions, but they use different keys
for the GSS flags:

  v_t_m.sweb-cz: AuthGSSAPI, GSSAPIFwdTGT
  PuTTY(svn):    AuthGSSAPI, gssapiFwd
  Quest:         AuthSSPI, SSPIFwdTGT, TryGSSKEX
  Certify:       (Don't know)

So if you try multiple clients, use different session names for each
as some versions will fail if there are unknown keys in the Session.

This whole situation is unfortunate in that the open source community
had gotten way ahead of the PuTTY developers (4 years at least) and
the PuTTY developers are just starting to catch up.

So your choice of which PuTTY Windows client you use depends mostly
on how you obtain your tickets. KfW can import tickets from the
Microsoft LSA that can help in some situations.

>
> Thank you all for help.
>
> Thank you,
> Marcello
>

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
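
Added example (not part of the original message, and not code from any PuTTY build): a Python check over the text of a `reg export` of the shared Sessions key that reports which GSS value names each saved session holds and flags sessions carrying names from more than one build. The value names are the ones listed in the message; the sample export, its session names, host name and dword data are constructed for illustration.

```python
import re
from collections import defaultdict

# GSS value names per PuTTY build, as listed in the message above.
FORK_VALUES = {
    "v_t_m.sweb.cz": {"AuthGSSAPI", "GSSAPIFwdTGT"},
    "PuTTY (svn)": {"AuthGSSAPI", "gssapiFwd"},
    "Quest": {"AuthSSPI", "SSPIFwdTGT", "TryGSSKEX"},
}
ALL_GSS = set().union(*FORK_VALUES.values())
SESSIONS = r"HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions" + "\\"

# Constructed sample of exported registry text (assumption: values are dwords).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\krb-vtm]
"HostName"="host.example.org"
"AuthGSSAPI"=dword:00000001
"GSSAPIFwdTGT"=dword:00000001
[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\krb-shared]
"AuthGSSAPI"=dword:00000001
"AuthSSPI"=dword:00000001
"TryGSSKEX"=dword:00000001
'''

def gss_values_by_session(reg_text):
    """Map session name -> set of GSS-related value names found in the export."""
    found, current = defaultdict(set), None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key[len(SESSIONS):] if key.startswith(SESSIONS) else None
        elif current is not None:
            m = re.match(r'"([^"]+)"=', line)
            if m and m.group(1) in ALL_GSS:
                found[current].add(m.group(1))
    return dict(found)

def classify(values):
    """Builds whose value names cover everything found; [] means a mixed session."""
    return sorted(f for f, names in FORK_VALUES.items() if values <= names)

if __name__ == "__main__":
    for name, vals in gss_values_by_session(SAMPLE).items():
        print(name, sorted(vals), classify(vals) or "MIXED: more than one build")
```

A session reported as mixed is one that was saved by more than one client under the same name, which is the case the message recommends avoiding by using a different session name per client.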