On Thu, May 31, 2018 at 04:50:36PM -0400, Jason Edgecombe wrote:
> Hi everyone,
>
> We're noticing some odd behaviour on our Windows clients where the Windows
> clients are not forwarding the TGT to our Linux servers. People can log in
> to the Linux servers from Windows clients, but "klist" shows no tickets
> after login. Linux clients forward the TGT just fine. In case it matters,
> we just moved our Linux home directories from a NAS with Kerberized SMB to
> a Linux NFS server with Kerberized NFS. I've had to disable GSSAPI
> authentication in openssh so that Windows users can still get tickets on
> the remote end.
The use of "GSSAPI authentication" seems to imply that a third-party (i.e.,
not native Windows) Kerberos implementation is in use. If so, which
implementation, and which credentials cache type?

> I have a disagreement with our AD guru on whether or not TGTs are expected
> to be forwarded and if that is a security risk. Everything worked fine a
> few weeks ago.

The Windows behavior has changed from release to release; at some points
TGTs in the Windows-native "LSA" cache were retrievable only for users that
were not (local) Administrators. At this point the limitation may apply to
all users, though; I have lost track.

Regardless, the behavior of the Windows LSA should only be relevant if the
Windows-native credentials are being used. With a Heimdal or MIT KfW
implementation, an external tool could be used to obtain tickets outside of
the LSA and use those for GSSAPI authentication+delegation, the same as on
Linux.

-Ben
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
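The two checks the thread circles around, written up as an added example that is not part of the list discussion or of any Kerberos distribution: on the Linux server, does the login actually arrive with a delegated, forwardable TGT (the "klist shows no tickets" symptom), and is GSSAPI authentication still on in sshd (the workaround Jason applied turns it off)? The script parses `klist -f` output in MIT krb5 format and an OpenSSH sshd_config; the cache listings and config excerpt embedded below are constructed samples, and the principal, realm and paths in them are made up. The Windows-side commands in the comments are the MIT KfW equivalents of what Ben describes (a ticket obtained outside the LSA); whether they apply to a given client depends on which implementation and cache type are in use, which is exactly the question the reply asks.

```shell
#!/bin/sh
# Added example (not from the thread). Server-side checks for SSH GSSAPI
# credential delegation. Assumes MIT krb5 'klist -f' output and OpenSSH
# sshd_config syntax; sample data below is constructed.

# tgt_flags: read 'klist -f' output on stdin and print the Flags letters of
# the krbtgt entry. Prints nothing when there is no TGT, and "?" when a TGT
# is listed but has no Flags line (klist was run without -f).
tgt_flags() {
    awk '
        /krbtgt\// { seen = 1; in_tgt = 1; next }
        in_tgt && /Flags:/ { sub(/.*Flags:[ \t]*/, ""); print; done = 1; exit }
        in_tgt && !/^[ \t]/ { in_tgt = 0 }
        END { if (seen && !done) print "?" }
    '
}

# tgt_status: classify the TGT in 'klist -f' output (stdin).
#   none             no TGT in the cache: the symptom reported in the thread
#   delegated        TGT carries 'f' (forwarded): it was delegated by the client
#   local            forwardable TGT without 'f': obtained by kinit on the server
#   not-forwardable  TGT lacks 'F': no client could have delegated it
#   unknown          TGT present but no flags shown (rerun as klist -f)
tgt_status() {
    flags=$(tgt_flags)
    case "$flags" in
        '')   echo none ;;
        '?')  echo unknown ;;
        *f*)  echo delegated ;;
        *F*)  echo local ;;
        *)    echo not-forwardable ;;
    esac
}

# sshd_gssapi: read sshd_config (or 'sshd -T' output) on stdin and print the
# effective GSSAPIAuthentication value. sshd honours the first occurrence of a
# keyword and its compiled-in default is "no". Keyword/value may be separated
# by whitespace or '='. Match blocks are not distinguished here (assumption:
# the keyword is set globally).
sshd_gssapi() {
    awk '
        { gsub(/=/, " ") }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "gssapiauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }
    '
}

# Constructed 'klist -f' output: a cache populated by GSSAPI delegation.
# 'F' = forwardable, 'f' = forwarded, 'R' = renewable, 'A' = preauthenticated.
KLIST_DELEGATED='Ticket cache: FILE:/tmp/krb5cc_1001_a1b2c3
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
05/31/2018 16:50:36  06/01/2018 02:50:36  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 06/07/2018 16:50:36, Flags: FfRA'

# Constructed: the user ran kinit on the server instead (no 'f').
KLIST_LOCAL='Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
05/31/2018 17:02:10  06/01/2018 03:02:10  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 06/07/2018 17:02:10, Flags: FRIA'

# Constructed: what klist prints when nothing was delegated.
KLIST_EMPTY='klist: No credentials cache found (filename: /tmp/krb5cc_1001)'

# Constructed sshd_config excerpt after the workaround described in the thread.
SSHD_OFF='# sshd_config (constructed)
Port 22
GSSAPIAuthentication no
GSSAPICleanupCredentials yes'

# report KLIST_TEXT SSHD_TEXT: print both verdicts for a pair of inputs.
report() {
    printf 'TGT status: %s\n' "$(printf '%s\n' "$1" | tgt_status)"
    printf 'sshd GSSAPIAuthentication: %s\n' "$(printf '%s\n' "$2" | sshd_gssapi)"
}

report "$KLIST_DELEGATED" "$SSHD_OFF"
report "$KLIST_EMPTY" "$SSHD_OFF"

# On a real server, feed the live commands instead of the samples:
#   klist -f | tgt_status
#   sshd -T  | sshd_gssapi
# On a Windows client with MIT KfW (the route Ben's reply describes), the
# MIT tools obtain a forwardable TGT outside the LSA into a file cache:
#   set KRB5CCNAME=FILE:%TEMP%\krb5cc
#   kinit -f user@EXAMPLE.COM
#   klist -f                     (expect F among the Flags)
# and an OpenSSH client delegates it only when asked:
#   ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes server
```

A TGT that reports "local" on the server after a Windows login is the usual sign that the client authenticated without delegating (or authenticated by password), whereas "none" together with "no" from the sshd check simply reflects the workaround in the thread: with GSSAPIAuthentication off, sshd never receives credentials to store.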