Re: Kerberos Database Sync with Sub-Domains

2020-07-14 Thread Isaac Boukris
On Tue, Jul 14, 2020 at 3:55 PM Jonathan Towles wrote: > > I got it to work if I reference the UPN in the command. > > The application is doing AS-Requests. Note that S4U2Self would also use AS-REQ for the client-referrals step (when enterprise names are used), and then switch to TGS-REQ for the

Re: Kerberos Database Sync with Sub-Domains

2020-07-14 Thread Isaac Boukris
On Tue, Jul 14, 2020 at 3:37 PM Jonathan Towles wrote: > > I'm working with an application inside of a Docker container that uses GSS to > do Kerberos Constrained Delegation. Constrained Delegation (S4U2Proxy) is a way to get a service ticket, but the client name is determined in a preceding ste

RE: Kerberos Database Sync with Sub-Domains

2020-07-14 Thread Jonathan Towles
Isaac Boukris Sent: Tuesday, July 14, 2020 9:54 AM To: Jonathan Towles Cc: Bryan Mesich ; kerberos@mit.edu Subject: Re: Kerberos Database Sync with Sub-Domains On Tue, Jul 14, 2020 at 3:37 PM Jonathan Towles wrote: > > I'm working with an application inside of a Docker container that u

RE: Kerberos Database Sync with Sub-Domains

2020-07-14 Thread Jonathan Towles
erberos@mit.edu Subject: Re: Kerberos Database Sync with Sub-Domains On Tue, Jul 14, 2020 at 3:22 PM Jonathan Towles wrote: > > So by using enterprise principal names, you can essentially point it at the > parent domain KDC, and it can get a ticket for even users in the sub-domains? Clie

Re: Kerberos Database Sync with Sub-Domains

2020-07-14 Thread Isaac Boukris
On Tue, Jul 14, 2020 at 3:22 PM Jonathan Towles wrote: > > So by using enterprise principal names, you can essentially point it at the > parent domain KDC, and it can get a ticket for even users in the sub-domains? Client-referrals are used to locate the realm, see details in RFC 6806. > That's

RE: Kerberos Database Sync with Sub-Domains

2020-07-14 Thread Jonathan Towles
m) 978-609-5545 -Original Message- From: Isaac Boukris Sent: Tuesday, July 14, 2020 8:38 AM To: Jonathan Towles Cc: Bryan Mesich ; kerberos@mit.edu Subject: Re: Kerberos Database Sync with Sub-Domains On Tue, Jul 14, 2020 at 2:23 PM Jonathan Towles wrote: > > Hi Bryan, > >

Re: Kerberos Database Sync with Sub-Domains

2020-07-14 Thread Isaac Boukris
g in the sub-domains > > I'm not sure if you can actually make #2 work or not. When I have tried, I > get user not found in the database issues. > > Jon Towles > CTO, Synterex > (m) 978-609-5545 > > > > -Original Message----- > From: Bryan Mesich >

RE: Kerberos Database Sync with Sub-Domains

2020-07-14 Thread Jonathan Towles
not sure if you can actually make #2 work or not. When I have tried, I get user not found in the database issues. Jon Towles CTO, Synterex (m) 978-609-5545 -Original Message- From: Bryan Mesich Sent: Monday, July 13, 2020 11:01 PM To: Jonathan Towles Cc: kerberos@mit.edu Subject: Re: Ke

Re: Kerberos Database Sync with Sub-Domains

2020-07-13 Thread Bryan Mesich
On Mon, Jul 13, 2020 at 06:58:39PM +, Jonathan Towles wrote: > Hi All, Hello, > I wanted to ask a question that I have been unable to get clear information > on. > > Is it technically or functionally possible to get a Kerberos ticket for > someone in the sub-domain against the parent doma

Kerberos Database Sync with Sub-Domains

2020-07-13 Thread Jonathan Towles
Hi All, I wanted to ask a question that I have been unable to get clear information on. Is it technically or functionally possible to get a Kerberos ticket for someone in the sub-domain against the parent domain Example: User j...@boston.synterex.com wants to g