Problems with Bind-Kerberos-Windows-Linux

Phil Mayers p.mayers at imperial.ac.uk
Mon Dec 6 14:45:23 UTC 2010


On 12/06/2010 02:20 PM, Jürgen Dietl wrote:
> I have read that there is a special mode called User-To-User Mode. This
> mode enables the client to ask for a service directly without asking for a

That's not quite how u2u works.

> TGT before. I found out that my client uses this special user-to-user
> mode. I don't know why.

No. Your client is using SPNEGO and offering u2u as a *possible* 
mechanism to be negotiated.

> GSS-API Generic Security Service Application Program Interface
> OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
> Simple Protected Negotiation
> negTokenInit
> mechTypes: 3 items
> MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
> MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
> MechType: 1.2.840.113554.1.2.2.3 (KRB5 - Kerberos 5 - *User to User*)

>
> Is this a wanted behavior?

Yes. That's how SPNEGO works. I'm willing to bet the server does not 
actually *pick* u2u - but the client can do it, so offers it during 
negotiation.

I can't help you with your wider question I'm afraid; I don't really 
understand what you're asking. But the user2user stuff is a red herring 
and can be ignored.
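Added example, not part of the thread above: a small Python script that builds the same kind of SPNEGO negTokenInit the Wireshark dump shows (GSS-API InitialContextToken wrapping the mechTypes list) and then parses it back, followed by the server-side selection step that explains the reply. The three mechanism OIDs are the ones quoted in the post; the DER encoder/decoder and the `select_mechanism` helper are written here for illustration and are not from any BIND, Kerberos or Wireshark code base. The "supported" set is a constructed assumption standing in for a server that speaks Kerberos but not user-to-user.

```python
"""SPNEGO negTokenInit: build it, parse the mechTypes list, pick a mechanism.

Demonstrates (with a hand-rolled minimal DER codec) why a client token can
list Kerberos user-to-user as a *candidate* while the server never uses it:
the server simply picks the first offered mechanism it supports.
"""

SPNEGO_OID = "1.3.6.1.5.5.2"             # GSS-API SPNEGO
MS_KRB5 = "1.2.840.48018.1.2.2"          # MS KRB5 (Microsoft Kerberos 5)
KRB5 = "1.2.840.113554.1.2.2"            # KRB5 (Kerberos 5)
KRB5_U2U = "1.2.840.113554.1.2.2.3"      # KRB5 user-to-user


def encode_oid(dotted):
    """DER-encode a dotted OID (first arc must be 0 or 1, as with all OIDs used here)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for v in arcs[2:]:
        chunk = [v & 0x7F]                 # base-128, high bit set on all but the last byte
        v >>= 7
        while v:
            chunk.append((v & 0x7F) | 0x80)
            v >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(raw):
    """Inverse of encode_oid (assumes first arc 0 or 1)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    v = 0
    for b in raw[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(str(a) for a in arcs)


def tlv(tag, body):
    """DER tag-length-value with short or long definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def read_tlv(buf, pos):
    """Return (tag, value, position after this TLV)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def build_neg_token_init(mech_oids):
    """[APPLICATION 0] { SPNEGO OID, [0] NegTokenInit { [0] mechTypes SEQUENCE OF OID } }."""
    mech_types = tlv(0x30, b"".join(tlv(0x06, encode_oid(o)) for o in mech_oids))
    neg_token_init = tlv(0x30, tlv(0xA0, mech_types))  # only the mechTypes field, no mechToken
    return tlv(0x60, tlv(0x06, encode_oid(SPNEGO_OID)) + tlv(0xA0, neg_token_init))


def parse_mech_types(token):
    """Extract the client's offered mechanism OIDs, in preference order."""
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("token is not SPNEGO")
    tag, nti, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected negTokenInit [0]")
    _, fields, _ = read_tlv(nti, 0)         # NegTokenInit SEQUENCE
    pos = 0
    while pos < len(fields):                # walk optional [n] fields; mechTypes is [0]
        tag, field, pos = read_tlv(fields, pos)
        if tag == 0xA0:
            _, seq, _ = read_tlv(field, 0)
            oids, p = [], 0
            while p < len(seq):
                _, o, p = read_tlv(seq, p)
                oids.append(decode_oid(o))
            return oids
    return []


def select_mechanism(offered, supported):
    """Server side of the negotiation: first offered mechanism the server supports, else None."""
    for o in offered:
        if o in supported:
            return o
    return None


# Constructed sample: the client from the post offers all three; the server (assumed)
# supports plain Kerberos only, so user-to-user is never chosen.
SAMPLE_TOKEN = build_neg_token_init([MS_KRB5, KRB5, KRB5_U2U])
SERVER_SUPPORTED = {MS_KRB5, KRB5}

if __name__ == "__main__":
    offered = parse_mech_types(SAMPLE_TOKEN)
    print("client offers:", offered)
    print("server picks :", select_mechanism(offered, SERVER_SUPPORTED))
```

Running it prints the same three mechTypes as the capture and shows the server settling on MS KRB5; the u2u entry is present only because the client advertised it.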



More information about the bind-users mailing list