cosign-discuss at umich.edu
general discussion of cosign development and deployment
cosign and kerberos
Ok, we have cosign running and authenticating to Active Directory, which does not require a kerberos server to authenticate to (other than the AD). Now, I need to authenticate to another KDC that has different users than in AD. So, I have some questions.
Can I use 2 KDCs in my default realm that don't share the same users or can I set up a cross-realm mapping for 2 KDCs? Any examples would be welcome.
I have a KDC set up on our test machine and can kinit from our cosign machine with myself/admin. However, I cannot kinit cosign. I get an invalid password. Here is how I added cosign from the cosign machine.
add password and verify
ktadd -k /etc/keytab.cosign
As I said, though, I get an invalid password error whenever I try to kinit it from the cosign server. Am I not setting it properly? I've deleted the cosign and re-added, but no use. Also, do I need to add the /etc/krb5.keytab file to the cosign configuration/Apache configuration? Or will it default there? How about the keytab.cosign?
What do the apache configs for kerberos do? I'm somewhat confused.
CosignTicketPrefix [ the path to the Kerberos ticket store ]
CosignGetKerberosTickets [ on | off ]
    module asks for tgt from cosignd
CosignKerberos524 [ on | off ]
    whether you want K5 tgt converted to K4 tgt
CosignKerberosSetupGSS [ on | off ]
    set up the environment so that other apache modules
    that need GSSAPI/Kerberos work. e.g. IMP running under mod_php
CosignGetProxyCookies [ on | off ]
    module asks for proxy cookies from cosignd