Re: [gssproxy] Kerberos Double Hop
On Mon, 2014-06-16 at 13:49 +0000, Xie, Hugh wrote:
Simo,
Thanks for your response. Do you know example to that support odbc connection string for
the second hop?
Here is an sample for t_sd4u.py (our middle tier are python based).
https://github.com/krb5/krb5/blob/master/src/tests/gssapi/t_s4u.py
Two questions:
1. Do I replace service/1 with the HTTP TGT from our window client?
service/1 should be the service name of the service accepting the
connection from a client (the proxying service)
service/2 is the final target
2. For second hop to database, do I replace the S4U2Self step with an
ODBC connection to our database?
The s4u2self step is replaced by whatever inbound connection you get
from your clients.
When clients connect to service/1 they send you a ticket, that ticket is
used as evidence with s4u2proxy to obtain a ticket for service/2
Simo.
--
Simo Sorce * Red Hat, Inc * New York