Problems with Bind-Kerberos-Windows-Linux

Phil Mayers p.mayers at
Mon Dec 6 14:45:23 UTC 2010

On 12/06/2010 02:20 PM, Jürgen Dietl wrote:
> I have read that there is a special mode called User-To-User Mode. This
> mode enables the client to ask for a service direct without asking for a

That's not quite how u2u works.

> TGT before. I found out that my client use this special user-to-user
> mode. I don’t know why.

No. Your client is using SPNego and offering u2u as a *possible* 
mechanism to be negotiated.

> GSS-API Generic Security Service Application Program Interface
> OID: (SPNEGO - Simple Protected Negotiation)
> Simple Protected Negotiation
> negTokenInit
> mechTypes: 3 items
> MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
> MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
> MechType: 1.2.840.113554. (KRB5 - Kerberos 5 - *User to User*)

> Is this a wanted behavior?

Yes. That's how spnego works. I'm willing to bet the server does not 
actually *pick* u2u - but the client can do it, so offers it during 

I can't help you with your wider question I'm afraid; I don't really 
understand what you're asking. But the user2user stuff is a red herring 
and can be ignored.

More information about the bind-users mailing list