[krbdev.mit.edu #2143] Windows mslsa ccache not returning MSgenerated cross realm tickets to gssapi

Douglas E. Engert deengert at anl.gov
Fri Jan 23 10:34:30 EST 2004



Jeffrey Altman via RT wrote:
> 
> This is related to ticket 2139.  Doug has described a problem in which
> the MS tickets made accessible to the MIT krb5 gssapi implementation
> cannot access services via cross realm.  Apparently, the MS tickets do
> not use the same convention for cross realm client identity mapping as
> MIT krb5 does.  The problem is most likely in the default implementation
> of the retrieval function which is depended on by the mslsa ccache
> implementation.
> 
> This needs to be fixed for 1.3.2.

I have gotten further. I don't think the identity mapping or retrieval method
is a problem. I think it is the fwd_tgt.c code.  

By removing "default_tkt_enctypes" and "default_tgs_enctypes" in the krb5.ini, 
gssapi can get forwardable TGTs. I think the problem may be in the fwd_tgt.c 
where it is trying to guess what etype the host can handle. 

In the following 2 examples the TGT to be forwarded is obtained from the
MS AD. The hosts are in the MIT realm. 

This is strange because on one host the host principal in the MIT realm
has only a des-cbc-crc key, and this is what was in the "default_*_enctypes"
and that is what is finally returned in the forwarded TGT. But it
only works if I remove the "default_*_enctypes".
 
On the other host the host principal has both a 3des and a des-cbc-crc key,
yet the forwarded TGT has RC4-HMAC.  The system is running krb5-1.2.8 and
does not understand rc4-hmac! (This system needs to be updated to 1.3.x)

I believe that the fwd_tgt.c code is confused. But there is no
debugging output, and the gssapi silently continues if delegation
fails. It may have been confused because the imported TGT had RC4-HMAC,
which was not in its list of "default_*_enctypes". If I let Leash
get the tickets, it honored the "default_*_enctypes" and gets an initial
TGT with des-cbc-crc.

So I am running without the "default_*_enctypes" for now.




-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
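A small diagnostic for the condition described above (a TGT whose session-key enctype is not in the krb5.ini "default_*_enctypes" list), as an added example that is not part of this thread and not code from MIT krb5 or Leash. It parses a `[libdefaults]` fragment and the `Etype (skey, tkt)` lines that `klist -e` prints, then reports tickets whose session key enctype the configured `default_tgs_enctypes` list excludes. The krb5.ini contents and the klist output are constructed sample data; the alias table covers only the enctype names it lists.

```python
"""Compare ticket enctypes from `klist -e` output against the enctype lists
configured in krb5.ini [libdefaults]. Added example with constructed input;
not part of the krb5-bugs thread and not MIT krb5 code."""
import re

# Known MIT enctype aliases (assumption: only these spellings are normalized).
ALIASES = {
    "arcfour-hmac": "rc4-hmac",
    "arcfour-hmac-md5": "rc4-hmac",
    "des3-hmac-sha1": "des3-cbc-sha1",
    "des3-cbc-sha1-kd": "des3-cbc-sha1",
}

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed krb5.ini fragment resembling the configuration in the mail.
KRB5_INI_RESTRICTED = """
[libdefaults]
    default_realm = MIT.EXAMPLE.ORG
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
"""

# Same fragment with the "default_*_enctypes" lines removed, as Doug did.
KRB5_INI_OPEN = """
[libdefaults]
    default_realm = MIT.EXAMPLE.ORG
"""

# Constructed `klist -e` output: an AD-issued TGT with an rc4-hmac session key
# and a cross-realm TGT for the MIT realm. Principals and times are invented.
KLIST_E_OUTPUT = """Ticket cache: MSLSA:
Default principal: user@AD.EXAMPLE.ORG

Valid starting     Expires            Service principal
01/23/04 09:00:00  01/23/04 19:00:00  krbtgt/AD.EXAMPLE.ORG@AD.EXAMPLE.ORG
\tEtype (skey, tkt): rc4-hmac, rc4-hmac
01/23/04 09:01:00  01/23/04 19:00:00  krbtgt/MIT.EXAMPLE.ORG@AD.EXAMPLE.ORG
\tEtype (skey, tkt): des-cbc-crc, rc4-hmac
"""

TICKET_RE = re.compile(r"^(?:\S+\s+){4}(?P<sprinc>\S+@\S+)$")
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(?P<skey>[\w-]+),\s*(?P<tkt>[\w-]+)")


def canonical(enctype):
    """Map an enctype alias to its canonical MIT name (lower-cased)."""
    name = enctype.strip().lower()
    return ALIASES.get(name, name)


def libdefaults_enctypes(ini_text):
    """Return {option: [enctype, ...]} for the enctype lists set in [libdefaults].
    An empty dict means no restriction is configured."""
    section, found = None, {}
    for raw in ini_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() in ENCTYPE_KEYS:
            found[key.strip()] = [canonical(e) for e in re.split(r"[\s,]+", value.strip()) if e]
    return found


def parse_klist_e(text):
    """Return [{'service', 'skey', 'tkt'}, ...] from `klist -e` output."""
    tickets, current = [], None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = {"service": m.group("sprinc"), "skey": None, "tkt": None}
            tickets.append(current)
            continue
        m = ETYPE_RE.match(line)
        if m and current is not None:
            current["skey"] = canonical(m.group("skey"))
            current["tkt"] = canonical(m.group("tkt"))
    return tickets


def find_mismatches(ini_text, klist_text):
    """Service principals of tickets whose session-key enctype is excluded by
    default_tgs_enctypes; empty when that option is not set."""
    allowed = libdefaults_enctypes(ini_text).get("default_tgs_enctypes")
    if allowed is None:
        return []
    return [t["service"] for t in parse_klist_e(klist_text)
            if t["skey"] is not None and t["skey"] not in set(allowed)]


if __name__ == "__main__":
    for label, ini in (("restricted", KRB5_INI_RESTRICTED), ("open", KRB5_INI_OPEN)):
        print(label, "->", find_mismatches(ini, KLIST_E_OUTPUT))
```

With the restricted configuration the AD-issued TGT is flagged because its rc4-hmac session key is not in `default_tgs_enctypes`; with the lines removed nothing is flagged, matching the behaviour change reported in the mail.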

