[krbdev.mit.edu #2143] Windows mslsa ccache not returning MS generated cross realm tickets to gssapi

Jeffrey Altman jaltman at columbia.edu
Fri Jan 23 11:12:30 EST 2004


So which krb5_32.dll are you currently running with?

The KfW 2.6 Beta 2?  The one from the morning?  Or the one from the afternoon?

I would like to make sure the one from the morning works.  Then we can try to address the fwd_tgt.c issue.

- Jeff


Douglas E. Engert wrote:

>
>Jeffrey Altman via RT wrote:
>
>>This is related to ticket 2139.  Doug has described a problem in which
>>the MS Tickets made accessible to the MIT krb5 gssapi implementation
>>cannot access services via cross realm.  apparently, the ms tickets do
>>not use the same convention for cross realm client identity mapping as
>>MIT krb5 does.  The problem is most likely in the default implementation
>>of the retrieval function which is depended on by the mslsa ccache
>>implementation.
>>
>>This needs to be fixed for 1.3.2.
>>
>
>I have gotten further. I don't think the identity mapping or retrieval method
>is a problem. I think it is the fwd_tgt.c code.
>
>By removing "default_tkt_enctypes" and "default_tgs_enctypes" in the krb5.ini,
>gssapi can get forwardable TGTs. I think the problem may be in the fwd_tgt.c
>where it is trying to guess what etype the host can handle.
>
>In the following 2 examples the TGT to be forwarded is obtained from the
>MS AD. The hosts are in the MIT realm. 
>
>This is strange because on one host the host principal in the MIT realm
>has only a des-cbc-crc key, and this is what was in the "default_*_enctypes",
>and that is what is finally returned in the forwarded TGT. But it
>only works if I remove the "default_*_enctypes".
> 
>In the other host the host principal has both a 3des and a des-cbc-crc key,
>yet the forward TGT has RC4-HMAC.  The system is running krb5-1.2.8 and
>does not understand rc4-hmac! (This system needs to be updated to 1.3.x)    
>
>I believe that the fwd_tgt.c code is confused. But there is no
>debugging output, and the gssapi silently continues if delegation
>fails. It may have been confused because the imported TGT had RC4-HMAC,
>which was not in its list of "default_*_enctypes". If I let Leash
>get the tickets, it honored the "default_*_enctypes" and gets an initial
>TGT with des-cbc-crc.
>
>So I am running without the "default_*_enctypes" for now.
>
>
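The krb5.ini [libdefaults] state the quoted report describes, as an added illustration that is not part of the original thread; the realm name is an assumption, and the two enctype keys are shown commented out to represent the reported workaround:

```ini
; krb5.ini [libdefaults] (constructed example, not from the report).
[libdefaults]
    default_realm = EXAMPLE.COM    ; assumed realm name

    ; Constrained form from the report: with only des-cbc-crc listed, the
    ; TGT imported from the MS LSA ccache (rc4-hmac session key) is not
    ; described by these lists, the etype guessing in fwd_tgt.c picks
    ; badly, and GSSAPI delegation fails without any diagnostic output.
    ;
    ; Workaround from the report: leave both keys out (here commented)
    ; so the library's built-in enctype list applies and the imported
    ; TGT can be forwarded.
    ; default_tkt_enctypes = des-cbc-crc
    ; default_tgs_enctypes = des-cbc-crc
```

Because delegation failures are silent here, verify the forwarded TGT's enctype on the receiving host (klist -e) rather than trusting the GSSAPI context establishment result alone.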