[krbdev.mit.edu #2143] Windows mslsa ccache not returning MSgeneratedcross realm tickets to gssapi

Douglas E. Engert deengert at anl.gov
Fri Jan 23 11:56:50 EST 2004



> Jeffrey Altman wrote:
> 
> So which krb5_32.dll are you currently running with?
> 
> The KfW 2.6 Beta 2?  the one from the morning?  or the one from the afternoon?

The afternoon, I believe. I will install the morning one again just to make sure. 

> 
> I would like to make sure the one from the morning works.   Then we can try to address the fwd_tgt.c issue.

If I upgrade the one host in question to krb5-1.3.x and don't use the "default_*_enctypes"
I believe it works. The KRB5.ANL.GOV KDC is still at 1.2.8. I am willing to update
it, but would like to use 1.3.2 to avoid multiple updates.  

The point being that the release notes for KfW may want to warn against 
using the "default_*_enctypes", and may require krb5-1.3.x on hosts? 

> 
> - Jeff
> 
> Douglas E. Engert wrote:
> 
> >
> > Jeffrey Altman via RT wrote:
> >
> >> This is related to ticket 2139.  Doug has described a problem in which
> >> the MS Tickets made accessible to the MIT krb5 gssapi implementation
> >> cannot access services via cross realm.  apparently, the ms tickets do
> >> not use the same convention for cross realm client identity mapping as
> >> MIT krb5 does.  The problem is most likely in the default implementation
> >> of the retrieval function which is depended on by the mslsa ccache
> >> implementation.
> >>
> >> This needs to be fixed for 1.3.2.
> >>
> >
> > I have gotten further. I don't think the identity mapping or retrieval method
> > is a problem. I think it is the fwd_tgt.c code.
> >
> > By removing "default_tkt_enctypes" and "default_tgs_enctypes" in the krb5.ini,
> > gssapi can get forwardable TGTs. I think the problem may be in the fwd_tgt.c
> > where it is trying to guess what etype the host can handle.
> >
> > In the following 2 examples the TGT to be forwarded is obtained from the
> > MS AD. The hosts are in the MIT realm.
> >
> > This is strange because on one host the host principal in the MIT realm
> > has only a des-cbc-crc key, and this is what was in the "default_*_enctypes"
> > and that is what is finally returned in the forwarded TGT. But it
> > only works if I remove the "default_*_enctypes"
> >
> > In the other host the host principal has both a 3des and a des-cbc-crc key,
> > yet the forward TGT has RC4-HMAC.  The system is running krb5-1.2.8 and
> > does not understand rc4-hmac! (This system needs to be updated to 1.3.x)
> >
> > I believe that the fwd_tgt.c code is confused. But there is no
> > debugging output, and the gssapi silently continues if delegation
> > fails. It may have been confused, because the imported TGT had RC4-HMAC,
> > which was not in its list of "default_*_enctypes". If I let Leash
> > get the tickets, it honored the "default_*_enctypes" and gets an initial
> > TGT with des-cbc-crc.
> >
> > So I am running without the "default_*_enctypes" for now.
> >
> >
> >
> >
> >
> >

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
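An added illustration of the krb5.ini settings this thread is about (not part of the original message or of the KfW distribution). It shows the [libdefaults] section as the thread describes the failing setup, next to the form that was reported to work; KRB5.ANL.GOV is the MIT realm named in the thread, and the single-DES enctype is the one the message says the host principals were keyed with.

```ini
# Added example, not from the original message.
# Two alternative [libdefaults] sections for a Windows krb5.ini; only one
# would appear in a real file.

# --- Setup the thread reports as failing ---
# Pinning both enctype lists to des-cbc-crc means an rc4-hmac TGT imported
# from the MS LSA cache is outside the permitted list, and gssapi delegation
# through fwd_tgt.c fails without any diagnostic.
[libdefaults]
    default_realm = KRB5.ANL.GOV
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc

# --- Setup the thread reports as working ---
# With neither key set, the library falls back to its built-in enctype list,
# which in krb5-1.3.x includes rc4-hmac, so the imported TGT can be forwarded.
# The host receiving the forwarded TGT must itself understand rc4-hmac
# (1.2.8 does not, as noted in the thread).
[libdefaults]
    default_realm = KRB5.ANL.GOV
```

The check a practitioner would make after changing this: confirm the forwarded TGT's enctype with klist on the receiving host, since gssapi itself reports nothing when delegation is dropped.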

