Kerberos and "forwarded" TGS-REQ -- help!

Derrick schommer at gmail.com
Wed Aug 25 16:31:05 EDT 2004


Hello, and thanks in advance to anyone that can help me out here.

In my desperation I believe I've read every Krb5 MIT doc, and source
but I cannot put two and two together to get my answer.

My situation is that I am building a client Kerberos authentication
subsystem for an application that will speak "Microsoft CIFS."  I am
speaking to a remote server that is asking for "User to User"
authentication within its CIFS "extended security" blob.  I know I
need a) a service ticket to talk to that server and b) a forwarded
ticket to allow that server to work on behalf of me.  A typical
Windows 2000 client works against this device just fine.  So I know it
can be done :-)

Secondly, I have my service ticket and can talk to all kinds of
servers that do not require "User to User" authentication (just
standard stuff).  I know of two ways to get a forwarded TGS:

krb5_fwd_tgt_creds()  - which I cannot find any documentation on
except a one line comment in the krb5 sources.  Yet the Ethereal trace
yields similar information when compared to a Windows 2000 client
asking for the same stuff.

get_credentials() - using a "KRB5_GC_USER_USER" defined constant. 
This one works too, sometimes, depending on what arguments I pass it
:-)

Which should I really use?  I've had much more luck with the first
one, because the second one expects me to have a cred->second_ticket
assigned to the data structure.  I can put my original service ticket
in there, but I'm not sure that's what I am really supposed to do, and
I haven't found anyone else that has had this same problem.  So I'm
working with the fwd_tgt_creds() option because I do not receive as
many errors from the function call.  :-)

This returns to me a krb5_data * object which I presume is a
forwardable ticket (at least Ethereal seems to show the request going
out and a reply coming back).

Now, I need to somehow get that krb5_data (my forwarded ticket) into
a request that I can put in a CIFS "Session setup."  My instincts say
that krb5_mk_req_extended() should be used to do this, which is the
function call I use to send my standard service ticket to a remote
host (win2000 for example).  However when I attempted this I received
the BADMSG error (probably because the krb_data * returned from the
fwd_tgt_cred() is not formatted as an AP-RESP or something?).

My disconnect is trying to figure out where I should be putting my new
forwardable ticket, and where I should put my original service ticket.

When watching a trace from a Windows 2000 client I seem to see that
the ticket data within the SessionSetup is 2000 bytes rather than
roughly 1000 bytes (which would explain service ticket (1,188 bytes or
so) + forwarded ticket (1088 bytes or so)).  However the bulk of that
data seems to be in the "authenticator data" field of the Ethereal
trace.

Are there any krb5 calls I need to make (or better understand) to merge
my two tickets into one "blob" and generate an AP-REQ to forward off
to my "User to User" CIFS server?

Thanks again for any help you may provide.

DS

