question about obtaining a proxy ticket from another realm

Peter Djalaliev peter.djalaliev at gmail.com
Thu Jan 22 16:51:46 EST 2009


Hello,

We are trying to make a client in realm R1 get a proxy ticket for a
server in realm R2.  We are using the MIT Kerberos distribution.

Here is how we are trying to do this:
 - obtain a proxiable initial TGT using kinit
 - a client in R1 calls krb5_get_credentials() to follow the realm
chain and get a service ticket for the server in R2.  The function
stores the service ticket, as well as all intermediate credentials in
the credential cache (ccache).
 - the client retrieves from the ccache the TGT for R2's KDC, e.g for
krbtgt/R2 at R1.  This TGT is proxiable.
 - the client uses that TGT to call krb5_get_cred_via_tkt() with
KDC_OPT_PROXY in the KDC request options to request from R2's KDC a
proxy ticket for the server in R2.

Does this sound like a correct way to do it?  I couldn't really find
any documentation about how to do get proxy tickets from another
realm.

The last step listed above fails.  The error message that I get on
R2's KDC is:
TGS_REQ (7 etypes {18 17 16 23  3 2}) 192.168.100.3: CAN'T PROXY TGT:
authtime 1232658130, peterdj at R1 for http/webserver at R2, KDC can't
fulfill requested option

The code that generates the error condition is in validate_tgs_request
() in src/kdc/kdc_util.c:

/* can not proxy ticket granting tickets */
if (isflagset(request->kdc_options, KDC_OPT_PROXY) &&
   (!request->server->data ||
   request->server->data[0].length != KRB5_TGS_NAME_SIZE ||
   memcmp(request->server->data[0].data, KRB5_TGS_NAME,
KRB5_TGS_NAME_SIZE))) {
     *status = "CAN'T PROXY TGT";
     return KDC_ERR_BADOPTION;
}

KRB5_TGS_NAME is #define-d as "krbtgt" and KRB5_TGS_NAME_SIZE is
#define-d as 6.

I'm afraid I don't understand these error checks.  This piece of code
seems to check if KDC_OPT_PROXY is set in the KDC request and if the
first portion of the server principal name is "krbtgt".  If it is not
"krbtgt", the KDC assumes that the client is requesting a proxy TGT
and returns an error.

The server principal for this KDC request is http/webserver at R2.
Shouldn't this be the request for a service ticket for http/
webserver?  Why is the KDC treating this request as a request for a
TGT?

Any help would be appreciated.

Best Regards,
Peter Djalaliev



More information about the Kerberos mailing list