GSSAPI s4u2proxy with client keytab initiation and Heimdal KDC

Alan Braggins alan.braggins at riverbed.com
Thu Dec 5 07:33:46 EST 2013


I'm trying to use Constrained Delegation in GSS-API, and seem to have 
hit the same "KDC has no support for padata type" problem described here:
https://groups.google.com/forum/#!msg/comp.protocols.kerberos/SrNyMS9Arfo/7sMq5ygMqcEJ

I'm hoping someone has advice on fixing or working around it.

1.10.6 works for me. 1.11.3 doesn't. KRB5_TRACE output is below.

I want to use 1.11, because I want to use client keytab initiation.
(1.10.6 I tested with k5start, and if necessary that's probably
a usable workaround.)

Long term I need to interoperate with Microsoft Active Directory, but
in the short term I'm using Heimdal's KDC because having kadmin
support --constrained-delegation was easier than setting up LDAP to
support Constrained Delegation with MIT kadmin.
(My Heimdal KDC is a standard Ubuntu install, using
heimdal-server 1.6~git20120403+dfsg1-2ubuntu0.13.04.1)

I'm using GSS-API rather than Kerberos directly partly because
http://web.mit.edu/kerberos/krb5-current/doc/appdev/gssapi.html
recommends it, and partly because (at least in the short term)
I want to use it from a Java servlet, and using
https://github.com/cconlon/kerberos-java-gssapi
was easier than writing a wrapper for Kerberos.

I'm using MIT GSS-API because Heimdal doesn't have 
gss_acquire_cred_impersonate_name.

(On the subject of keytab initiation, it feels odd that I'm using
krb5_gss_register_acceptor_identity to point to the same keytab as
KRB5_CLIENT_KTNAME, because s4u2self needs GSS_C_BOTH. Am I missing
something? Is there an API equivalent of 
krb5_gss_register_acceptor_identity, or only the environment variable?)

Here's KRB5_TRACE for the gss_acquire_cred_impersonate_name call:
[8574] 1386246315.742459: Getting credentials abraggins at EXAMPLE.COM -> 
PROXY/abraggins-00.example.com at EXAMPLE.COM using ccache 
FILE:/tmp/krb5cc_1459
[8574] 1386246315.742545: Retrieving abraggins at EXAMPLE.COM -> 
PROXY/abraggins-00.example.com at EXAMPLE.COM from FILE:/tmp/krb5cc_1459 
with result: -1765328243/Matching credential not found
[8574] 1386246315.742573: Getting credentials 
PROXY/abraggins-00.example.com at EXAMPLE.COM -> 
krbtgt/EXAMPLE.COM at EXAMPLE.COM using ccache FILE:/tmp/krb5cc_1459
[8574] 1386246315.742620: Retrieving 
PROXY/abraggins-00.example.com at EXAMPLE.COM -> 
krbtgt/EXAMPLE.COM at EXAMPLE.COM from FILE:/tmp/krb5cc_1459 with result: 
0/Success
[8574] 1386246315.742675: Get cred via TGT 
krbtgt/EXAMPLE.COM at EXAMPLE.COM after requesting 
PROXY/abraggins-00.example.com at EXAMPLE.COM (canonicalize on)
[8574] 1386246315.742708: Generated subkey for TGS request: rc4-hmac/F2BC
[8574] 1386246315.742747: etypes requested in TGS request: aes256-cts, 
aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[8574] 1386246315.742830: Encoding request body and padata into FAST request
[8574] 1386246315.742915: Sending request (1174 bytes) to EXAMPLE.COM
[8574] 1386246315.742961: Resolving hostname abraggins-0a.example.com
[8574] 1386246315.744402: Sending initial UDP request to dgram 
10.62.165.234:88
[8574] 1386246315.747257: Received answer from dgram 10.62.165.234:88
[8574] 1386246315.748145: Response was not from master KDC
[8574] 1386246315.748237: Decoding FAST response
[8574] 1386246315.748299: Got cred; -1765328368/KDC has no support for 
padata type
[8574] 1386246315.748601: Getting credentials abraggins at EXAMPLE.COM -> 
PROXY/abraggins-00.example.com at EXAMPLE.COM using ccache 
FILE:/tmp/krb5cc_1459
[8574] 1386246315.748648: Retrieving abraggins at EXAMPLE.COM -> 
PROXY/abraggins-00.example.com at EXAMPLE.COM from FILE:/tmp/krb5cc_1459 
with result: -1765328243/Matching credential not found
[8574] 1386246315.748662: Getting credentials 
PROXY/abraggins-00.example.com at EXAMPLE.COM -> 
krbtgt/EXAMPLE.COM at EXAMPLE.COM using ccache FILE:/tmp/krb5cc_1459
[8574] 1386246315.748697: Retrieving 
PROXY/abraggins-00.example.com at EXAMPLE.COM -> 
krbtgt/EXAMPLE.COM at EXAMPLE.COM from FILE:/tmp/krb5cc_1459 with result: 
0/Success
[8574] 1386246315.748722: Get cred via TGT 
krbtgt/EXAMPLE.COM at EXAMPLE.COM after requesting 
PROXY/abraggins-00.example.com at EXAMPLE.COM (canonicalize on)
[8574] 1386246315.748743: Generated subkey for TGS request: rc4-hmac/2EC0
[8574] 1386246315.748764: etypes requested in TGS request: aes256-cts, 
aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[8574] 1386246315.748820: Encoding request body and padata into FAST request
[8574] 1386246315.748881: Sending request (1174 bytes) to EXAMPLE.COM
[8574] 1386246315.748911: Resolving hostname abraggins-0a.example.com
[8574] 1386246315.750417: Sending initial UDP request to dgram 
10.62.165.234:88
[8574] 1386246315.752817: Received answer from dgram 10.62.165.234:88
[8574] 1386246315.753968: Response was not from master KDC
[8574] 1386246315.754032: Decoding FAST response
[8574] 1386246315.754072: Got cred; -1765328368/KDC has no support for 
padata type
[8574] 1386246315.754432: Getting credentials abraggins at EXAMPLE.COM -> 
PROXY/abraggins-00.example.com at EXAMPLE.COM using ccache 
FILE:/tmp/krb5cc_1459
[8574] 1386246315.754475: Retrieving abraggins at EXAMPLE.COM -> 
PROXY/abraggins-00.example.com at EXAMPLE.COM from FILE:/tmp/krb5cc_1459 
with result: -1765328243/Matching credential not found
[8574] 1386246315.754490: Getting credentials 
PROXY/abraggins-00.example.com at EXAMPLE.COM -> 
krbtgt/EXAMPLE.COM at EXAMPLE.COM using ccache FILE:/tmp/krb5cc_1459
[8574] 1386246315.754525: Retrieving 
PROXY/abraggins-00.example.com at EXAMPLE.COM -> 
krbtgt/EXAMPLE.COM at EXAMPLE.COM from FILE:/tmp/krb5cc_1459 with result: 
0/Success
[8574] 1386246315.754550: Get cred via TGT 
krbtgt/EXAMPLE.COM at EXAMPLE.COM after requesting 
PROXY/abraggins-00.example.com at EXAMPLE.COM (canonicalize on)
[8574] 1386246315.754568: Generated subkey for TGS request: rc4-hmac/9A5E
[8574] 1386246315.754589: etypes requested in TGS request: aes256-cts, 
aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[8574] 1386246315.754651: Encoding request body and padata into FAST request
[8574] 1386246315.754711: Sending request (1174 bytes) to EXAMPLE.COM
[8574] 1386246315.754734: Resolving hostname abraggins-0a.example.com
[8574] 1386246315.756345: Sending initial UDP request to dgram 
10.62.165.234:88
[8574] 1386246315.758775: Received answer from dgram 10.62.165.234:88
[8574] 1386246315.759869: Response was not from master KDC
[8574] 1386246315.759936: Decoding FAST response
[8574] 1386246315.760105: Got cred; -1765328368/KDC has no support for 
padata type
[8574] 1386246315.761117: Getting credentials abraggins at EXAMPLE.COM -> 
PROXY/abraggins-00.example.com at EXAMPLE.COM using ccache 
FILE:/tmp/krb5cc_1459
[8574] 1386246315.761335: Retrieving abraggins at EXAMPLE.COM -> 
PROXY/abraggins-00.example.com at EXAMPLE.COM from FILE:/tmp/krb5cc_1459 
with result: -1765328243/Matching credential not found
[8574] 1386246315.761396: Getting credentials 
PROXY/abraggins-00.example.com at EXAMPLE.COM -> 
krbtgt/EXAMPLE.COM at EXAMPLE.COM using ccache FILE:/tmp/krb5cc_1459
[8574] 1386246315.761571: Retrieving 
PROXY/abraggins-00.example.com at EXAMPLE.COM -> 
krbtgt/EXAMPLE.COM at EXAMPLE.COM from FILE:/tmp/krb5cc_1459 with result: 
0/Success
[8574] 1386246315.761712: Get cred via TGT 
krbtgt/EXAMPLE.COM at EXAMPLE.COM after requesting 
PROXY/abraggins-00.example.com at EXAMPLE.COM (canonicalize on)
[8574] 1386246315.761820: Generated subkey for TGS request: rc4-hmac/E074
[8574] 1386246315.761938: etypes requested in TGS request: aes256-cts, 
aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[8574] 1386246315.762181: Encoding request body and padata into FAST request
[8574] 1386246315.762465: Sending request (1174 bytes) to EXAMPLE.COM
[8574] 1386246315.762570: Resolving hostname abraggins-0a.example.com
[8574] 1386246315.764055: Sending initial UDP request to dgram 
10.62.165.234:88
[8574] 1386246315.766566: Received answer from dgram 10.62.165.234:88
[8574] 1386246315.767546: Response was not from master KDC
[8574] 1386246315.767616: Decoding FAST response
[8574] 1386246315.767776: Got cred; -1765328368/KDC has no support for 
padata type

And a KDC log:
2013-12-05T12:29:35 KDC started
2013-12-05T12:29:58 Got TGS FAST request
2013-12-05T12:29:58 TGS-REQ PROXY/abraggins-00.example.com at EXAMPLE.COM 
from IPv4:10.62.165.224 for PROXY/abraggins-00.example.com at EXAMPLE.COM 
[canonicalize, proxiable, forwardable]
2013-12-05T12:29:58 TGS-REQ authtime: 2013-12-05T12:25:15 starttime: 
2013-12-05T12:29:58 endtime: 2013-12-06T12:25:15 renew till: unset
2013-12-05T12:29:58 sending 688 bytes to IPv4:10.62.165.224
2013-12-05T12:29:58 Got TGS FAST request
2013-12-05T12:29:58 TGS-REQ PROXY/abraggins-00.example.com at EXAMPLE.COM 
from IPv4:10.62.165.224 for PROXY/abraggins-00.example.com at EXAMPLE.COM 
[canonicalize, proxiable, forwardable]
2013-12-05T12:29:58 TGS-REQ authtime: 2013-12-05T12:25:15 starttime: 
2013-12-05T12:29:58 endtime: 2013-12-06T12:25:15 renew till: unset
2013-12-05T12:29:58 sending 688 bytes to IPv4:10.62.165.224
2013-12-05T12:29:58 Got TGS FAST request
2013-12-05T12:29:58 TGS-REQ PROXY/abraggins-00.example.com at EXAMPLE.COM 
from IPv4:10.62.165.224 for PROXY/abraggins-00.example.com at EXAMPLE.COM 
[canonicalize, proxiable, forwardable]
2013-12-05T12:29:58 TGS-REQ authtime: 2013-12-05T12:25:15 starttime: 
2013-12-05T12:29:58 endtime: 2013-12-06T12:25:15 renew till: unset
2013-12-05T12:29:58 sending 688 bytes to IPv4:10.62.165.224
2013-12-05T12:29:58 Got TGS FAST request
2013-12-05T12:29:58 TGS-REQ PROXY/abraggins-00.example.com at EXAMPLE.COM 
from IPv4:10.62.165.224 for PROXY/abraggins-00.example.com at EXAMPLE.COM 
[canonicalize, proxiable, forwardable]
2013-12-05T12:29:58 TGS-REQ authtime: 2013-12-05T12:25:15 starttime: 
2013-12-05T12:29:58 endtime: 2013-12-06T12:25:15 renew till: unset
2013-12-05T12:29:58 sending 688 bytes to IPv4:10.62.165.224

-- 
Alan Braggins
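As an added diagnostic aid (not part of the original post), here is a small parser for the KRB5_TRACE format shown above: it joins lines the mail archive wrapped, counts TGS requests sent, tallies the result codes after "Got cred;", and maps a com_err value back to the RFC 4120 KRB-ERROR error-code so that -1765328368 reads as KDC_ERR_PADATA_TYPE_NOSUPP (16). The sample trace lines are constructed to match the post's format.

```python
import re
from collections import Counter

# Constructed sample in the KRB5_TRACE format from the post (archive-wrapped line
# included on purpose so the continuation-joining logic is exercised).
SAMPLE_TRACE = """\
[8574] 1386246315.742459: Getting credentials abraggins@EXAMPLE.COM -> 
PROXY/abraggins-00.example.com@EXAMPLE.COM using ccache FILE:/tmp/krb5cc_1459
[8574] 1386246315.742545: Retrieving abraggins@EXAMPLE.COM -> PROXY/abraggins-00.example.com@EXAMPLE.COM from FILE:/tmp/krb5cc_1459 with result: -1765328243/Matching credential not found
[8574] 1386246315.742915: Sending request (1174 bytes) to EXAMPLE.COM
[8574] 1386246315.748299: Got cred; -1765328368/KDC has no support for padata type
"""

EVENT_RE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
RESULT_RE = re.compile(r"(-?\d+)/(.+?)$")

# KRB5KDC_ERR_NONE is the base of the krb5 com_err table; protocol error-code n
# (the KRB-ERROR error-code field, RFC 4120 section 7.5.9) is BASE + n.
KRB5_ERROR_TABLE_BASE = -1765328384
RFC4120_NAMES = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
                 14: "KDC_ERR_ETYPE_NOSUPP", 16: "KDC_ERR_PADATA_TYPE_NOSUPP",
                 24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED"}

def parse_trace(text):
    """Return one dict per trace event; archive-wrapped continuation lines are re-joined."""
    events = []
    for raw in text.splitlines():
        m = EVENT_RE.match(raw)
        if m:
            events.append({"pid": int(m.group(1)), "ts": float(m.group(2)),
                           "msg": m.group(3).rstrip()})
        elif events and raw.strip():
            events[-1]["msg"] += " " + raw.strip()
    return events

def kdc_error_code(com_err):
    """Map a com_err value to its KRB-ERROR error-code, or None for library-local errors."""
    n = com_err - KRB5_ERROR_TABLE_BASE
    return n if 0 <= n < 128 else None

def kdc_error_name(com_err):
    n = kdc_error_code(com_err)
    return None if n is None else RFC4120_NAMES.get(n, "KDC_ERR_%d" % n)

def summarize(events):
    """Count TGS requests sent and tally (code, message) pairs reported after 'Got cred;'."""
    sent = sum(1 for e in events if e["msg"].startswith("Sending request ("))
    results = Counter()
    for e in events:
        if e["msg"].startswith("Got cred;"):
            m = RESULT_RE.search(e["msg"])
            results[(int(m.group(1)), m.group(2))] += 1
    return {"requests_sent": sent, "results": dict(results)}
```

Run over the full trace from the post, the summary shows four requests sent and the same KDC_ERR_PADATA_TYPE_NOSUPP result each time, which is the retry loop the trace displays.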
