GSSAPI s4u2proxy with client keytab initiation and Heimdal KDC
ghudson at MIT.EDU
Thu Dec 5 12:29:59 EST 2013
On 12/05/2013 07:33 AM, Alan Braggins wrote:
> I'm trying to use Constrained Delegation in GSS-API, and seem to have
> hit the same "KDC has no support for padata type" problem described here:
> I'm hoping someone has advice on fixing or working around it.
I've figured out what the bug is here (the FAST TGS encoding is
disguising the S4U2Self padata when interpreted by a non-FAST-aware
KDC), and am consulting with the developer of FAST TGS support on how
best to fix it.
I have attached a small patch to disable FAST TGS client support which
you can use as a temporary workaround.
> (On the subject of keytab initiation, it feels odd that I'm using
> krb5_gss_register_acceptor_identity to point to the same keytab as
> KRB5_CLIENT_KTNAME, because s4u2self needs GSS_C_BOTH. Am I missing
> something? Is there an API equivalent of
> krb5_gss_register_acceptor_identity, or only the environment variable?)
gss_acquire_cred_from() will let you specify the client and acceptor
keytab, allowing you to get rid of both
krb5_gss_register_acceptor_identity and the KRB5_CLIENT_KTNAME setting.
> And a followup question on client keytab initiation - it appears that
> if I have no cached credential, then it works. But if I have a cached
> credential that has expired, then gss_acquire_cred is returning me an
> expired credential, not renewing it.
Was the cached credential created with client keytab initiation, or by
hand? I think the refresh machinery only works in the former case,
although we could perhaps make it smarter.
-------------- next part --------------
diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c
index cd56366..1641e8c 100644
@@ -267,8 +267,7 @@ k5_make_tgs_req(krb5_context context,
/* Encode the TGS-REQ. Discard the krb5_data container. */
- ret = krb5int_fast_prep_req(context, fast_state, &req, ap_req_asn1,
- encode_krb5_tgs_req, &tgs_req_asn1);
+ ret = encode_krb5_tgs_req(&req, &tgs_req_asn1);
*req_asn1_out = *tgs_req_asn1;
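Review bot: this hunk bypasses krb5int_fast_prep_req() for every TGS-REQ built by k5_make_tgs_req(), not only the S4U2Self request that trips the "KDC has no support for padata type" error, so a TGS exchange that previously went out FAST-armored is now sent plain; since the patch is offered as a temporary workaround, please say so in the comment above the call (the existing "Encode the TGS-REQ. Discard the krb5_data container." line still describes the new direct encode_krb5_tgs_req() call, but nothing records why FAST was removed). Also check whether fast_state and ap_req_asn1 are still referenced elsewhere in this function after the removed call; if not, they become unused parameters and will warn under -Wunused-parameter.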