GSSAPI s4u2proxy with client keytab initiation and Heimdal KDC

Greg Hudson ghudson at MIT.EDU
Thu Dec 5 12:29:59 EST 2013

On 12/05/2013 07:33 AM, Alan Braggins wrote:
> I'm trying to use Constrained Delegation in GSS-API, and seem to have 
> hit the same "KDC has no support for padata type" problem described here:
> I'm hoping someone has advice on fixing or working around it.

I've figured out what the bug is here (the FAST TGS encoding is
disguising the S4U2Self padata when interpreted by a non-FAST-aware
KDC), and am consulting with the developer of FAST TGS support on how
best to fix it.

I have attached a small patch to disable FAST TGS client support which
you can use as a temporary workaround.

> (On the subject of keytab initiation, it feels odd that I'm using
> krb5_gss_register_acceptor_identity to point to the same keytab as
> KRB5_CLIENT_KTNAME, because s4u2self needs GSS_C_BOTH. Am I missing
> something? Is there an API equivalent of 
> krb5_gss_register_acceptor_identity, or only the environment variable?)

gss_acquire_cred_from() will let you specify the client and acceptor
keytab, allowing you to get rid of both
krb5_gss_register_acceptor_identity and the KRB5_CLIENT_KTNAME setting.

> And a followup question on client keytab initiation - it appears that
> if I have no cached credential, then it works. But if I have a cached
> credential that has expired, then gss_acquire_cred is returning me an
> expired credential, not renewing it.

Was the cached credential created with client keytab initiation, or by
hand?  I think the refresh machinery only works in the former case,
although we could perhaps make it smarter.
-------------- next part --------------
diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c
index cd56366..1641e8c 100644
--- a/src/lib/krb5/krb/send_tgs.c
+++ b/src/lib/krb5/krb/send_tgs.c
@@ -267,8 +267,7 @@ k5_make_tgs_req(krb5_context context,
     /* Encode the TGS-REQ.  Discard the krb5_data container. */
-    ret = krb5int_fast_prep_req(context, fast_state, &req, ap_req_asn1,
-                                encode_krb5_tgs_req, &tgs_req_asn1);
+    ret = encode_krb5_tgs_req(&req, &tgs_req_asn1);
     if (ret)
         goto cleanup;
     *req_asn1_out = *tgs_req_asn1;
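Review bot: replacing the krb5int_fast_prep_req() call with a bare encode_krb5_tgs_req() disables FAST armoring for every TGS-REQ that k5_make_tgs_req() builds, not just the S4U2Self request this thread is about, and fast_state is now unused in the visible lines. Since the cover note calls this a temporary workaround, a one-line comment above the new call stating that FAST TGS is deliberately disabled here (and why) would keep the hunk from being mistaken for the real fix, which per the cover note should keep the FAST encoding while making the S4U2Self padata visible to a non-FAST-aware KDC.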
