Kerberos Constrained Delegation and Credential Caching

Simo Sorce simo at
Tue Mar 12 18:02:38 EDT 2013

On Tue, 2013-03-12 at 00:23 +0000, Nebergall, Christopher wrote:
> Does anyone have any tips on copying the credentials created from Kerberos constrained delegation to a credentials cache file and back in again?   In the example krb5-1.10.3/src/tests/gssapi/t_s4u.c at near the end of contrainedDelegate function after the gss_init_sec_context tried to copy the delegated_cred_handle to a credentials cache.    I've NEVER seen the a service ticket for the end service make to the cache file so I'm not sure which cred cache I should be using.
> I've tried 1) just using the default cache
> 2) with gss_store_cred with
> memset(&elements_stored, 0, sizeof(elements_stored));
> memset(&cred_usage_stored, 0, sizeof(cred_usage_stored));
> major = gss_store_cred(&minor, delegated_cred_handle, GSS_C_BOTH, GSS_C_NULL_OID, 1, 1, &elements_stored, &cred_usage_stored);
> 3) or with gss_krb5_copy_ccache
> Nothing shows a cached the service ticket.   I'm not even certain which prinicipal I should initialize the ccache with - the impersonator prinicipal, or the user principal name?
> I've also tried various methods of reading the new cache back in and then re-running constrainedDelegate but I often get a "gss_init_sec_context: Matching credential not found"
> My goal is to put this code into mod_auth_kerb with mod_proxy but I'm unclear how to make it not hit the KDC with every request if I can't get a credential's cache saved, and reloaded between requests.

Red Hat has already sent upstream patches to support s4u2proxy
authentication in mod_auth_kerb, you may want to check this thread:

(they are not in the upstream code yet apparently nobody picked them


Simo Sorce * Red Hat, Inc * New York

More information about the Kerberos mailing list