Windows KDC - Delegation Option

Ben H bhendin at gmail.com
Fri Apr 25 14:10:35 EDT 2014


Sorry to trudge up a thread a couple of months old - but I believe that the
behavior I'm seeing is directly related to this and instead of coming in
grasping at straws, I decided it would be best to use this as context.

I have a heterogeneous environment with a Windows KDC in which both my user
and computer accounts exist.

When I authenticate to Unix_01 with my credentials, I receive my TGT and
host TGS.  From this host I 'ssh [-K] Unix_02' and am presented with a TGT
with flags: FfRA.  Unix_02 is then able to request additional tickets to
NFS_01 (where user home directory is stored via NFS4/Krb).

If I authenticate to Windows_01, I receive similar tickets, however my ssh
(putty) connection does not forward tickets to Unix_02.  This is true even
if I explicitly enable the GSSAPI delegation in Putty.  The only way to get
this to function is to set the "Trust this computer for delegation to any
service" on the Unix_02 computer object in AD and then to request a new
ticket on Windows_01 for host/Unix_02 which will now contain that
ok_as_delegate_flag.

I was baffled by this until I found this thread in my archive and hashed
over the applicable section in 4120.  From what I am reading here it would
appear that this behavior is expected as the Unix systems (MIT) will
forward a ticket regardless of the ok_as_delegate flag.  IOW, Windows
systems require the host to show ok_as_delegate in order to forward a
ticket, whereas Unix systems do not.

Can I have a confirmation that I understand this correctly?

If so, I would like to ask a couple of follow up questions, but I don't
want to waste time if I am still unclear on the root issue.

TIA


On Tue, Feb 11, 2014 at 7:30 AM, Vipul Mehta <vipulmehta.1989 at gmail.com> wrote:

> @Christopher : I know about that option. I don't want to disable delegation
> but I want to know the correct behaviour of MIT Kerberos with the KDC option I
> specified.
>
> @Greg, now it's clear to me.
> Checked the code also. So, if initiator has requested GSS_C_DELEG_FLAG,
> then delegation will always be done and value of "ok-as-delegate" flag in
> service ticket does not matter in that case. Value of "ok-as-delegate" flag
> is important when initiator has not requested GSS_C_DELEG_FLAG but has
> requested GSS_C_DELEG_POLICY_FLAG.
>
> On Tue, Feb 11, 2014 at 2:21 AM, Greg Hudson <ghudson at mit.edu> wrote:
>
> > I believe this option affects the ok-as-delegate ticket flag, which was
> > added in RFC 4120.  Microsoft's Kerberos implementation honors this
> > flag, but Unix implementations do not, as doing so would effectively
> > disable all ticket forwarding in most Unix environments.
> >
> > MIT krb5 and Heimdal did add the GSS_C_DELEG_POLICY_FLAG flag so that
> > applications can choose to delegate tickets only if the ok-as-delegate
> > flag is set on the service ticket.  But it's not clear when a Unix
> > application would want to use that instead of GSS_C_DELEG_FLAG.
> >
>
>
>
> --
> Regards,
> Vipul
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
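The decision rules the thread describes (MIT/Heimdal with GSS_C_DELEG_FLAG always forward; GSS_C_DELEG_POLICY_FLAG and the Windows SSP forward only when the service ticket carries ok-as-delegate) can be checked against a real ticket cache by reading the flag column of `klist -f`. The following is an added example, not code from the thread or from MIT krb5: it parses a constructed sample of MIT `klist -f` output for the host/Unix_02 scenario above and applies those rules. The sample cache contents, principal names and realm are assumptions; the flag letters are MIT klist conventions (`O` = ok-as-delegate, `F` = forwardable), and the Windows branch simply models the behaviour the thread reports, not SSPI internals.

```python
"""Model GSSAPI delegation decisions against the ok-as-delegate ticket flag.

Added example (not part of the mailing-list thread).  Parses the
"Flags:" lines of MIT `klist -f` output and decides, per client type and
per requested GSS delegation flag, whether a TGT would be forwarded.
"""
import re

# MIT klist -f flag letters.
FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hw-auth", "A": "preauth",
    "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}

# Constructed sample of `klist -f` output (assumed realm/hosts): the
# host/unix_01 ticket carries no O flag; host/unix_02 was re-fetched after
# "Trust this computer for delegation to any service" was set in AD.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ben@EXAMPLE.COM

Valid starting       Expires              Service principal
04/25/14 13:01:02  04/25/14 23:01:02  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tFlags: FRIA
04/25/14 13:01:10  04/25/14 23:01:02  host/unix_01.example.com@EXAMPLE.COM
\tFlags: FRA
04/25/14 13:05:44  04/25/14 23:01:02  host/unix_02.example.com@EXAMPLE.COM
\tFlags: FRAO
"""

# One ticket line (start, expiry, service) followed by its Flags: line.
ENTRY_RE = re.compile(
    r"^\S+ \S+[ \t]+\S+ \S+[ \t]+(?P<service>\S+)\n[ \t]*Flags: (?P<flags>[A-Za-z]*)",
    re.MULTILINE,
)


def parse_klist(text):
    """Return {service principal: set of flag letters} from klist -f output."""
    return {m.group("service"): set(m.group("flags"))
            for m in ENTRY_RE.finditer(text)}


def describe(flags):
    """Human-readable names for a set of klist flag letters."""
    return sorted(FLAG_NAMES.get(f, f"unknown({f})") for f in flags)


def will_delegate(service_flags, tgt_flags, client, requested):
    """Would this initiator forward its TGT to the service?

    client:    "mit" (MIT krb5 / Heimdal GSSAPI) or "windows" (Microsoft SSP,
               modelled as honouring ok-as-delegate, as the thread reports).
    requested: "DELEG" (GSS_C_DELEG_FLAG), "DELEG_POLICY"
               (GSS_C_DELEG_POLICY_FLAG) or None (no delegation asked for).
    """
    if requested is None or "F" not in tgt_flags:
        return False                      # nothing to forward / not forwardable
    ok_as_delegate = "O" in service_flags
    if client == "windows":
        return ok_as_delegate             # honours the ticket flag regardless
    if requested == "DELEG":
        return True                       # Unix: flag ignored, always forward
    if requested == "DELEG_POLICY":
        return ok_as_delegate             # Unix: forward only if KDC says ok
    raise ValueError(f"unknown delegation request: {requested!r}")


def delegation_matrix(klist_text):
    """For each service ticket, the forward decision per (client, request)."""
    tickets = parse_klist(klist_text)
    tgt = next(f for p, f in tickets.items() if p.startswith("krbtgt/"))
    cases = [("mit", "DELEG"), ("mit", "DELEG_POLICY"), ("windows", "DELEG")]
    return {svc: {f"{c}/{r}": will_delegate(flags, tgt, c, r) for c, r in cases}
            for svc, flags in tickets.items() if not svc.startswith("krbtgt/")}


if __name__ == "__main__":
    for svc, flags in parse_klist(SAMPLE_KLIST).items():
        print(f"{svc}: {''.join(sorted(flags))} -> {describe(flags)}")
    for svc, row in delegation_matrix(SAMPLE_KLIST).items():
        print(svc, row)
```

Running it against a live cache is `klist -f | python3 -c 'import sys, delegmodel; ...'` or simply `klist -f` and looking for `O` on the `host/` ticket: if it is missing, a PuTTY/SSPI client will not forward even with GSSAPI delegation enabled, while an MIT `ssh -K` client will.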