help needed for testing s4u constrained delegation

Santosh Kumar santoshjeergi at gmail.com
Tue Jun 12 12:35:51 EDT 2018


Testing the constrained delegation, to fetch a service ticket on behalf of
a user.

Could anyone please help with where to look for debug logs, and what the
prerequisites are to use this?


I downloaded and compiled on a Linux host, and updated /etc/krb5.conf and
/etc/hosts. Is anything missing?


setup:
Domain1: EXCHSRV2016.COM                       [kcduser - delegate user]
Child Domain1: CHILD1.EXCHSRV2016.COM  [ newuser  - enduser]


[santosh@archjeergi gssapi]$ pwd
/home/santosh/opensource/krb5-1.15.3/src/tests/gssapi
[santosh@archjeergi gssapi]$ ./t_s4u p:newuser@child1.exchsrv2016.com p:http/win2k12r2.exchsrv2016.com ./keytabfile.keytab
gss_acquire_cred: Unspecified GSS failure.  Minor code may provide more information
gss_acquire_cred: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)

/etc/krb5.conf

[libdefaults]
 default_realm = EXCHSRV2016.COM
 forwardable = true

[realms]
 EXCHSRV2016.COM = {
  kdc = ad2k12.exchsrv2016.com:88
  kpasswd_server = 10.209.114.213
  default_domain = exchsrv2016.com
 }

[domain_realm]
 .exchsrv2016.com = EXCHSRV2016.COM
 exchsrv2016.com = EXCHSRV2016.COM


Generated the keytab where the Exchange server is hosted, as below:
[image: image.png]


Thanks much
Santosh
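
A config-side preflight for the setup posted above, as an added example that is not part of the original message or of the krb5 source tree: it parses the posted krb5.conf and works out which realm each principal on the t_s4u command line resolves to. The helper names `parse_conf` and `check_principal` are hypothetical, and the check covers only realm configuration, not the credential cache named in the gss_acquire_cred error.

```python
import re

# krb5.conf as posted in the message above (blank lines dropped).
POSTED_CONF = """\
[libdefaults]
 default_realm = EXCHSRV2016.COM
 forwardable = true
[realms]
 EXCHSRV2016.COM = {
  kdc = ad2k12.exchsrv2016.com:88
  kpasswd_server = 10.209.114.213
  default_domain = exchsrv2016.com
 }
[domain_realm]
 .exchsrv2016.com = EXCHSRV2016.COM
 exchsrv2016.com = EXCHSRV2016.COM
"""

def parse_conf(text):
    """Return (default_realm, set of realms that have a [realms] stanza)."""
    section, default_realm, realms, depth = None, None, set(), 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m and depth == 0:
            section = m.group(1)
        elif line == "}":
            depth -= 1
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default_realm = value
            if section == "realms" and depth == 0:
                realms.add(key)
            if value == "{":
                depth += 1
    return default_realm, realms

def check_principal(name, default_realm, realms):
    """Realm is the text after '@' (the list archive renders '@' as ' at '),
    else default_realm. Escaped '@' in names is not handled here."""
    realm = name.rsplit("@", 1)[1] if "@" in name else (default_realm or "")
    findings = []
    if realm not in realms:
        findings.append(f"no [realms] stanza for {realm!r}")
    if realm != realm.upper():  # MIT krb5 compares realm names case-sensitively
        findings.append(f"realm {realm!r} is not upper case")
    return realm, findings
```

A realm with no [realms] stanza is not an error by itself: MIT krb5 then falls back to DNS SRV lookup to find the KDC. Setting KRB5_TRACE=/dev/stderr on the real t_s4u run shows which realm and KDC the library actually contacted.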


More information about the Kerberos mailing list