Question about TGT forwarding

Benjamin Kaduk kaduk at mit.edu
Thu May 31 18:33:00 EDT 2018


On Thu, May 31, 2018 at 04:50:36PM -0400, Jason Edgecombe wrote:
> Hi everyone,
> 
> We're noticing some odd behaviour on our Windows clients where the Windows
> clients are not forwarding the TGT to our Linux servers. People can login
> to the Linux servers from windows clients, but "klist" shows no tickets
> after login. Linux clients forward the TGT just fine. In case it matters,
> we just moved our Linux home directories from a NAS with Kerberized SMB to
> a Linux NFS server with Kerberized NFS. I've had to disable GSSAPI
> authentication in openssh so that windows users can still get tickets on
> the remote end.

The use of "GSSAPI authentication" seems to imply that a third-party
(i.e., not native Windows) Kerberos implementation is in use.  If
so, which implementation, and which credentials cache type?

> I have a disagreement with our AD guru on whether or not TGTs are expected
> to be forwarded and if that is a security risk. Everything worked fine a
> few weeks ago.

The Windows behavior has changed from release to release; at some
points TGTs in the Windows-native "LSA" cache were retrievable only
for users that were not (local) Administrators.  At this point the
limitation may apply to all users, though; I have lost track.

Regardless, the behavior of the Windows LSA should only be relevant
if the Windows-native credentials are being used.  With a Heimdal or
MIT KfW implementation, an external tool could be used to obtain
tickets outside of the LSA and use those for GSSAPI
authentication+delegation, the same as on Linux.

-Ben
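The thread turns on two separate preconditions for a TGT reaching the remote host over ssh: the ticket in the local cache must carry the forwardable flag, and the ssh client must be configured to delegate it. The following script is an added example, not code from the thread or from the Kerberos project: it parses the output format of MIT `klist -f` (a constructed sample is embedded; Heimdal and the Windows `klist` print a different layout) and reads a constructed `ssh_config` fragment for the `GSSAPIAuthentication` and `GSSAPIDelegateCredentials` options, then reports which precondition is missing. The ssh_config reader deliberately ignores `Host` block matching, so it is a first-pass check, not a full config evaluator.

```python
import re

# Constructed sample of MIT Kerberos `klist -f` output (not taken from the thread).
# Flag letters follow MIT klist: F forwardable, f forwarded, P proxiable,
# R renewable, I initial, A pre-authenticated, O ok-as-delegate, i invalid.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@EXAMPLE.ORG

Valid starting       Expires              Service principal
05/31/2018 16:00:00  06/01/2018 02:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\trenew until 06/07/2018 16:00:00, Flags: FRIA
05/31/2018 16:05:00  06/01/2018 02:00:00  host/login.example.org@EXAMPLE.ORG
\tFlags: FA
"""

# Constructed ssh_config fragment: GSSAPI auth on, but delegation left at its default (no).
SAMPLE_SSH_CONFIG = """Host *.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no   # delegation disabled here
"""


def parse_klist(text):
    """Map each service principal in `klist -f` output to its set of flag letters.

    A ticket line has five whitespace-separated fields (date, time, date, time,
    principal); the flags appear on the indented continuation line that follows.
    """
    tickets = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():  # continuation line: "renew until ..., Flags: FRIA"
            match = re.search(r"Flags:\s*([A-Za-z]+)", line)
            if match and current:
                tickets[current] = set(match.group(1))
            continue
        parts = line.split()
        if len(parts) == 5 and "@" in parts[-1]:
            current = parts[-1]
            tickets.setdefault(current, set())
    return tickets


def tgt_forwardable(text, realm):
    """True/False for the realm's TGT forwardable flag, None if no TGT is cached."""
    flags = parse_klist(text).get(f"krbtgt/{realm}@{realm}")
    if flags is None:
        return None
    return "F" in flags


def ssh_delegation_settings(config_text):
    """Pull the two GSSAPI client options out of an ssh_config fragment.

    OpenSSH defaults both options to "no"; Host-block scoping is ignored here
    (simplifying assumption for the example).
    """
    settings = {"GSSAPIAuthentication": "no", "GSSAPIDelegateCredentials": "no"}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in settings:
            settings[parts[0]] = parts[1].strip().lower()
    return settings


def diagnose(klist_text, ssh_config_text, realm):
    """Return the list of reasons the TGT would not be delegated; empty means all set."""
    problems = []
    forwardable = tgt_forwardable(klist_text, realm)
    if forwardable is None:
        problems.append("no TGT for realm in credentials cache")
    elif not forwardable:
        problems.append("TGT is not forwardable (no F flag); re-obtain it with forwarding allowed")
    settings = ssh_delegation_settings(ssh_config_text)
    if settings["GSSAPIAuthentication"] != "yes":
        problems.append("GSSAPIAuthentication is not 'yes' in ssh_config")
    if settings["GSSAPIDelegateCredentials"] != "yes":
        problems.append("GSSAPIDelegateCredentials is not 'yes' in ssh_config")
    return problems


if __name__ == "__main__":
    for problem in diagnose(SAMPLE_KLIST, SAMPLE_SSH_CONFIG, "EXAMPLE.ORG") or ["delegation preconditions met"]:
        print(problem)
```

On a real client the two inputs would come from `klist -f` and from `ssh -G host` (which prints the effective options after Host matching), and the result tells you whether the missing ticket on the remote side is a cache or a client-configuration issue before anyone touches the AD policy side of the disagreement.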


More information about the Kerberos mailing list