Confusion about delegation

Benjamin Kaduk kaduk at
Fri Feb 1 23:12:29 EST 2019

On Fri, Feb 01, 2019 at 02:54:39PM -0500, John Byrne wrote:
> Thanks, this helps a lot.
> I think the reason it appeared to be working for me when I used the wrong
> name HTTP/ is because I incorrectly had that principal in
> the keytab of the other service. And in the second case, where I omitted the
> creds altogether, you are correct, it just authenticated as HTTP/
> and not kerbtestjohn.
> So, I have set ok_to_auth_as_delegate in my KDC for the intermediate
> service principal HTTP/, but now I'm getting this error on
> the step() call:
> Feb 01 14:47:14 localhost.localdomain krb5kdc[6376](info): TGS_REQ (8
> etypes {18 17 20 19 16 23 25 26}) NOT_ALLOWED_TO_DELEGATE:
> authtime 0,  HTTP/ at EXAMPLE.COM for HTTP/
> at EXAMPLE.COM, Plugin does not support the operation
> I couldn't find any info on this, but I did some reading in the source code
> and it looks like the necessary function 'check_allowed_to_delegate' is
> only defined for the ldap plugin. Have I got that right - I have to use
> ldap to get this feature to work with the krb5 server? Or is there another
> way?

The only in-tree module that supports constrained delegation, yes.  (At
least one out-of-tree module also exists, though presumably you would
already know if that was one you wanted.)
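As an added example (not code from the thread or from MIT krb5) of what a KDC-side check for this failure can look like: a small Python parser for the krb5kdc TGS_REQ line shape quoted above, which flags NOT_ALLOWED_TO_DELEGATE refusals and attaches the explanation given in this thread. The hostnames, client address and sample log lines are constructed, and the pattern assumes the KDC's own `client@REALM` spelling rather than the list archive's `at` rewriting.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Shape of a krb5kdc TGS_REQ log line, as quoted in the thread:
#   krb5kdc[PID](info): TGS_REQ (N etypes {...}) [ADDR:] STATUS: authtime T,
#       [etypes {...},] CLIENT for SERVER[, DETAIL]
# The address and the reply-etypes group are optional so that both the
# success ("ISSUE") and failure forms match.
TGS_RE = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\(\w+\): TGS_REQ \((?P<netypes>\d+) etypes \{[^}]*\}\)"
    r"(?: (?P<addr>[0-9a-fA-F.:]+):)? (?P<status>[A-Z_]+): authtime (?P<authtime>\d+),"
    r"(?: etypes \{[^}]*\},)?\s+(?P<client>\S+) for (?P<server>\S+)(?:, (?P<detail>.*))?$"
)

# Constructed sample log: one refused S4U2Proxy request from the intermediate
# web service, one ordinary successful TGS_REQ, and one unrelated line.
SAMPLE_LOG = """\
Feb 01 14:47:14 kdc.example.com krb5kdc[6376](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: NOT_ALLOWED_TO_DELEGATE: authtime 0,  HTTP/web.example.com@EXAMPLE.COM for HTTP/backend.example.com@EXAMPLE.COM, Plugin does not support the operation
Feb 01 14:47:15 kdc.example.com krb5kdc[6376](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1549050000, etypes {rep=18 tkt=18 ses=18}, kerbtestjohn@EXAMPLE.COM for HTTP/web.example.com@EXAMPLE.COM
Feb 01 14:47:16 kdc.example.com sshd[1]: Accepted publickey for root
"""


@dataclass
class TgsEvent:
    status: str            # e.g. ISSUE or NOT_ALLOWED_TO_DELEGATE
    client: str            # requesting principal (the delegating service for S4U2Proxy)
    server: str            # target service principal
    addr: Optional[str]    # client address, if the KDC logged one
    detail: Optional[str]  # trailing error text, if any


def parse_tgs_line(line: str) -> Optional[TgsEvent]:
    """Parse one krb5kdc TGS_REQ line; return None for lines of any other shape."""
    m = TGS_RE.search(line)
    if not m:
        return None
    return TgsEvent(m["status"], m["client"], m["server"], m["addr"], m["detail"])


def delegation_denials(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, server, reason) for each request the KDC refused with NOT_ALLOWED_TO_DELEGATE."""
    found = []
    for line in lines:
        ev = parse_tgs_line(line)
        if ev is None or ev.status != "NOT_ALLOWED_TO_DELEGATE":
            continue
        reason = ev.detail or ""
        if "Plugin does not support the operation" in reason:
            # Per the thread: the KDB module has no check_allowed_to_delegate;
            # in-tree, only the LDAP module implements it.
            reason += " [KDB module lacks check_allowed_to_delegate]"
        found.append((ev.client, ev.server, reason))
    return found
```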

