Confusion about delegation

Benjamin Kaduk kaduk at mit.edu
Fri Feb 1 23:12:29 EST 2019


On Fri, Feb 01, 2019 at 02:54:39PM -0500, John Byrne wrote:
> Thanks, this helps a lot.
> 
> I think the reason it appeared to be working for me when I used the wrong
> name HTTP/www.example.com is because I incorrectly had that principal in
> the keytab of the other service. And in the second case, where I omitted the
> creds altogether, you are correct, it just authenticated as HTTP/
> www.example.com and not kerbtestjohn.
> 
> So, I have set ok_to_auth_as_delegate in my KDC for the intermediate
> service principal HTTP/www.example.com, but now I'm getting this error on
> the step() call:
> 
> Feb 01 14:47:14 localhost.localdomain krb5kdc[6376](info): TGS_REQ (8
> etypes {18 17 20 19 16 23 25 26}) 192.168.0.22: NOT_ALLOWED_TO_DELEGATE:
> authtime 0,  HTTP/www.example.com at EXAMPLE.COM for HTTP/
> datastore.example.com at EXAMPLE.COM, Plugin does not support the operation
> 
> I couldn't find any info on this, but I did some reading in the source code
> and it looks like the necessary function 'check_allowed_to_delegate' is
> only defined for the ldap plugin. Have I got that right - I have to use
> ldap to get this feature to work with the krb5 server? Or is there another
> way?

The only in-tree module that supports constrained delegation, yes.  (At
least one out-of-tree module also exists, though presumably you would
already know if that was one you wanted.)

-Ben
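Added example (not from this thread and not MIT krb5 code): a small parser that pulls the NOT_ALLOWED_TO_DELEGATE denials out of a krb5kdc log and maps the "Plugin does not support the operation" detail to the cause Ben gives above. The sample line is constructed from the entry John quoted, rejoined onto one line with the list-munged " at " restored to "@".

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the krb5kdc entry quoted in the thread
# (rejoined onto one line; the mailing list's " at " restored to "@").
SAMPLE_LOG = [
    "Feb 01 14:47:14 localhost.localdomain krb5kdc[6376](info): TGS_REQ "
    "(8 etypes {18 17 20 19 16 23 25 26}) 192.168.0.22: NOT_ALLOWED_TO_DELEGATE: "
    "authtime 0,  HTTP/www.example.com@EXAMPLE.COM for "
    "HTTP/datastore.example.com@EXAMPLE.COM, Plugin does not support the operation",
]

# krb5kdc TGS_REQ format: requested etypes, requester address, status word,
# authtime, optional issued etypes, "client for server", optional detail text.
TGS_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): TGS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): authtime \d+,\s*(?:etypes \{[^}]*\},\s*)?"
    r"(?P<client>\S+) for (?P<server>[^,]+)(?:, (?P<detail>.*))?$"
)

@dataclass
class TgsEvent:
    addr: str
    status: str
    client: str
    server: str
    etypes: List[int]      # etypes the requester offered, in order
    detail: Optional[str]  # trailing KDC message, if any

def parse_tgs_line(line: str) -> Optional[TgsEvent]:
    """Parse one krb5kdc TGS_REQ line; return None for anything else."""
    m = TGS_RE.search(line.strip())
    if not m:
        return None
    return TgsEvent(m["addr"], m["status"], m["client"], m["server"].strip(),
                    [int(e) for e in m["etypes"].split()], m["detail"])

def find_delegation_denials(lines) -> List[TgsEvent]:
    """Return the S4U2Proxy (constrained delegation) requests the KDC refused."""
    parsed = (parse_tgs_line(l) for l in lines)
    return [e for e in parsed if e and e.status == "NOT_ALLOWED_TO_DELEGATE"]

def diagnose(event: TgsEvent) -> str:
    """Map a denial to its likely cause, following the explanation in the thread."""
    if event.detail and "Plugin does not support" in event.detail:
        return ("KDB module lacks check_allowed_to_delegate: constrained delegation "
                "needs the LDAP KDB module (or an out-of-tree module that implements it)")
    return (f"KDB refused delegation from {event.client} to {event.server}: "
            "the target is not in the intermediate service's allowed list")
```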
