Constrained Delegation error "KDC policy rejects request"

John Byrne jhnbyrn at gmail.com
Wed Feb 6 21:20:49 EST 2019


I figured it out, and it's working for me now.

For anyone else who's having this issue, there are 2 separate things you
have to set up to allow an intermediate service to impersonate a user:

* the ok_to_auth_as_delegate flag (in kadmin)
* an access control list in LDAP.

I wasn't sure if editing LDAP directly was the best thing to do, but I
didn't know of any alternative, so I created an LDIF file like this:

# entry of the intermediate service, as laid out by the MIT kdb_ldap plugin
dn: krbPrincipalName=HTTP/www.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com
changetype: modify
add: krbAllowedToDelegateTo
krbAllowedToDelegateTo: HTTP/datastore.example.com

You might be able to guess your appropriate LDAP DN based on that
format, but I just found it by doing a search with ldapsearch for my top
level entry, dc=example,dc=com.

After adding the above LDIF with ldapmodify, constrained delegation now
works nicely and I can turn it on and off for that intermediate service via
kadmin, using the ok_to_auth_as_delegate flag.

Thanks again to everyone who replied to my other threads on this!

References:
http://kerberos.996246.n3.nabble.com/ACL-for-Constrained-Delegation-td39665.html

-John

On Wed, Feb 6, 2019 at 3:49 PM John Byrne <jhnbyrn at gmail.com> wrote:

> Hi,
>
> I've set up a KDC using LDAP as the backend (krb5 1.15.1 on CentOS 7), and
> I'm trying to perform constrained delegation. However, I'm getting this
> error from the KDC when the intermediate service calls the step() function
> on the security context: "KDC policy rejects request"
>
> Here's the KDC log:
>
> Feb 06 15:39:35 localhost.localdomain krb5kdc[13310](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.0.22: NOT_ALLOWED_TO_DELEGATE: authtime 0,  HTTP/www.example.com@EXAMPLE.COM for HTTP/datastore.example.com@EXAMPLE.COM, KDC policy rejects request
>
> I've set the "ok_to_auth_as_delegate" flag on the intermediate service
> principal HTTP/www.example.com, using kadmin.local (output of getprinc
> below).
>
> Is there something else I need to do to allow this?
>
> Thanks,
> John
>
> PS. here's the output of kadmin.local getprinc command for the
> intermediate service principal:
>
> kadmin.local:  getprinc HTTP/www.example.com
> Principal: HTTP/www.example.com@EXAMPLE.COM
> Expiration date: [never]
> Last password change: Wed Feb 06 14:58:41 EST 2019
> Password expiration date: [never]
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 0 days 00:00:00
> Last modified: Wed Feb 06 15:19:15 EST 2019 (root/admin@EXAMPLE.COM)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 2
> Key: vno 2, aes256-cts-hmac-sha1-96
> Key: vno 2, aes128-cts-hmac-sha1-96
> MKey: vno 1
> Attributes: OK_TO_AUTH_AS_DELEGATE
>

