Kerberos protocol transition with unconstrained delegation (i.e. TGT impersonation)

Carson Gaspar carson at taltos.org
Thu Oct 27 12:13:22 EDT 2022 

Another option is to use PKINIT to get TGTs, with whatever your desired 
AuthZ is on the CA to limit which users can be impersonated. I've 
implemented this for other reasons, but it probably won't get open 
sourced until mid-late next year (and does a bunch of stuff you probably 
won't want/need).

On 10/26/2022 11:34 PM, Jonathan Calmels via Kerberos wrote:
> Hi,
>
> We have a Linux cluster fully kerberized including its own MIT Kerberos KDC which we control.
> Users authenticate to it through a one-way trust with an Active Directory. After being authenticated, users submit their workload with their TGT and the scheduler will forward it to the nodes it allocated (i.e. unconstrained delegation).
> So far everything is working as expected.
>
>
> Now the problem is that we need to support the same workflow from a CI/CD webservice.
> Users authenticate to the CI/CD webservice through SAML and will trigger some kind of job to be scheduled. The scheduler knows the user's principal but doesn't have a TGT associated with it.
>
> Basically, the scheduler needs a way to impersonate users' TGTs to start their workload.
> How does one go about that? given that:
>
>
> - We can't use SPNEGO on the CI/CD webservice or request anything from the user there. It has to be regular SAML and we don't control user interactions.
> - We can't use constrained delegation (aka. S4U) because the scheduler needs the user's TGT not a service ticket. Users are free to use their TGT however they want from the allocated nodes.
>
>
> So far, the only hack we can think of is replicating the AD users into the MIT KDC and writing some kind of GSS service that would issue TGTs for those (given the proper service ticket).
> Something like:
>
>    1.  The scheduler does protocol transition with the AD UPN it got from the CI/CD
>    2.  The scheduler contacts this GSS service with the resulting service ticket
>    3.  The GSS service converts the UPN from the AD realm to its MIT realm counterpart
>    4.  If everything checks out, it sends back a TGT for the user (this might involve some unconventional calls to libkadm5)
>    5.  The scheduler forwards this TGT as usual
>
>
> Is there a cleaner alternative? Ideally, one that doesn't involve replicating users.
>
> If not, is libgssapi and likadm5 the best way to implement it or would something like a plugin module be better suited?
>
> Thanks for any insight
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

More information about the Kerberos mailing list