Kerberos protocol transition with unconstrained delegation (i.e. TGT impersonation)
Carson Gaspar
carson at taltos.org
Thu Oct 27 12:13:22 EDT 2022
Another option is to use PKINIT to get TGTs, with whatever your desired
AuthZ is on the CA to limit which users can be impersonated. I've
implemented this for other reasons, but it probably won't get open
sourced until mid-late next year (and does a bunch of stuff you probably
won't want/need).
On 10/26/2022 11:34 PM, Jonathan Calmels via Kerberos wrote:
> Hi,
>
> We have a Linux cluster fully kerberized including its own MIT Kerberos KDC which we control.
> Users authenticate to it through a one-way trust with an Active Directory. After being authenticated, users submit their workload with their TGT and the scheduler will forward it to the nodes it allocated (i.e. unconstrained delegation).
> So far everything is working as expected.
>
>
> Now the problem is that we need to support the same workflow from a CI/CD webservice.
> Users authenticate to the CI/CD webservice through SAML and will trigger some kind of job to be scheduled. The scheduler knows the user's principal but doesn't have a TGT associated with it.
>
> Basically, the scheduler needs a way to impersonate users' TGTs to start their workload.
> How does one go about that? given that:
>
>
> - We can't use SPNEGO on the CI/CD webservice or request anything from the user there. It has to be regular SAML and we don't control user interactions.
> - We can't use constrained delegation (aka. S4U) because the scheduler needs the user's TGT not a service ticket. Users are free to use their TGT however they want from the allocated nodes.
>
>
> So far, the only hack we can think of is replicating the AD users into the MIT KDC and writing some kind of GSS service that would issue TGTs for those (given the proper service ticket).
> Something like:
>
> 1. The scheduler does protocol transition with the AD UPN it got from the CI/CD
> 2. The scheduler contacts this GSS service with the resulting service ticket
> 3. The GSS service converts the UPN from the AD realm to its MIT realm counterpart
> 4. If everything checks out, it sends back a TGT for the user (this might involve some unconventional calls to libkadm5)
> 5. The scheduler forwards this TGT as usual
>
>
> Is there a cleaner alternative? Ideally, one that doesn't involve replicating users.
>
> If not, is libgssapi and likadm5 the best way to implement it or would something like a plugin module be better suited?
>
> Thanks for any insight
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list