[krbdev.mit.edu #2735] KfW 2.6.5 fails to copy all the ticket flags for initial TGT from MS login

DEEngert@anl.gov via RT rt-comment at krbdev.mit.edu
Thu Oct 7 17:45:53 EDT 2004


KfW-2.6.5.20040917 on Windows 2000 does not copy all the ticket flags
for the initial TGT. Only the initial flag appears to get copied.

The MS klist shows 4 flags set: Forwardable, Preauth, Initial and Proxiable.
The MIT klist against the krb5cc shows only the initial.

A problem arises when GSSAPI tries to get a delegated credential.
It gets the ticket but does not request a forwardable ticket. So the
ticket when forwarded is not forwardable as expected.

In fwd_tgt.c the forwardable bit is copied, and possibly turned off,
but never on.

    kdcoptions = flags2options(tgt.ticket_flags)|KDC_OPT_FORWARDED;

    if (!forwardable) /* Reset KDC_OPT_FORWARDABLE */
      kdcoptions &= ~(KDC_OPT_FORWARDABLE);


MS klist shows:
C:\>klist tgt

Cached TGT:

ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: b17783
DomainName: ANL.GOV♠
TargetDomainName: ANL.GOV♠
AltTargetDomainName: ANL.GOV♠
TicketFlags: 0x40e00000
KeyExpirationTime: 256/0/29920 0:100:8048
StartTime: 10/7/2004 13:53:56
EndTime: 10/7/2004 23:53:56
RenewUntil: 10/14/2004 13:53:56
TimeSkew: 10/14/2004 13:53:56


MIT klist shows:
C:\Program Files\MIT\Kerberos\bin>klist -f
Ticket cache: API:krb5cc
Default principal: b17783@ANL.GOV

Valid starting     Expires            Service principal
10/07/04 13:53:57  10/07/04 23:53:56  krbtgt/KRB5.ANL.GOV@ANL.GOV
         renew until 10/14/04 13:53:56, Flags: FRA
10/07/04 13:53:56  10/07/04 23:53:56  krbtgt/ANL.GOV@ANL.GOV
         renew until 10/14/04 13:53:56, Flags: I
10/07/04 13:54:54  10/07/04 23:53:56  afs/anl.gov@ANL.GOV
         renew until 10/14/04 13:53:56, Flags: FRA
10/07/04 13:53:57  10/07/04 23:53:56  host/deet22.ctd.anl.gov@KRB5.ANL.GOV
         renew until 10/14/04 13:53:56, Flags: FRA
10/07/04 13:55:25  10/07/04 23:53:56  afs/anl.gov@ANL.GOV
         Flags: A

Using kinit -f or Leash does get a ticket with the flags:

C:\Program Files\MIT\Kerberos\bin>klist -f
Ticket cache: API:krb5cc
Default principal: b17783@ANL.GOV

Valid starting     Expires            Service principal
10/07/04 15:50:00  10/08/04 01:50:00  krbtgt/ANL.GOV@ANL.GOV
         Flags: FIA


-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
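
Added example (not part of the original message and not MIT or KfW code): a small C model that decodes the TicketFlags value from the MS klist output into klist -f style letters and runs the two quoted fwd_tgt.c statements against both the LSA flags and the "Flags: I" copy in the krb5cc. Bit values follow RFC 4120; flags2options() is assumed to keep only the bits that ticket flags and KDC options share, and the names FLG_INITIAL, COMMON_MASK, flag_letters and fwd_kdc_options are made up for this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 4120 bit values (flag bit 0 is the most significant bit). */
#define FLG_INITIAL         0x00400000u
#define KDC_OPT_FORWARDABLE 0x40000000u
#define KDC_OPT_FORWARDED   0x20000000u
/* Assumption: flags2options() keeps forwardable, proxiable, may-postdate, renewable. */
#define COMMON_MASK         0x54800000u

static const struct { uint32_t bit; char letter; } flag_tab[] = {
    {0x40000000u, 'F'}, {0x20000000u, 'f'}, {0x10000000u, 'P'},
    {0x08000000u, 'p'}, {0x04000000u, 'D'}, {0x02000000u, 'd'},
    {0x01000000u, 'i'}, {0x00800000u, 'R'}, {0x00400000u, 'I'},
    {0x00100000u, 'H'}, {0x00200000u, 'A'}, {0x00080000u, 'T'},
    {0x00040000u, 'O'},
};

/* Render ticket flags as klist -f style letters; out needs at least 14 bytes. */
static const char *flag_letters(uint32_t flags, char *out)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof flag_tab / sizeof flag_tab[0]; i++)
        if (flags & flag_tab[i].bit)
            out[n++] = flag_tab[i].letter;
    out[n] = '\0';
    return out;
}

/* Model of the quoted fwd_tgt.c lines: the bit is copied or cleared, never set. */
static uint32_t fwd_kdc_options(uint32_t tgt_flags, int forwardable)
{
    uint32_t kdcoptions = (tgt_flags & COMMON_MASK) | KDC_OPT_FORWARDED;
    if (!forwardable) /* Reset KDC_OPT_FORWARDABLE */
        kdcoptions &= ~KDC_OPT_FORWARDABLE;
    return kdcoptions;
}

int main(void)
{
    char a[16], b[16];
    uint32_t lsa = 0x40e00000u;    /* TicketFlags from the MS klist output */
    uint32_t cached = FLG_INITIAL; /* "Flags: I" as stored in API:krb5cc */
    printf("LSA: %s  krb5cc: %s (%s)\n", flag_letters(lsa, a),
           flag_letters(cached, b), strcmp(a, b) ? "differ" : "match");
    printf("kdcoptions from LSA flags:    0x%08x\n", (unsigned)fwd_kdc_options(lsa, 1));
    printf("kdcoptions from krb5cc flags: 0x%08x\n", (unsigned)fwd_kdc_options(cached, 1));
    return 0;
}
```

With the cached flags reduced to I, the request carries KDC_OPT_FORWARDED but not KDC_OPT_FORWARDABLE even when the caller asks for a forwardable ticket.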
