[krbdev.mit.edu #6902] S4U impersonated credential KRB5_CC_NOT_FOUND

Arlene Berry via RT rt-comment at krbdev.mit.edu
Fri Apr 15 16:01:32 EDT 2011


When using Active Directory you can set the lifetime for TGTs and service tickets to be different.  It turns out that an impersonated TGT is subject to the service ticket lifetime setting.  Gss_init_sec_context is reporting KRB5_CC_NOT_FOUND in this case.  It turns out that when the in-memory version of the impersonated TGT is created by kg_compose_deleg_cred, its expiration is being set to the expiration of the original TGT used to obtain the impersonated TGT and not to the end time of the impersonated TGT.  When gss_init_sec_context searches for the impersonated TGT in the cache, the search fails because it is matching on the wrong end time.  This fixed it for us:

Index: src/lib/gssapi/krb5/s4u_gss_glue.c
===================================================================
--- src/lib/gssapi/krb5/s4u_gss_glue.c	(revision 24877)
+++ src/lib/gssapi/krb5/s4u_gss_glue.c	(working copy)
@@ -218,7 +218,7 @@
     cred->usage = GSS_C_INITIATE;
     cred->proxy_cred = !!(subject_creds->ticket_flags & TKT_FLG_FORWARDABLE);
 
-    cred->tgt_expire = impersonator_cred->tgt_expire;
+    cred->tgt_expire = subject_creds->times.endtime;
 
     code = kg_init_name(context, subject_creds->client, NULL, NULL, NULL, 0,
                         &cred->name);
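Review bot: the `+` line assigns `subject_creds->times.endtime` to a field named `tgt_expire` with no comment explaining that, for an impersonated credential, the lifetime that matters is the S4U2Self ticket's end time rather than the impersonator's TGT; a one-line comment at the assignment would save the next reader from "correcting" it back to `impersonator_cred->tgt_expire`. No extra NULL check is needed, since `subject_creds` is already dereferenced for `ticket_flags` two lines above. A regression test against a realm where the service ticket lifetime is configured shorter than the TGT lifetime, the case described in the report, would be worth adding so the cache lookup mismatch does not silently reappear.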

Arlene Berry
Software Design Engineer 
Likewise Software, Inc.
T 425.378.7887 x220 F 425.484.6316 E aberry at likewise.com

15395 SE 30th Place, Suite 140
Bellevue, WA 98007 
www.likewise.com