KfW-2.6 beta2 in a mixed realm environment, wrong client principal

Douglas E. Engert deengert at anl.gov
Tue Jan 20 22:49:34 EST 2004

> Jeffrey Altman wrote:
> The new ms2mit uses the "MSLSA:" ccache interface.  It takes the contents of the
> MSLSA: ccache and copies them into the API:krb5cc ccache.  (or whatever name
> the default ccache has)
> Therefore, it does copy all of the tickets.  If Windows 2000 reports the tickets
> incorrectly then they will be placed into the ccache incorrectly. 

I agree. But from the KERB_EXTERNAL_NAME structure, it says the client name
is "relative", which seems strange, as I would expect it to be a full
principal. So some code may be adding the wrong realm to the client username.

> I could modify
> the ms2mit code to restrict the copy to the single TGT. However, direct users
> of the MSLSA ccache will still have the same problem.

That's not clear. It might be that a request to the LSA cache for a client
correct ticket, it may be a problem with reading all tickets, and the
"relative" client name is returned instead.

> So if it can be addressed it should be addressed in the ccache code directly.

Yes, wherever the code to copy all tickets. A trace of the clientname would help.

> Or in the GSSAPI code.

I don't think it is a gssapi problem. It is a problem of the ticket in the cache
being labeled wrong, so when the gssapi looks for a ticket, it's not found.

I have not tried tracing anything yet; I did not look at the source, only ran
the installer.

> One question is why is the GSSAPI code picking up the wrong ticket?

It could be the ticket was added to the cache with the wrong name, so
it is not found. 

> What is the name of the principal with which you login?  

b17783 at ANL.GOV in the windows realm. 

> The windows realm or the mit realm?

The host is in the MIT KRB5.ANL.GOV 

> Jeffrey Altman
> Douglas E. Engert wrote:
> > There may be a bug/misunderstanding in W2K which is carried forward
> > into KfW. It looks like the MS code may be reporting the wrong realm
> > of the client when returning a ticket with KERB_RETRIEVE_TKT_RESPONSE maybe
> > returning the wrong realm.
> >
> > The KERB_EXTERNAL_TICKET structure says:
> > ClientName
> >   KERB_EXTERNAL_NAME structure containing the client name in the
> >   ticket. This name is relative to the current domain.
> >
> > The clue to the problem may be "relative to the current domain"
> > whatever that means.
> >
> >
> > We have two realms, ANL.GOV is a W2K domain, and KRB5.ANL.GOV
> > is using a MIT 1.2.8 KDC.
> >
> > I logon using Windows login to the local workstation that is
> > listed as host/deet22.ctd.anl.gov at KRB5.ANL.GOV
> >
> > This causes a TGT and cross realm TGT to be obtained.
> > But notice below that the principal listed for the cross realm
> > TGT and the host ticket is listed as b17783 at KRB5.ANL.GOV, rather
> > than what is actually in the ticket of b17783 at ANL.GOV
> >
> >
> >
> >  C:\Program Files\MIT\Kerberos\bin>klist -e
> > Ticket cache: API:krb5cc
> > Default principal: b17783 at ANL.GOV
> >
> > Valid starting     Expires            Service principal
> > 01/20/04 16:11:50  01/21/04 02:11:50  krbtgt/KRB5.ANL.GOV at ANL.GOV
> >         for client b17783 at KRB5.ANL.GOV, renew until 01/27/04 16:11:50
> >         Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
> >
> > 01/20/04 16:11:50  01/21/04 02:11:50  krbtgt/ANL.GOV at ANL.GOV
> >         renew until 01/27/04 16:11:50, Etype (skey, tkt): etype 0, ArcFour with HMAC/md5
> > 01/20/04 16:11:57  01/21/04 02:11:50  host/deet22.ctd.anl.gov at KRB5.ANL.GOV
> >         for client b17783 at KRB5.ANL.GOV, renew until 01/27/04 16:11:50
> >         Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
> >
> > The Windows kerbtray.exe lists the client name correctly in the krbtgt/ANL.GOV at ANL.GOV
> > and the krbtgt/KRB5.ANL.GOV at ANL.GOV tickets but not in the
> > host/deet22.ctd.anl.gov at KRB5.ANL.GOV ticket.
> >
> > The KRB5.ANL.GOV KDC logs show the client name correctly in the host ticket as
> > b17783 at ANL.GOV
> >
> > This was not a problem with the older ms2mit, which only copied the single TGT.
> > But KfW appears to copy both TGTs.
> >
> > Some GSSAPI programs when trying to use these tickets fail. If I use Leash and
> > give it the b17783 at ANL.GOV and password, the gssapi applications work.
> >
> > So the interpretation of "relative to the current domain" may need to be looked at closely.
> >
> >
> >


 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
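As an added illustration (not code from this thread, from KfW or from ms2mit), a small Python check that parses a `klist -e` listing like the one quoted above and reports tickets whose recorded client principal differs from the cache's default principal, which is exactly the symptom described for the cross-realm TGT and the host ticket. The sample listing is constructed from the message, with "@" restored where the archive rewrote it as " at ".

```python
import re

# Constructed sample: the klist -e listing quoted in the message, with "@"
# restored where the mailing-list archive rewrote it as " at ".
SAMPLE_KLIST = """\
Ticket cache: API:krb5cc
Default principal: b17783@ANL.GOV

Valid starting     Expires            Service principal
01/20/04 16:11:50  01/21/04 02:11:50  krbtgt/KRB5.ANL.GOV@ANL.GOV
        for client b17783@KRB5.ANL.GOV, renew until 01/27/04 16:11:50
        Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5

01/20/04 16:11:50  01/21/04 02:11:50  krbtgt/ANL.GOV@ANL.GOV
        renew until 01/27/04 16:11:50, Etype (skey, tkt): etype 0, ArcFour with HMAC/md5
01/20/04 16:11:57  01/21/04 02:11:50  host/deet22.ctd.anl.gov@KRB5.ANL.GOV
        for client b17783@KRB5.ANL.GOV, renew until 01/27/04 16:11:50
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
"""

# A ticket line: "<start> <expires> <service principal>" with MIT klist's
# two-digit date/time columns.
ENTRY_RE = re.compile(r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)$")
# MIT klist prints "for client X" only when the ticket's client differs
# from the default principal; without that line the client is the default.
CLIENT_RE = re.compile(r"^\s+for client ([^,\s]+),")

def parse_klist(text):
    """Return (default_principal, [(service, client), ...])."""
    default = None
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        m = re.match(r"Default principal: (\S+)$", line)
        if m:
            default = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(1), default])  # client defaults to the cache's principal
            continue
        m = CLIENT_RE.match(line)
        if m and entries:
            entries[-1][1] = m.group(1)  # override with the explicit client name
    return default, [tuple(e) for e in entries]

def mislabeled_clients(text):
    """Tickets whose recorded client is not the principal the user logged in as.
    In the message these are the cross-realm TGT and the host ticket, both
    labeled b17783@KRB5.ANL.GOV although the KDC issued them to b17783@ANL.GOV."""
    default, entries = parse_klist(text)
    return [(svc, client) for svc, client in entries if client != default]
```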
