Question on validating Kerberos Ticket (From one machine to another)

first last swtest9 at
Tue Jun 26 18:00:49 EDT 2007

> first last <swtest9 at> writes:

> > I have a client system, both linux and windows that has a valid ticket
> > (TGT) in its cache.  I take that ASN.1 encoded ticket and move it to
> > another machine which then wants to know if the client machine has an
> > authorized user.  What I want to do is to validate that ticket.  Is
> > there anything that would return authorized, expired, invalid, etc. when
> > I present the ticket to the KDC?

> Er, if you want to authenticate a client to another machine, you need to
> either use GSSAPI or use krb5_mk_req and friends.

> > Or is there any way to take that ASN.1 encoded ticket (client machine)
> > and stick it into the cache (on the other machine) and then use that to
> > perform the TGS exchange (on the other machine)?

> Yes, you authenticate to the other machine and then do ticket forwarding.
> The preferred way to do this is via GSSAPI, using GSSAPI's privilege delegation capability.

Hmmm.  I did try a couple of things with krb5_mk_req_ext and I managed to get it to spit out a buffer, but I am not sure if that is what is needed. It seems like it is doing an AP transaction when I don't have an AP server.

By the way, I am using MIT KRB 5 1.6.1 and Windows LSA functions.

Here is the scenario.  I want to piggyback onto the authentication mechanism in place.  For my purposes, Windows Active Directory. So here is the picture, which assumes an authenticated Windows client:

 Windows Client         Linux Client       Active Directory (KDC)
 --------------         ------------       ----------------------
     |                      |                      |
     |--------------------->|                      |
     | Transfer credentials |                      |
     |                      |                      |
     |                      |--------------------->|
     |                      | Present credentials  |
     |                      |                      |
     |                      |<---------------------|
     |                      |     Valid/Invalid    |

Initially, I defined credentials as the encoded portion of the ticket response (of the krbtgt ticket) which I believe is the TGT.
I tried getting a user to user ticket on the linux side using the encoded ticket and the session key, but since I did not have credentials (krb5_creds) in my cache it failed.

I suppose that I have three solutions:
1. Transfer the service key to linux in order to decode the TGT. If I can decode it and perform some validity checks then the person who gave me this ticket is "okay".  I suppose it would be the service key for krbtgt on AD.
2. Setup a "service" on the KDC and from the linux client use the TGT (from the windows client) to obtain a service ticket. (I think that is what the user to user is, but it had that problem with the missing tickets in the local credentials cache)
3. Learn GSSAPI

Basically, what I need is to just present some form of credentials (encoded ticket/credentials/or some combination) to the KDC asking if the credentials are valid, nothing more.

I appreciate the help given.



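Added example (not code from this thread or from MIT krb5): a toy, offline model of the AP exchange that the reply above points at, i.e. what krb5_mk_req on the client and krb5_rd_req on the service actually do. It shows why shipping the raw encoded ticket to the Linux box proves nothing: the ticket is encrypted under a key the client never holds (the service's keytab key; for a TGT, the krbtgt key, so option 1 would mean giving a client the key that can mint tickets for every principal in the realm), and what authenticates is the ticket plus an authenticator encrypted under the session key, checked locally by the service with its own key together with expiry, clock-skew and replay checks. There is no KDC call that answers "is this ticket valid"; the service is the verifier. Everything here is constructed: principal names, keys, the timestamp, and the stdlib-only encrypt-then-MAC box that stands in for Kerberos EncryptedData (real Kerberos uses ASN.1 and krb5 enctypes).

```python
"""Toy model of the Kerberos AP exchange (the job of krb5_mk_req / krb5_rd_req).

Added example, not code from the krbdev thread or from MIT krb5. Not real
Kerberos: no ASN.1, no krb5 enctypes. "seal"/"unseal" is a stdlib-only
encrypt-then-MAC box (HMAC-SHA256 keystream + HMAC tag) so it runs offline.
Principal names, keys and timestamps are constructed for the demo.
"""
import hashlib
import hmac
import json
import os

SKEW = 300          # acceptable clock skew in seconds (krb5's clockskew default)
NONCE, TAG = 16, 32


class KrbError(Exception):
    """Stand-in for a krb5_error_code coming back from krb5_rd_req."""


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks, i = [], 0
    while sum(len(b) for b in blocks) < n:
        blocks.append(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under key (toy EncryptedData)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(NONCE)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:NONCE], blob[NONCE:-TAG], blob[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise KrbError("decrypt integrity check failed (wrong key or tampered)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


# --- KDC side: what the TGS reply hands the client ----------------------------
def kdc_issue(service_key: bytes, cname: str, sname: str, now: int, life: int = 36000):
    """Return (ticket, session_key). The ticket is opaque to the client: it is
    encrypted under the *service's* key, so neither the client nor anyone who
    copies the client's cache can read or validate it themselves."""
    session_key = os.urandom(32)
    ticket = seal(service_key, {"cname": cname, "sname": sname,
                                "key": session_key.hex(), "endtime": now + life})
    return ticket, session_key


# --- client side: krb5_mk_req -------------------------------------------------
def mk_req(ticket: bytes, session_key: bytes, cname: str, now: int, usec: int) -> dict:
    """AP-REQ = ticket + authenticator. The authenticator proves possession of
    the session key; the ticket alone proves nothing."""
    return {"ticket": ticket,
            "authenticator": seal(session_key, {"cname": cname, "ctime": now, "cusec": usec})}


# --- service side: krb5_rd_req ------------------------------------------------
def rd_req(service_key: bytes, ap_req: dict, now: int, rcache: set) -> str:
    """Validate an AP-REQ with the service's long-term (keytab) key and return
    the authenticated client principal, or raise KrbError."""
    t = unseal(service_key, ap_req["ticket"])                     # needs the service key
    if now > t["endtime"]:
        raise KrbError("KRB_AP_ERR_TKT_EXPIRED")
    a = unseal(bytes.fromhex(t["key"]), ap_req["authenticator"])  # needs the session key
    if a["cname"] != t["cname"]:
        raise KrbError("KRB_AP_ERR_BADMATCH")
    if abs(now - a["ctime"]) > SKEW:
        raise KrbError("KRB_AP_ERR_SKEW")
    replay_id = (t["cname"], t["sname"], a["ctime"], a["cusec"])  # replay cache key
    if replay_id in rcache:
        raise KrbError("KRB_AP_ERR_REPEAT")
    rcache.add(replay_id)
    return t["cname"]


def demo() -> dict:
    """Run the cases a service has to get right; returns the outcome per case."""
    now = 1_182_895_249                     # constructed timestamp (2007-06-26)
    service_key = os.urandom(32)            # what sits in the Linux host's keytab
    ticket, session_key = kdc_issue(service_key, "alice@EXAMPLE.COM",
                                    "host/linux.example.com@EXAMPLE.COM", now)
    rcache, out = set(), {}
    # 1. legitimate client: holds the ticket AND the session key
    req = mk_req(ticket, session_key, "alice@EXAMPLE.COM", now, 1)
    out["legit"] = rd_req(service_key, req, now + 5, rcache)
    # 2. the same AP-REQ captured on the wire and replayed
    try:
        rd_req(service_key, req, now + 6, rcache)
    except KrbError as e:
        out["replay"] = str(e)
    # 3. someone who copied only the ticket from the cache, not the session key
    forged = mk_req(ticket, os.urandom(32), "alice@EXAMPLE.COM", now, 2)
    try:
        rd_req(service_key, forged, now + 7, rcache)
    except KrbError as e:
        out["ticket_only"] = str(e)
    # 4. ticket presented after its endtime
    late = mk_req(ticket, session_key, "alice@EXAMPLE.COM", now + 40_000, 3)
    try:
        rd_req(service_key, late, now + 40_000, rcache)
    except KrbError as e:
        out["expired"] = str(e)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12s} {result}")
```

Case 3 is the poster's scenario: the Linux side can be handed the ticket bytes, but without the session key (which only the Windows client's cache holds) it cannot build an authenticator the service will accept, and without the service key it cannot open the ticket. The real fix is what the reply says: have the Windows client run the AP exchange (krb5_mk_req or GSSAPI) against a service principal whose key is in the Linux host's keytab, and use GSSAPI delegation if the Linux side then needs to act as the user.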