Fwd: S4U2self cross realm?

Weijun Wang weijun.wang at oracle.com
Wed Aug 1 23:15:30 EDT 2012

Re-sent to krbdev.

-------- Original Message --------
Subject: S4U2self cross realm?
Date: Mon, 30 Jul 2012 10:41:38 +0800
From: Weijun Wang <weijun.wang at oracle.com>
To: kerberos at mit.edu
CC: Luke Howard <lukeh at padl.com>

I'm trying S4U2self to impersonate a client in another realm and it does
not work. Here is my environment:

Realm K1: normal principal u1
Realm K2: normal principal u2
           service host/host.k2, with
              allowed_to_delegate_to *
           another service s2

Now, with default realm being K2

    $ kinit -k host/host.k2
    $ t_s4u u2@K2 s2@K2

works fine, but

    $ t_s4u u1@K1 s2@K2
    Protocol transition tests follow

    gss_acquire_cred_impersonate_name: Unspecified GSS failure.  Minor code may provide more information
    gss_acquire_cred_impersonate_name: Server not found in Kerberos database

The log of K2 shows host/host.k2 first trying to get a cross-realm TGT
to K1:

    Jul 30 10:30:25 960x krb5kdc[8117](info): TGS_REQ (4 etypes {18 17 16 23}) ISSUE: authtime 1343615413, etypes {rep=18 tkt=18 ses=18}, host/host.k2@K2 for krbtgt/K1@K2

and in K1's log, it shows

    Jul 30 10:30:25 960x krb5kdc[8114](info): TGS_REQ (4 etypes {18 17 16 23}) UNKNOWN_SERVER: authtime 0,  host/host.k2@K2 for host/host.k2@K1, Server not found in Kerberos database

Both realms have correct [domain_realm] settings, and I have no idea why
the K1 KDC cannot return a referral ticket to K2.
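As an added example (not part of the post and not MIT krb5 code), a small Python parser for krb5kdc TGS_REQ log lines of the shape quoted above. It flags the symptom the post describes from the defender's side: a TGS_REQ from a client in one realm that a KDC of another realm answers with UNKNOWN_SERVER instead of a referral. The regex and the sample lines are constructed from the two log entries in the post, with the mail wrapping undone.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the K2 and K1 KDC lines from the post, one per line.
SAMPLE_LOG = """\
Jul 30 10:30:25 960x krb5kdc[8117](info): TGS_REQ (4 etypes {18 17 16 23}) ISSUE: authtime 1343615413, etypes {rep=18 tkt=18 ses=18}, host/host.k2@K2 for krbtgt/K1@K2
Jul 30 10:30:25 960x krb5kdc[8114](info): TGS_REQ (4 etypes {18 17 16 23}) UNKNOWN_SERVER: authtime 0,  host/host.k2@K2 for host/host.k2@K1, Server not found in Kerberos database
"""

# Pattern derived from the two sample lines; the optional "etypes {...}," group
# is only present on ISSUE lines, the trailing ", message" only on errors.
TGS_RE = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\(info\): TGS_REQ .*?\) "
    r"(?P<status>[A-Z_]+): authtime (?P<authtime>\d+),\s+"
    r"(?:etypes \{[^}]*\},\s+)?"
    r"(?P<client>\S+) for (?P<server>\S+?)(?:,\s*(?P<msg>.*))?$"
)

@dataclass
class TgsEvent:
    pid: int
    status: str
    client: str
    server: str
    message: str

def parse_tgs_line(line: str) -> Optional[TgsEvent]:
    """Parse one krb5kdc TGS_REQ line; return None for anything else."""
    m = TGS_RE.search(line)
    if not m:
        return None
    return TgsEvent(int(m["pid"]), m["status"], m["client"], m["server"], m["msg"] or "")

def realm_of(principal: str) -> str:
    return principal.rsplit("@", 1)[1]

def is_cross_realm_tgt(ev: TgsEvent) -> bool:
    """True when the requested service is krbtgt/<other realm>, i.e. a cross-realm TGT."""
    service, _, realm = ev.server.partition("@")
    return service.startswith("krbtgt/") and service.split("/", 1)[1] != realm

def find_failed_cross_realm(log_text: str) -> List[TgsEvent]:
    """UNKNOWN_SERVER answers to clients from a realm other than the requested server's.
    A healthy KDC would normally answer such a request with a referral."""
    events = [parse_tgs_line(l) for l in log_text.splitlines()]
    return [e for e in events
            if e and e.status == "UNKNOWN_SERVER" and realm_of(e.client) != realm_of(e.server)]

if __name__ == "__main__":
    for ev in find_failed_cross_realm(SAMPLE_LOG):
        print(f"pid {ev.pid}: {ev.client} -> {ev.server}: {ev.message}")
```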
