Need help with s4u test program and constrained delegation

diptivs@gmail.com
Thu Jun 6 06:21:22 EDT 2013


After adding KRB5CCNAME the error got changed with s4u test program.

*Steps:*
set KRB5CCNAME=C:\Users\testkrb\AppData\Local\Temp\2\srv--2k8r2-3

kinit -k -t C:\Windows\spssrv4.keytab -f HTTP/srv-2k8r2-3.ad1.com

t_s4u p:testkrb@SHIDI02-AD1.COM p:smps/srv-2k8r2-2.ad1.com C:\Windows\spssrv4.keytab

*Error:*

06:52:38 832 DllMain DLL_PROCESS_ATTACH
06:52:38 832 DllMain DLL_THREAD_ATTACH
06:52:38 2360 DllMain DLL_THREAD_ATTACH
Protocol transition tests follow
-----------------------------------

get_plugin_data_sym(authdata_client_0)
init module "mspac", ad_type 128, flags 00000002
init module "constrained-delegation", ad_type 512, flags 00000008
gssint_mecherrmap_map: mapping 2@74749D00=krb5-new to 2: err=0
new map: ((2,2@0032E7C8=krb5-new))
gssint_mecherrmap_map: mapping 0@74749D00=krb5-new to 100001: err=0
new map: ((2,2@0032E7C8=krb5-new), (100001,0@0032E838=krb5-new))
gssint_mecherrmap_map: mapping 0@74749D0C=krb5-old to 100002: err=0
new map: ((2,2@0032E7C8=krb5-new), (100001,0@0032E838=krb5-new), (100002,0@0032E758=krb5-old))
gssint_mecherrmap_map: mapping 0@74749D14=krb5-microsoft to 100003: err=0
new map: ((2,2@0032E7C8=krb5-new), (100001,0@0032E838=krb5-new), (100002,0@0032E758=krb5-old), (100003,0@0032E790=krb5-microsoft))
gssint_mecherrmap_map: mapping 0@74749D20={ 1 3 6 1 5 2 5 } to 100004: err=0
new map: ((2,2@0032E7C8=krb5-new), (100001,0@0032E838=krb5-new), (100002,0@0032E758=krb5-old), (100003,0@0032E790=krb5-microsoft), (100004,0@0032E870={ 1 3 6 1 5 2 5 }))
gssint_mecherrmap_map: found 0@74749D00=krb5-new in map as 100001
gssint_mecherrmap_map: found 0@74749D0C=krb5-old in map as 100002
gssint_mecherrmap_map: found 0@74749D14=krb5-microsoft in map as 100003
gssint_mecherrmap_map: found 0@74749D20={ 1 3 6 1 5 2 5 } in map as 100004
get_plugin_data_sym(service_locator)
06:52:38 2272 DllMain DLL_THREAD_ATTACH
get_plugin_data_sym(service_locator)
06:52:38 2272 DllMain DLL_THREAD_DETACH
gssint_mecherrmap_map: mapping 2529638928@74749D00=krb5-new to 2529638928: err=0
new map: ((2,2@0032E7C8=krb5-new), (100001,0@0032E838=krb5-new), (100002,0@0032E758=krb5-old), (100003,0@0032E790=krb5-microsoft), (100004,0@0032E870={ 1 3 6 1 5 2 5 }), (2529638928,2529638928@0032E8A8=krb5-new))
gss_acquire_cred_impersonate_name: Unspecified GSS failure.  Minor code may provide more information
krb5_gss_get_error_message(2529638928, p=00000000) -> 7460B6B0/KDC has no support for padata type
gss_acquire_cred_impersonate_name: KDC has no support for padata type
06:52:38 832 DllMain DLL_PROCESS_DETACH

Thanks,
Dipti

On Thu, Jun 6, 2013 at 1:16 PM, <diptivs@gmail.com> wrote:

> Hi,
>
> I am trying to test constrained delegation using the s4u test
> [C:\krb5-1.11.2\src\tests\gssapi\t_s4u.c].
>
> All setups are on windows with Active directory as KDC.
>
> *Scenario used:*
>
> Service1: HTTP/srv-2k8r2-3.ad1.com
> Service2: smps/srv-2k8r2-2.ad1.com
>
> Service1 is expected to do a delegated authentication for user
> "testkrb@AD1.COM" for service2.
>
> *Steps used:*
> *On Active Directory:*
>
>    - Created user named spssrv4 for service1
>       - Associated the service1 account (spssrv4) with its principal
>       name (HTTP/srv-2k8r2-3.ad1.com@AD1.COM), and created a *keytab* file
>       using ktpass as: "ktpass -out c:\spssrv4.keytab -princ
>       HTTP/srv-2k8r2-3.ad1.com@AD1.COM -ptype KRB5_NT_PRINCIPAL -mapuser
>       spssrv4 -pass *****"
>       - Marked the service account as "Trusted for Delegation": right
>       click the service account (spssrv4) properties and click the
>       “Delegation” tab.
>    - Created user named pssrv2 for service2
>       - Associated the service2 account (pssrv2) with its principal
>       name (smps/srv-2k8r2-2.ad1.com@AD1.COM), and created a *keytab* file
>       using ktpass as: "ktpass -out c:\pssrv2.keytab -princ
>       smps/srv-2k8r2-2.ad1.com@AD1.COM -ptype KRB5_NT_PRINCIPAL -mapuser
>       pssrv2 -pass *****"
>    - Created user named testkrb as a test user. Added this user to the
>    Domain Admins group.
>
> *On Client Machine:*
> Logged into the machine (srv-2k8r2-3.ad1.com) as user testkrb.
> On the command prompt executed the following commands:
>
>    - kinit -k -t C:\Windows\spssrv4.keytab -f HTTP/srv-2k8r2-3.ad1.com
>    - t_s4u.exe p:testkrb@AD1.COM p:smps/srv-2k8r2-2.ad1.com C:\Windows\spssrv4.keytab
>
> *Errors:*
> Below is the output on using debug build:
>
> 10:58:18 2284 DllMain DLL_PROCESS_ATTACH
> 10:58:19 2284 DllMain DLL_THREAD_ATTACH
> 10:58:19 2772 DllMain DLL_THREAD_ATTACH
> Protocol transition tests follow
> -----------------------------------
>
> get_plugin_data_sym(authdata_client_0)
> init module "mspac", ad_type 128, flags 00000002
> init module "constrained-delegation", ad_type 512, flags 00000008
> gssint_mecherrmap_map: mapping 2@74909D00=krb5-new to 2: err=0
> new map: ((2,2@0079E758=krb5-new))
> gssint_mecherrmap_map: mapping 0@74909D00=krb5-new to 100001: err=0
> new map: ((2,2@0079E758=krb5-new), (100001,0@0079E7C8=krb5-new))
> gssint_mecherrmap_map: mapping 0@74909D0C=krb5-old to 100002: err=0
> new map: ((2,2@0079E758=krb5-new), (100001,0@0079E7C8=krb5-new), (100002,0@0079E6E8=krb5-old))
> gssint_mecherrmap_map: mapping 0@74909D14=krb5-microsoft to 100003: err=0
> new map: ((2,2@0079E758=krb5-new), (100001,0@0079E7C8=krb5-new), (100002,0@0079E6E8=krb5-old), (100003,0@0079E720=krb5-microsoft))
> gssint_mecherrmap_map: mapping 0@74909D20={ 1 3 6 1 5 2 5 } to 100004: err=0
> new map: ((2,2@0079E758=krb5-new), (100001,0@0079E7C8=krb5-new), (100002,0@0079E6E8=krb5-old), (100003,0@0079E720=krb5-microsoft), (100004,0@0079E800={ 1 3 6 1 5 2 5 }))
> gssint_mecherrmap_map: found 0@74909D00=krb5-new in map as 100001
> gssint_mecherrmap_map: found 0@74909D0C=krb5-old in map as 100002
> gssint_mecherrmap_map: found 0@74909D14=krb5-microsoft in map as 100003
> gssint_mecherrmap_map: found 0@74909D20={ 1 3 6 1 5 2 5 } in map as 100004
> 10:58:29 2284   Running on Windows NT using secure mode
> 10:58:29 2284 find_server Looking for server; ccs_request_IfHandle:0x528CA8
> 10:58:29 2284 authenticate_server entry
> 10:58:29 2284   Server authenticated!
> 10:58:29 2284 ccapi_connect is listening ...
> 10:58:29 2232 DllMain DLL_THREAD_ATTACH
> 10:58:29 2284   Server FOUND!
> 10:58:29 2772 ccapi_listen (null)!
> 10:58:29 2428 DllMain DLL_THREAD_ATTACH
> 10:58:29 2284 _cci_ipc_send() got 221 at .\ccapi_ipc.c: 92
> 10:58:29 2284 cci_ipc_send_no_launch() got 221 at .\ccapi_ipc.c: 118
> 10:58:29 2284 ccapi_context_open_ccache() got 221 at .\ccapi_context.c: 408
> 03:46:19 2428 DllMain DLL_THREAD_DETACH
> 03:46:19 2232 DllMain DLL_THREAD_DETACH
> 03:46:19 2284 cci_context_change_time_sync noticed server changed (server_was_running = 0; server_is_running = 1; g_change_time = 0; g_change_time_offset = 1
> 03:46:19 2284 _cci_ipc_send() got 221 at .\ccapi_ipc.c: 92
> 03:46:19 2284 cci_ipc_send_no_launch() got 221 at .\ccapi_ipc.c: 118
> 03:46:19 2284 ccapi_context_open_ccache() got 221 at .\ccapi_context.c: 408
> 03:46:19 2284 _cci_ipc_send() got 221 at .\ccapi_ipc.c: 92
> 03:46:19 2284 cci_ipc_send_no_launch() got 221 at .\ccapi_ipc.c: 118
> 03:46:19 2284 ccapi_context_open_ccache() got 221 at .\ccapi_context.c: 408
> 03:46:19 2284 _cci_ipc_send() got 221 at .\ccapi_ipc.c: 92
> 03:46:19 2284 cci_ipc_send_no_launch() got 221 at .\ccapi_ipc.c: 118
> 03:46:19 2284 ccapi_context_open_ccache() got 221 at .\ccapi_context.c: 408
> krb5_gss_save_error_info(39756044, ctx=0079F0C0)
> krb5_gss_save_error_info(39756044, ctx=0079F0C0) saving: Credential cache is empty
> gss_krb5_save_error_string_nocopy(39756044, Credential cache is empty) p=003B5958 SUCCESS
> 03:46:19 1068 DllMain DLL_THREAD_ATTACH
> 03:46:19 2516 DllMain DLL_THREAD_ATTACH
> gssint_mecherrmap_map: mapping 39756044@74909D00=krb5-new to 39756044: err=0
> new map: ((2,2@0079E758=krb5-new), (100001,0@0079E7C8=krb5-new), (100002,0@0079E6E8=krb5-old), (100003,0@0079E720=krb5-microsoft), (100004,0@0079E800={ 1 3 6 1 5 2 5 }), (39756044,39756044@0079E838=krb5-new))
> gss_acquire_cred_impersonate_name: Unspecified GSS failure.  Minor code may provide more information
> krb5_gss_get_error_message(39756044, p=003B5958) FOUND! -> 003B29F0/Credential cache is empty
> gss_acquire_cred_impersonate_name: Credential cache is empty
> 03:46:19 2284 DllMain DLL_PROCESS_DETACH
>
>
> I am not sure what is going wrong here.
>
> *Actual usage and problem:*
> *Working configuration:*
> In our product setup all is going well if the delegation setup is as below:
>
>    - Mark the service1 account as "*Trusted for Delegation*": right
>    click the service account (spssrv4) properties, click the “Delegation”
>    tab, then select the second option, “Trust this user for delegation
>    to any service (Kerberos only)”.
>
>
> *Not Working configuration:*
> But if this setting is changed to:
>
>    - Mark the service1 account as "*Trusted for Delegation*": right
>    click the service account (spssrv4) properties, click the “Delegation”
>    tab, then select the third option, “Trust this user for delegation
>    to specified service”. Then select the “Use Kerberos only” radio
>    button and add the corresponding service principal name
>    (smps/srv-2k8r2-2.ad1.com@AD1.COM).
>
> *Error:*
> This fails with an error as below:
> "Failed to create delegated GSSAPI token on behalf of
> HTTP/srv-2k8r2-3.ad1.com@AD1.COM for smps@2k8r2-2.AD1.com: Minor
> Status=100008, Major Status=851968, Message=Unknown code FF 168"
>
>
> Any suggestions would be of great help. Thanks.
>
> Thank you
> Regards,
> Dipti
>



-- 
Have a nice day!
Regards,
Dipti
http://in.linkedin.com/in/diptivs
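Added example (not part of Dipti's message, of the product, or of the krb5 t_s4u test): a small C program that decodes the raw status numbers quoted in this thread. GSS major status words follow the RFC 2744 layout (calling error in the top byte, routine error in the next byte, supplementary bits in the low 16 bits), so 851968 is routine error 13, GSS_S_FAILURE, with no calling error. krb5 minor codes are com_err codes: a 24-bit table id spelled with com_err's 6-bit alphabet, then an 8-bit offset; negative codes come out as large unsigned values when printed through an OM_uint32, so 2529638928 is table "krb5" offset 16 (KRB5KDC_ERR_PADATA_TYPE_NOSUPP, "KDC has no support for padata type") and 39756044 is table "k5g" offset 12 (KG_EMPTY_CCACHE, "Credential cache is empty"). The 100001..100004 values in the logs are mechglue error-map aliases rather than com_err codes; feeding 100008 to the same decoder yields "FF 168", exactly the "Unknown code FF 168" in the product's message, which is the output you get from com_err's error_message() on an alias that only gss_display_status() can resolve. Function names (gss_routine_error_name, comerr_split, comerr_is, krb5_minor_name) are mine; the table names and offsets are the standard krb5 ones.

```c
/* Added example: decode GSS major status words and krb5 (com_err) minor codes
 * as they appear in the thread's logs.  Not krb5 library code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Routine-error names indexed by the routine-error byte (RFC 2744 section 3.9.1). */
static const char *const routine_names[] = {
    "GSS_S_COMPLETE", "GSS_S_BAD_MECH", "GSS_S_BAD_NAME", "GSS_S_BAD_NAMETYPE",
    "GSS_S_BAD_BINDINGS", "GSS_S_BAD_STATUS", "GSS_S_BAD_SIG", "GSS_S_NO_CRED",
    "GSS_S_NO_CONTEXT", "GSS_S_DEFECTIVE_TOKEN", "GSS_S_DEFECTIVE_CREDENTIAL",
    "GSS_S_CREDENTIALS_EXPIRED", "GSS_S_CONTEXT_EXPIRED", "GSS_S_FAILURE",
    "GSS_S_BAD_QOP", "GSS_S_UNAUTHORIZED", "GSS_S_UNAVAILABLE",
    "GSS_S_DUPLICATE_ELEMENT", "GSS_S_NAME_NOT_MN",
};

/* Major status layout: calling error << 24 | routine error << 16 | supplementary bits. */
const char *gss_routine_error_name(uint32_t major)
{
    uint32_t r = (major >> 16) & 0xFF;
    if (r >= sizeof routine_names / sizeof routine_names[0])
        return "unknown routine error";
    return routine_names[r];
}
uint32_t gss_calling_error(uint32_t major)      { return (major >> 24) & 0xFF; }
uint32_t gss_supplementary_info(uint32_t major) { return major & 0xFFFF; }

/* Split a com_err code into its table name (up to 4 chars) and 8-bit offset.
 * Negative com_err codes are handled by treating the value as unsigned 32-bit,
 * which is how they show up in the logs (2529638928 == (uint32_t)-1765328368). */
void comerr_split(uint32_t code, char table[5], unsigned *offset)
{
    /* com_err character set: value 1 -> 'A' ... 63 -> '_'; 0 means "no character". */
    static const char alphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";
    uint32_t id = (code >> 8) & 0xFFFFFF;   /* 24-bit table id, four 6-bit chars */
    int n = 0;
    for (int i = 3; i >= 0; i--) {
        unsigned ch = (id >> (6 * i)) & 0x3F;
        if (ch != 0)
            table[n++] = alphabet[ch - 1];
    }
    table[n] = '\0';
    *offset = code & 0xFF;
}

/* True if 'code' belongs to the given table at the given offset. */
int comerr_is(uint32_t code, const char *table, unsigned offset)
{
    char t[5];
    unsigned off;
    comerr_split(code, t, &off);
    return strcmp(t, table) == 0 && off == offset;
}

/* Symbolic names for the two minor codes seen in this thread: krb5_err.et
 * offset 16 and gssapi_err_krb5.et ("k5g") offset 12.  NULL for anything else,
 * including mechglue error-map aliases such as 100008. */
const char *krb5_minor_name(uint32_t code)
{
    if (comerr_is(code, "krb5", 16)) return "KRB5KDC_ERR_PADATA_TYPE_NOSUPP";
    if (comerr_is(code, "k5g", 12))  return "KG_EMPTY_CCACHE";
    return NULL;
}

int main(void)
{
    /* Values taken from the messages above. */
    const uint32_t major = 851968u;
    const uint32_t minors[] = { 2529638928u, 39756044u, 100008u };
    char table[5];
    unsigned off;

    printf("major %lu: calling=%lu routine=%s supplementary=0x%lx\n",
           (unsigned long)major, (unsigned long)gss_calling_error(major),
           gss_routine_error_name(major), (unsigned long)gss_supplementary_info(major));
    for (size_t i = 0; i < sizeof minors / sizeof minors[0]; i++) {
        const char *name = krb5_minor_name(minors[i]);
        comerr_split(minors[i], table, &off);
        printf("minor %lu: table=%s offset=%u%s%s\n", (unsigned long)minors[i],
               table, off, name ? " " : "", name ? name : " (not a com_err code)");
    }
    return 0;
}
```

The practical use on the defending side is triage: a "k5g 12" minor means the initiator never had credentials in the cache named by KRB5CCNAME (check klist before running t_s4u), while "krb5 16" from gss_acquire_cred_impersonate_name means the KDC rejected the S4U2Self pre-authentication data for the service account, which points at the account's delegation settings on the AD side rather than at the client.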

