Need help with s4u test program and constrained delegation

diptivs at gmail.com
Thu Jun 6 10:17:53 EDT 2013


With the previous error, my understanding is that it is not able to get
testkrb's authentication data. So I tried as below, with a further error:

Steps:
set KRB5CCNAME=C:\Users\testkrb\AppData\Local\Temp\2\testkrb

kinit testkrb@SHIDI02-AD1.COM

t_s4u --spnego p:testkrb@AD1.COM p:smps/srv-2k8r2-2.-ad1.com C:\Windows\spssrv4.keytab

Error:

10:38:40 2968 DllMain DLL_PROCESS_ATTACH
10:38:40 2968 DllMain DLL_THREAD_ATTACH
10:38:40 2936 DllMain DLL_THREAD_ATTACH
Protocol transition tests follow
-----------------------------------

get_plugin_data_sym(authdata_client_0)
init module "mspac", ad_type 128, flags 00000002
init module "constrained-delegation", ad_type 512, flags 00000008
gssint_mecherrmap_map: mapping 2 at 74669D00=krb5-new to 2: err=0
new map: ((2,2 at 007AEB80=krb5-new))
gssint_mecherrmap_map: mapping 0 at 74669D00=krb5-new to 100001: err=0
new map: ((2,2 at 007AEB80=krb5-new), (100001,0 at 007AEBF0=krb5-new))
gssint_mecherrmap_map: mapping 0 at 74669D0C=krb5-old to 100002: err=0
new map: ((2,2 at 007AEB80=krb5-new), (100001,0 at 007AEBF0=krb5-new),
(100002,0 at 007AE
B10=krb5-old))
gssint_mecherrmap_map: mapping 0 at 74669D14=krb5-microsoft to 100003: err=0
new map: ((2,2 at 007AEB80=krb5-new), (100001,0 at 007AEBF0=krb5-new),
(100002,0 at 007AE
B10=krb5-old), (100003,0 at 007AEB48=krb5-microsoft))
gssint_mecherrmap_map: mapping 0 at 74669D20={ 1 3 6 1 5 2 5 } to 100004: err=0
new map: ((2,2 at 007AEB80=krb5-new), (100001,0 at 007AEBF0=krb5-new),
(100002,0 at 007AE
B10=krb5-old), (100003,0 at 007AEB48=krb5-microsoft), (100004,0 at 003E19D0={ 1 3
6 1
5 2 5 }))
gssint_mecherrmap_map: found 0 at 74669D00=krb5-new in map as 100001
gssint_mecherrmap_map: found 0 at 74669D0C=krb5-old in map as 100002
gssint_mecherrmap_map: found 0 at 74669D14=krb5-microsoft in map as 100003
gssint_mecherrmap_map: found 0 at 74669D20={ 1 3 6 1 5 2 5 } in map as 100004
get_plugin_data_sym(service_locator)
10:39:24 504 DllMain DLL_THREAD_ATTACH
get_plugin_data_sym(service_locator)
10:39:24 504 DllMain DLL_THREAD_DETACH
gssint_mecherrmap_map: mapping 2529638919 at 74669D00=krb5-new to 2529638919: err=0

new map: ((2,2 at 007AEB80=krb5-new), (100001,0 at 007AEBF0=krb5-new),
(100002,0 at 007AE
B10=krb5-old), (100003,0 at 007AEB48=krb5-microsoft), (100004,0 at 003E19D0={ 1 3
6 1
5 2 5 }), (2529638919,2529638919 at 007AEAA0=krb5-new))
get_plugin_data_sym(service_locator)
10:39:37 984 DllMain DLL_THREAD_ATTACH
get_plugin_data_sym(service_locator)
10:39:37 984 DllMain DLL_THREAD_DETACH
gssint_mecherrmap_map: mapping 2529638919 at 74669D0C=krb5-old to 100005: err=0
new map: ((2,2 at 007AEB80=krb5-new), (100001,0 at 007AEBF0=krb5-new),
(100002,0 at 007AE
B10=krb5-old), (100003,0 at 007AEB48=krb5-microsoft), (100004,0 at 003E19D0={ 1 3
6 1
5 2 5 }), (2529638919,2529638919 at 007AEAA0=krb5-new),
(100005,2529638919 at 007AEBB8
=krb5-old))
get_plugin_data_sym(service_locator)
10:39:55 2932 DllMain DLL_THREAD_ATTACH
get_plugin_data_sym(service_locator)
10:39:55 2932 DllMain DLL_THREAD_DETACH
gssint_mecherrmap_map: mapping 2529638919 at 74669D14=krb5-microsoft to 100006: err=0
new map: ((2,2 at 007AEB80=krb5-new), (100001,0 at 007AEBF0=krb5-new),
(100002,0 at 007AE
B10=krb5-old), (100003,0 at 007AEB48=krb5-microsoft), (100004,0 at 003E19D0={ 1 3
6 1
5 2 5 }), (2529638919,2529638919 at 007AEAA0=krb5-new),
(100005,2529638919 at 007AEBB8
=krb5-old), (100006,2529638919 at 003E1C70=krb5-microsoft))
get_plugin_data_sym(service_locator)
10:40:03 360 DllMain DLL_THREAD_ATTACH
get_plugin_data_sym(service_locator)
10:40:03 360 DllMain DLL_THREAD_DETACH
gssint_mecherrmap_map: mapping 2529638919 at 74669D20={ 1 3 6 1 5 2 5 } to 100007: err=0
new map: ((2,2 at 007AEB80=krb5-new), (100001,0 at 007AEBF0=krb5-new),
(100002,0 at 007AE
B10=krb5-old), (100003,0 at 007AEB48=krb5-microsoft), (100004,0 at 003E19D0={ 1 3
6 1
5 2 5 }), (2529638919,2529638919 at 007AEAA0=krb5-new),
(100005,2529638919 at 007AEBB8
=krb5-old), (100006,2529638919 at 003E1C70=krb5-microsoft),
(100007,2529638919 at 003E
1D18={ 1 3 6 1 5 2 5 }))
gssint_mecherrmap_map: mapping 0 at 746695B0=spnego to 100008: err=0
new map: ((2,2 at 007AEB80=krb5-new), (100001,0 at 007AEBF0=krb5-new),
(100002,0 at 007AE
B10=krb5-old), (100003,0 at 007AEB48=krb5-microsoft), (100004,0 at 003E19D0={ 1 3
6 1
5 2 5 }), (2529638919,2529638919 at 007AEAA0=krb5-new),
(100005,2529638919 at 007AEBB8
=krb5-old), (100006,2529638919 at 003E1C70=krb5-microsoft),
(100007,2529638919 at 003E
1D18={ 1 3 6 1 5 2 5 }), (100008,0 at 003E1D50=spnego))
gssint_mecherrmap_map: found 0 at 74669D00=krb5-new in map as 100001
gssint_mecherrmap_map: found 0 at 74669D0C=krb5-old in map as 100002
gssint_mecherrmap_map: found 0 at 74669D14=krb5-microsoft in map as 100003
gssint_mecherrmap_map: found 0 at 74669D20={ 1 3 6 1 5 2 5 } in map as 100004
gss_acquire_cred_impersonate_name: Unspecified GSS failure.  Minor code may provide more information
10:40:57 648 gss_acquire_cred_impersonate_name:
DllMain DLL_THREAD_ATTACH
10:40:57 2968 DllMain DLL_PROCESS_DETACH


Thanks,
Dipti

On Thu, Jun 6, 2013 at 3:51 PM, <diptivs at gmail.com> wrote:

> After adding KRB5CCNAME, the error changed with the s4u test program.
>
> Steps:
> set KRB5CCNAME=C:\Users\testkrb\AppData\Local\Temp\2\srv--2k8r2-3
>
> kinit -k -t C:\Windows\spssrv4.keytab -f HTTP/srv-2k8r2-3.ad1.com
>
> t_s4u p:testkrb@SHIDI02-AD1.COM p:smps/srv-2k8r2-2.ad1.com C:\Windows\spssrv4.keytab
>
> Error:
>
> 06:52:38 832 DllMain DLL_PROCESS_ATTACH
> 06:52:38 832 DllMain DLL_THREAD_ATTACH
> 06:52:38 2360 DllMain DLL_THREAD_ATTACH
> Protocol transition tests follow
> -----------------------------------
>
> get_plugin_data_sym(authdata_client_0)
> init module "mspac", ad_type 128, flags 00000002
> init module "constrained-delegation", ad_type 512, flags 00000008
> gssint_mecherrmap_map: mapping 2 at 74749D00=krb5-new to 2: err=0
> new map: ((2,2 at 0032E7C8=krb5-new))
> gssint_mecherrmap_map: mapping 0 at 74749D00=krb5-new to 100001: err=0
> new map: ((2,2 at 0032E7C8=krb5-new), (100001,0 at 0032E838=krb5-new))
> gssint_mecherrmap_map: mapping 0 at 74749D0C=krb5-old to 100002: err=0
> new map: ((2,2 at 0032E7C8=krb5-new), (100001,0 at 0032E838=krb5-new),
> (100002,0 at 0032E
> 758=krb5-old))
> gssint_mecherrmap_map: mapping 0 at 74749D14=krb5-microsoft to 100003: err=0
> new map: ((2,2 at 0032E7C8=krb5-new), (100001,0 at 0032E838=krb5-new),
> (100002,0 at 0032E
> 758=krb5-old), (100003,0 at 0032E790=krb5-microsoft))
> gssint_mecherrmap_map: mapping 0 at 74749D20={ 1 3 6 1 5 2 5 } to 100004: err=0
> new map: ((2,2 at 0032E7C8=krb5-new), (100001,0 at 0032E838=krb5-new),
> (100002,0 at 0032E
> 758=krb5-old), (100003,0 at 0032E790=krb5-microsoft), (100004,0 at 0032E870={ 1
> 3 6 1
> 5 2 5 }))
> gssint_mecherrmap_map: found 0 at 74749D00=krb5-new in map as 100001
> gssint_mecherrmap_map: found 0 at 74749D0C=krb5-old in map as 100002
> gssint_mecherrmap_map: found 0 at 74749D14=krb5-microsoft in map as 100003
> gssint_mecherrmap_map: found 0 at 74749D20={ 1 3 6 1 5 2 5 } in map as 100004
> get_plugin_data_sym(service_locator)
> 06:52:38 2272 DllMain DLL_THREAD_ATTACH
> get_plugin_data_sym(service_locator)
> 06:52:38 2272 DllMain DLL_THREAD_DETACH
> gssint_mecherrmap_map: mapping 2529638928 at 74749D00=krb5-new to 2529638928: err=0
>
> new map: ((2,2 at 0032E7C8=krb5-new), (100001,0 at 0032E838=krb5-new),
> (100002,0 at 0032E
> 758=krb5-old), (100003,0 at 0032E790=krb5-microsoft), (100004,0 at 0032E870={ 1
> 3 6 1
> 5 2 5 }), (2529638928,2529638928 at 0032E8A8=krb5-new))
> gss_acquire_cred_impersonate_name: Unspecified GSS failure.  Minor code may provide more information
> krb5_gss_get_error_message(2529638928, p=00000000) -> 7460B6B0/KDC has no support for padata type
> gss_acquire_cred_impersonate_name: KDC has no support for padata type
> 06:52:38 832 DllMain DLL_PROCESS_DETACH
> Thanks,
> Dipti
>
> On Thu, Jun 6, 2013 at 1:16 PM, <diptivs at gmail.com> wrote:
>
>> Hi,
>>
>> I am trying to test constrained delegation using the s4u test
>> [C:\krb5-1.11.2\src\tests\gssapi\t_s4u.c].
>>
>> All setups are on Windows with Active Directory as KDC.
>>
>> Scenario used:
>>
>> Service1: HTTP/srv-2k8r2-3.ad1.com
>> Service2: smps/srv-2k8r2-2.ad1.com
>>
>> Service1 is expected to do a delegated authentication for user
>> "testkrb@AD1.COM" to service2.
>>
>> Steps used:
>> On Active Directory:
>>
>>    - Created user named spssrv4 for service1
>>       - Associated the service1 account (spssrv4) with its principal
>>       name (HTTP/srv-2k8r2-3.ad1.com@AD1.COM), and created a keytab file
>>       using ktpass as: "ktpass -out c:\spssrv4.keytab -princ
>>       HTTP/srv-2k8r2-3.ad1.com@AD1.COM -ptype KRB5_NT_PRINCIPAL -mapuser
>>       spssrv4 -pass *****"
>>       - Marked the service account as "Trusted for Delegation". Right
>>       click the service account (spssrv4) properties. Click the “Delegation”
>>       tab as shown in the image below: [image: Inline image 2]
>>    - Created user named pssrv2 for service2
>>       - Associated the service2 account (pssrv2) with its principal
>>       name (smps/srv-2k8r2-2.ad1.com@AD1.COM), and created a keytab file
>>       using ktpass as: "ktpass -out c:\pssrv2.keytab -princ
>>       smps/srv-2k8r2-2.ad1.com@AD1.COM -ptype KRB5_NT_PRINCIPAL -mapuser
>>       pssrv2 -pass *****"
>>    - Created user named testkrb as a test user. Added this user to the
>>    Domain Admins group.
>>
>> On Client Machine:
>> Logged into the machine (srv-2k8r2-3.ad1.com) as user testkrb.
>> On the command prompt executed the following commands:
>>
>>    - kinit -k -t C:\Windows\spssrv4.keytab -f HTTP/srv-2k8r2-3.ad1.com
>>    - t_s4u.exe p:testkrb@AD1.COM p:smps/srv-2k8r2-2.ad1.com C:\Windows\spssrv4.keytab
>>
>> Errors:
>> Below is the output using a debug build:
>>
>> 10:58:18 2284 DllMain DLL_PROCESS_ATTACH
>> 10:58:19 2284 DllMain DLL_THREAD_ATTACH
>> 10:58:19 2772 DllMain DLL_THREAD_ATTACH
>> Protocol transition tests follow
>> -----------------------------------
>>
>> get_plugin_data_sym(authdata_client_0)
>> init module "mspac", ad_type 128, flags 00000002
>> init module "constrained-delegation", ad_type 512, flags 00000008
>> gssint_mecherrmap_map: mapping 2 at 74909D00=krb5-new to 2: err=0
>> new map: ((2,2 at 0079E758=krb5-new))
>> gssint_mecherrmap_map: mapping 0 at 74909D00=krb5-new to 100001: err=0
>> new map: ((2,2 at 0079E758=krb5-new), (100001,0 at 0079E7C8=krb5-new))
>> gssint_mecherrmap_map: mapping 0 at 74909D0C=krb5-old to 100002: err=0
>> new map: ((2,2 at 0079E758=krb5-new), (100001,0 at 0079E7C8=krb5-new),
>> (100002,0 at 0079E6E8=krb5-old))
>> gssint_mecherrmap_map: mapping 0 at 74909D14=krb5-microsoft to 100003: err=0
>> new map: ((2,2 at 0079E758=krb5-new), (100001,0 at 0079E7C8=krb5-new),
>> (100002,0 at 0079E6E8=krb5-old), (100003,0 at 0079E720=krb5-microsoft))
>> gssint_mecherrmap_map: mapping 0 at 74909D20={ 1 3 6 1 5 2 5 } to 100004: err=0
>> new map: ((2,2 at 0079E758=krb5-new), (100001,0 at 0079E7C8=krb5-new),
>> (100002,0 at 0079E6E8=krb5-old), (100003,0 at 0079E720=krb5-microsoft),
>> (100004,0 at 0079E800={ 1 3 6 1 5 2 5 }))
>> gssint_mecherrmap_map: found 0 at 74909D00=krb5-new in map as 100001
>> gssint_mecherrmap_map: found 0 at 74909D0C=krb5-old in map as 100002
>> gssint_mecherrmap_map: found 0 at 74909D14=krb5-microsoft in map as 100003
>> gssint_mecherrmap_map: found 0 at 74909D20={ 1 3 6 1 5 2 5 } in map as 100004
>> 10:58:29 2284   Running on Windows NT using secure mode
>> 10:58:29 2284 find_server Looking for server;
>> ccs_request_IfHandle:0x528CA8
>> 10:58:29 2284 authenticate_server entry
>> 10:58:29 2284   Server authenticated!
>> 10:58:29 2284 ccapi_connect is listening ...
>> 10:58:29 2232 DllMain DLL_THREAD_ATTACH
>> 10:58:29 2284   Server FOUND!
>> 10:58:29 2772 ccapi_listen (null)!
>> 10:58:29 2428 DllMain DLL_THREAD_ATTACH
>> 10:58:29 2284 _cci_ipc_send() got 221 at .\ccapi_ipc.c: 92
>> 10:58:29 2284 cci_ipc_send_no_launch() got 221 at .\ccapi_ipc.c: 118
>> 10:58:29 2284 ccapi_context_open_ccache() got 221 at .\ccapi_context.c: 408
>> 03:46:19 2428 DllMain DLL_THREAD_DETACH
>> 03:46:19 2232 DllMain DLL_THREAD_DETACH
>> 03:46:19 2284 cci_context_change_time_sync noticed server changed (server_was_running = 0; server_is_running = 1; g_change_time = 0; g_change_time_offset = 1
>> 03:46:19 2284 _cci_ipc_send() got 221 at .\ccapi_ipc.c: 92
>> 03:46:19 2284 cci_ipc_send_no_launch() got 221 at .\ccapi_ipc.c: 118
>> 03:46:19 2284 ccapi_context_open_ccache() got 221 at .\ccapi_context.c: 408
>> 03:46:19 2284 _cci_ipc_send() got 221 at .\ccapi_ipc.c: 92
>> 03:46:19 2284 cci_ipc_send_no_launch() got 221 at .\ccapi_ipc.c: 118
>> 03:46:19 2284 ccapi_context_open_ccache() got 221 at .\ccapi_context.c: 408
>> 03:46:19 2284 _cci_ipc_send() got 221 at .\ccapi_ipc.c: 92
>> 03:46:19 2284 cci_ipc_send_no_launch() got 221 at .\ccapi_ipc.c: 118
>> 03:46:19 2284 ccapi_context_open_ccache() got 221 at .\ccapi_context.c: 408
>> krb5_gss_save_error_info(39756044, ctx=0079F0C0)
>> krb5_gss_save_error_info(39756044, ctx=0079F0C0) saving: Credential cache is empty
>> gss_krb5_save_error_string_nocopy(39756044, Credential cache is empty) p=003B5958 SUCCESS
>> 03:46:19 1068 DllMain DLL_THREAD_ATTACH
>> 03:46:19 2516 DllMain DLL_THREAD_ATTACH
>> gssint_mecherrmap_map: mapping 39756044 at 74909D00=krb5-new to 39756044: err=0
>> new map: ((2,2 at 0079E758=krb5-new), (100001,0 at 0079E7C8=krb5-new),
>> (100002,0 at 0079E6E8=krb5-old), (100003,0 at 0079E720=krb5-microsoft),
>> (100004,0 at 0079E800={ 1 3 6 1 5 2 5 }), (39756044,39756044 at 0079E838=krb5-new))
>> gss_acquire_cred_impersonate_name: Unspecified GSS failure.  Minor code may provide more information
>> krb5_gss_get_error_message(39756044, p=003B5958) FOUND! -> 003B29F0/Credential cache is empty
>> gss_acquire_cred_impersonate_name: Credential cache is empty
>> 03:46:19 2284 DllMain DLL_PROCESS_DETACH
>>
>>
>> I am not sure what is going wrong here.
>>
>> Actual usage and problem:
>> Working configuration:
>> In our product setup all is going well if the delegation setup is as
>> below:
>>
>>    - Mark the service1 account as "Trusted for Delegation". Right
>>    click the service account (spssrv4) properties. Click the
>>    “Delegation” tab. Further select the second option, ”Trust this user
>>    for delegation to any service (Kerberos only)”.
>>
>> Not Working configuration:
>> But if this setting is changed to:
>>
>>    - Mark the service1 account as "Trusted for Delegation". Right
>>    click the service account (spssrv4) properties. Click the
>>    “Delegation” tab. Further select the third option, “Trust this
>>    user for delegation to specified service”. Then select the “Use Kerberos
>>    only” radio button and add the corresponding service principal name
>>    (smps/srv-2k8r2-2.ad1.com@AD1.COM).
>>
>> Error:
>> This fails with an error as below:
>> "Failed to create delegated GSSAPI token on behalf of
>> HTTP/srv-2k8r2-3.ad1.com@AD1.COM for smps@2k8r2-2.AD1.com: Minor
>> Status=100008, Major Status=851968, Message=Unknown code FF 168"
>>
>>
>> Any suggestions would be of great help. Thanks.
>>
>> Thank you,
>> Regards,
>> Dipti
>>
>
>
>
>
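Added example for this thread (not code from krb5 and not from the poster): a small Python decoder for the three kinds of numbers these mails quote. It splits a GSS major status into its calling/routine/supplementary fields (RFC 2744 bit layout), splits a minor code into its com_err table name and offset the way error_message() does, and parses the mechglue "gssint_mecherrmap_map" debug lines to recover which (mechanism, mechanism-minor) pair a mechglue-synthesized minor such as 100008 stands for. The sample debug lines are constructed from the first mail's output with the console wrapping removed; the error-table excerpt (krb5 offsets 6, 7 and 16, k5g offset 12) is assumed from MIT krb5's krb5_err.et and gssapi_err_krb5.et and covers only the codes that appear in this thread.

```python
"""Decode status codes quoted in MIT krb5 GSSAPI debug output (added example)."""
import re

# com_err packs a table name into bits 8 and up as 6-bit characters (index + 1);
# the low 8 bits are the offset within that table.
_COM_ERR_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

# RFC 2744 major status: calling error bits 24-31, routine error bits 16-23,
# supplementary info bits 0-15.
_CALLING_ERRORS = {1: "GSS_S_CALL_INACCESSIBLE_READ",
                   2: "GSS_S_CALL_INACCESSIBLE_WRITE", 3: "GSS_S_CALL_BAD_STRUCTURE"}
_ROUTINE_ERRORS = {
    0: "GSS_S_COMPLETE", 1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME",
    3: "GSS_S_BAD_NAMETYPE", 4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS",
    6: "GSS_S_BAD_MIC", 7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT",
    9: "GSS_S_DEFECTIVE_TOKEN", 10: "GSS_S_DEFECTIVE_CREDENTIAL",
    11: "GSS_S_CREDENTIALS_EXPIRED", 12: "GSS_S_CONTEXT_EXPIRED",
    13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP", 15: "GSS_S_UNAUTHORIZED",
    16: "GSS_S_UNAVAILABLE", 17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
_SUPPLEMENTARY = {1: "GSS_S_CONTINUE_NEEDED", 2: "GSS_S_DUPLICATE_TOKEN",
                  4: "GSS_S_OLD_TOKEN", 8: "GSS_S_UNSEQ_TOKEN", 16: "GSS_S_GAP_TOKEN"}

# Assumed excerpt of MIT krb5's error tables (krb5_err.et, gssapi_err_krb5.et):
# only the entries needed for the codes quoted in this thread.
_KNOWN_MINORS = {
    ("krb5", 6): "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: Client not found in Kerberos database",
    ("krb5", 7): "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: Server not found in Kerberos database",
    ("krb5", 16): "KRB5KDC_ERR_PADATA_TYPE_NOSUPP: KDC has no support for padata type",
    ("k5g", 12): "KG_EMPTY_CCACHE: Credential cache is empty",
}


def decode_major(status):
    """Split a GSS major status into its named RFC 2744 fields."""
    status &= 0xFFFFFFFF
    calling, routine, supp = (status >> 24) & 0xFF, (status >> 16) & 0xFF, status & 0xFFFF
    return {
        "calling": _CALLING_ERRORS.get(calling, "none" if calling == 0 else "unknown(%d)" % calling),
        "routine": _ROUTINE_ERRORS.get(routine, "unknown(%d)" % routine),
        "supplementary": [name for bit, name in _SUPPLEMENTARY.items() if supp & bit],
    }


def com_err_split(code):
    """Return (table_name, offset) for a com_err code, as error_table_name() does."""
    code &= 0xFFFFFFFF
    table_id, name = code >> 8, ""
    for shift in (18, 12, 6, 0):
        c = (table_id >> shift) & 0x3F
        if c:  # zero groups are skipped, so short names decode cleanly
            name += _COM_ERR_CHARS[c - 1]
    return name, code & 0xFF


def com_err_message(code):
    """Mimic error_message(): known text, else com_err's 'Unknown code <table> <offset>'."""
    name, offset = com_err_split(code)
    return _KNOWN_MINORS.get((name, offset), "Unknown code %s %d" % (name, offset))


# mechglue debug line: "mapping <mech minor>@<oid addr>=<mech label> to <mapped minor>: err=0".
# The list archive rewrote "@" as " at ", so both spellings are accepted.
_MAP_RE = re.compile(
    r"gssint_mecherrmap_map: mapping (\d+)(?: at |@)[0-9A-Fa-f]+=(.+?) to (\d+): err=0")
_STATUS_RE = re.compile(r"Minor Status=(\d+), Major Status=(\d+)")


def parse_mecherrmap(debug_text):
    """Return {mapped_minor: (mech_label, mech_minor)} from mechglue debug output."""
    mapping = {}
    for m in _MAP_RE.finditer(debug_text):
        mapping[int(m.group(3))] = (m.group(2).strip(), int(m.group(1)))
    return mapping


def explain_minor(minor, errmap):
    """Resolve a minor status the way gss_display_status() must: undo the mechglue mapping first."""
    if minor not in errmap:
        return com_err_message(minor)
    mech, mech_minor = errmap[minor]
    if mech_minor == 0:
        return ("mapped from %s minor 0 (no mechanism error behind it); "
                "error_message() on the mapped value gives %r" % (mech, com_err_message(minor)))
    return "mapped from %s minor %d: %s" % (mech, mech_minor, com_err_message(mech_minor))


def decode_status_line(line, errmap):
    """Decode a 'Minor Status=..., Major Status=...' message such as the product's."""
    m = _STATUS_RE.search(line)
    if m is None:
        return None
    return {"major": decode_major(int(m.group(2))),
            "minor": explain_minor(int(m.group(1)), errmap)}


# Constructed sample: mechglue lines from the first mail, console wrapping removed.
SAMPLE_DEBUG = """\
gssint_mecherrmap_map: mapping 0 at 74669D00=krb5-new to 100001: err=0
gssint_mecherrmap_map: mapping 0 at 74669D20={ 1 3 6 1 5 2 5 } to 100004: err=0
gssint_mecherrmap_map: mapping 2529638919 at 74669D00=krb5-new to 2529638919: err=0
gssint_mecherrmap_map: mapping 2529638919 at 74669D0C=krb5-old to 100005: err=0
gssint_mecherrmap_map: mapping 0 at 746695B0=spnego to 100008: err=0
"""

if __name__ == "__main__":
    errmap = parse_mecherrmap(SAMPLE_DEBUG)
    print(decode_status_line("Minor Status=100008, Major Status=851968", errmap))
    for code in (2529638919, 2529638928, 39756044):
        print(code, com_err_split(code), com_err_message(code))
```

Run against the product message quoted in the original mail, Major Status=851968 decodes to routine error GSS_S_FAILURE (the code behind the generic "Unspecified GSS failure" text), and minor 100008 is the mechglue entry for (spnego, minor 0): there is no mechanism-level error behind it, and handing 100008 to error_message() produces exactly "Unknown code FF 168". The krb5 minors in the two t_s4u runs decode to KRB5KDC_ERR_PADATA_TYPE_NOSUPP (2529638928, matching the "KDC has no support for padata type" text in the log) and KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (2529638919). The general lesson for callers is to pass the minor status to gss_display_status() with GSS_C_MECH_CODE rather than to error_message(), since mechglue minors are process-local mappings, not com_err codes.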


More information about the krbdev mailing list