[EXTERNAL] Re: Need help with s4u test program and constrained delegation

Nebergall, Christopher cneberg at sandia.gov
Thu Jun 6 12:19:10 EDT 2013


> gss_acquire_cred_impersonate_name: KDC has no support for padata type
> 06:52:38 832 DllMain DLL_PROCESS_DETACH

This is similar to the error I was getting from Linux against Windows 2008 and MIT krb 1.11 due to an incompatibility between MIT and AD (I can't remember if the padata error came from the same function return). Try with 1.10 and see if it works.

-Topher
-----Original Message-----
From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] On Behalf Of diptivs at gmail.com
Sent: Thursday, June 06, 2013 9:18 AM
To: krbdev at mit.edu
Subject: [EXTERNAL] Re: Need help with s4u test program and constrained delegation

With the previous error, my understanding is that it is not able to get
testkrb's authentication data. So I tried as below and got a further error:

*Steps:*
set KRB5CCNAME=C:\Users\testkrb\AppData\Local\Temp\2\testkrb

kinit testkrb at SHIDI02-AD1.COM

t_s4u --spnego p:testkrb at AD1.COM p:smps/srv-2k8r2-2.-ad1.com C:\Windows\spssrv4.keytab

*Error:*

10:38:40 2968 DllMain DLL_PROCESS_ATTACH
10:38:40 2968 DllMain DLL_THREAD_ATTACH
10:38:40 2936 DllMain DLL_THREAD_ATTACH
Protocol transition tests follow
-----------------------------------

get_plugin_data_sym(authdata_client_0)
init module "mspac", ad_type 128, flags 00000002
init module "constrained-delegation", ad_type 512, flags 00000008
gssint_mecherrmap_map: mapping 2 at 74669D00=krb5-new to 2: err=0
new map: ((2,2 at 007AEB80=krb5-new))
gssint_mecherrmap_map: mapping 0 at 74669D00=krb5-new to 100001: err=0
new map: ((2,2 at 007AEB80=krb5-new), (100001,0 at 007AEBF0=krb5-new))
gssint_mecherrmap_map: mapping 0 at 74669D0C=krb5-old to 100002: err=0
new map: ((2,2 at 007AEB80=krb5-new), (100001,0 at 007AEBF0=krb5-new), (100002,0 at 007AEB10=krb5-old))
gssint_mecherrmap_map: mapping 0 at 74669D14=krb5-microsoft to 100003: err=0
new map: ((2,2 at 007AEB80=krb5-new), (100001,0 at 007AEBF0=krb5-new), (100002,0 at 007AEB10=krb5-old), (100003,0 at 007AEB48=krb5-microsoft))
gssint_mecherrmap_map: mapping 0 at 74669D20={ 1 3 6 1 5 2 5 } to 100004: err=0
new map: ((2,2 at 007AEB80=krb5-new), (100001,0 at 007AEBF0=krb5-new), (100002,0 at 007AEB10=krb5-old), (100003,0 at 007AEB48=krb5-microsoft), (100004,0 at 003E19D0={ 1 3 6 1 5 2 5 }))
gssint_mecherrmap_map: found 0 at 74669D00=krb5-new in map as 100001
gssint_mecherrmap_map: found 0 at 74669D0C=krb5-old in map as 100002
gssint_mecherrmap_map: found 0 at 74669D14=krb5-microsoft in map as 100003
gssint_mecherrmap_map: found 0 at 74669D20={ 1 3 6 1 5 2 5 } in map as 100004
get_plugin_data_sym(service_locator)
10:39:24 504 DllMain DLL_THREAD_ATTACH
get_plugin_data_sym(service_locator)
10:39:24 504 DllMain DLL_THREAD_DETACH
gssint_mecherrmap_map: mapping 2529638919 at 74669D00=krb5-new to 2529638919: err=0
new map: ((2,2 at 007AEB80=krb5-new), (100001,0 at 007AEBF0=krb5-new), (100002,0 at 007AEB10=krb5-old), (100003,0 at 007AEB48=krb5-microsoft), (100004,0 at 003E19D0={ 1 3 6 1 5 2 5 }), (2529638919,2529638919 at 007AEAA0=krb5-new))
get_plugin_data_sym(service_locator)
10:39:37 984 DllMain DLL_THREAD_ATTACH
get_plugin_data_sym(service_locator)
10:39:37 984 DllMain DLL_THREAD_DETACH
gssint_mecherrmap_map: mapping 2529638919 at 74669D0C=krb5-old to 100005: err=0
new map: ((2,2 at 007AEB80=krb5-new), (100001,0 at 007AEBF0=krb5-new), (100002,0 at 007AEB10=krb5-old), (100003,0 at 007AEB48=krb5-microsoft), (100004,0 at 003E19D0={ 1 3 6 1 5 2 5 }), (2529638919,2529638919 at 007AEAA0=krb5-new), (100005,2529638919 at 007AEBB8=krb5-old))
get_plugin_data_sym(service_locator)
10:39:55 2932 DllMain DLL_THREAD_ATTACH
get_plugin_data_sym(service_locator)
10:39:55 2932 DllMain DLL_THREAD_DETACH
gssint_mecherrmap_map: mapping 2529638919 at 74669D14=krb5-microsoft to 100006: err=0
new map: ((2,2 at 007AEB80=krb5-new), (100001,0 at 007AEBF0=krb5-new), (100002,0 at 007AEB10=krb5-old), (100003,0 at 007AEB48=krb5-microsoft), (100004,0 at 003E19D0={ 1 3 6 1 5 2 5 }), (2529638919,2529638919 at 007AEAA0=krb5-new), (100005,2529638919 at 007AEBB8=krb5-old), (100006,2529638919 at 003E1C70=krb5-microsoft))
get_plugin_data_sym(service_locator)
10:40:03 360 DllMain DLL_THREAD_ATTACH
get_plugin_data_sym(service_locator)
10:40:03 360 DllMain DLL_THREAD_DETACH
gssint_mecherrmap_map: mapping 2529638919 at 74669D20={ 1 3 6 1 5 2 5 } to 100007: err=0
new map: ((2,2 at 007AEB80=krb5-new), (100001,0 at 007AEBF0=krb5-new), (100002,0 at 007AEB10=krb5-old), (100003,0 at 007AEB48=krb5-microsoft), (100004,0 at 003E19D0={ 1 3 6 1 5 2 5 }), (2529638919,2529638919 at 007AEAA0=krb5-new), (100005,2529638919 at 007AEBB8=krb5-old), (100006,2529638919 at 003E1C70=krb5-microsoft), (100007,2529638919 at 003E1D18={ 1 3 6 1 5 2 5 }))
gssint_mecherrmap_map: mapping 0 at 746695B0=spnego to 100008: err=0
new map: ((2,2 at 007AEB80=krb5-new), (100001,0 at 007AEBF0=krb5-new), (100002,0 at 007AEB10=krb5-old), (100003,0 at 007AEB48=krb5-microsoft), (100004,0 at 003E19D0={ 1 3 6 1 5 2 5 }), (2529638919,2529638919 at 007AEAA0=krb5-new), (100005,2529638919 at 007AEBB8=krb5-old), (100006,2529638919 at 003E1C70=krb5-microsoft), (100007,2529638919 at 003E1D18={ 1 3 6 1 5 2 5 }), (100008,0 at 003E1D50=spnego))
gssint_mecherrmap_map: found 0 at 74669D00=krb5-new in map as 100001
gssint_mecherrmap_map: found 0 at 74669D0C=krb5-old in map as 100002
gssint_mecherrmap_map: found 0 at 74669D14=krb5-microsoft in map as 100003
gssint_mecherrmap_map: found 0 at 74669D20={ 1 3 6 1 5 2 5 } in map as 100004
gss_acquire_cred_impersonate_name: Unspecified GSS failure.  Minor code may provide more information
10:40:57 648 gss_acquire_cred_impersonate_name:
DllMain DLL_THREAD_ATTACH
10:40:57 2968 DllMain DLL_PROCESS_DETACH


Thanks,
Dipti

On Thu, Jun 6, 2013 at 3:51 PM, <diptivs at gmail.com> wrote:

> After adding KRB5CCNAME the error got changed with s4u test program.
>
> *Steps:*
> set KRB5CCNAME=C:\Users\testkrb\AppData\Local\Temp\2\srv--2k8r2-3
>
> kinit -k -t C:\Windows\spssrv4.keytab -f HTTP/srv-2k8r2-3.ad1.com
>
> t_s4u p:testkrb at SHIDI02-AD1.COM p:smps/srv-2k8r2-2.ad1.com C:\Windows\spssrv4.keytab
>
> *Error:*
>
> 06:52:38 832 DllMain DLL_PROCESS_ATTACH
> 06:52:38 832 DllMain DLL_THREAD_ATTACH
> 06:52:38 2360 DllMain DLL_THREAD_ATTACH
> Protocol transition tests follow
> -----------------------------------
>
> get_plugin_data_sym(authdata_client_0)
> init module "mspac", ad_type 128, flags 00000002
> init module "constrained-delegation", ad_type 512, flags 00000008
> gssint_mecherrmap_map: mapping 2 at 74749D00=krb5-new to 2: err=0
> new map: ((2,2 at 0032E7C8=krb5-new))
> gssint_mecherrmap_map: mapping 0 at 74749D00=krb5-new to 100001: err=0
> new map: ((2,2 at 0032E7C8=krb5-new), (100001,0 at 0032E838=krb5-new))
> gssint_mecherrmap_map: mapping 0 at 74749D0C=krb5-old to 100002: err=0
> new map: ((2,2 at 0032E7C8=krb5-new), (100001,0 at 0032E838=krb5-new), (100002,0 at 0032E758=krb5-old))
> gssint_mecherrmap_map: mapping 0 at 74749D14=krb5-microsoft to 100003: err=0
> new map: ((2,2 at 0032E7C8=krb5-new), (100001,0 at 0032E838=krb5-new), (100002,0 at 0032E758=krb5-old), (100003,0 at 0032E790=krb5-microsoft))
> gssint_mecherrmap_map: mapping 0 at 74749D20={ 1 3 6 1 5 2 5 } to 100004: err=0
> new map: ((2,2 at 0032E7C8=krb5-new), (100001,0 at 0032E838=krb5-new), (100002,0 at 0032E758=krb5-old), (100003,0 at 0032E790=krb5-microsoft), (100004,0 at 0032E870={ 1 3 6 1 5 2 5 }))
> gssint_mecherrmap_map: found 0 at 74749D00=krb5-new in map as 100001
> gssint_mecherrmap_map: found 0 at 74749D0C=krb5-old in map as 100002
> gssint_mecherrmap_map: found 0 at 74749D14=krb5-microsoft in map as 100003
> gssint_mecherrmap_map: found 0 at 74749D20={ 1 3 6 1 5 2 5 } in map as 100004
> get_plugin_data_sym(service_locator)
> 06:52:38 2272 DllMain DLL_THREAD_ATTACH
> get_plugin_data_sym(service_locator)
> 06:52:38 2272 DllMain DLL_THREAD_DETACH
> gssint_mecherrmap_map: mapping 2529638928 at 74749D00=krb5-new to 2529638928: err=0
> new map: ((2,2 at 0032E7C8=krb5-new), (100001,0 at 0032E838=krb5-new), (100002,0 at 0032E758=krb5-old), (100003,0 at 0032E790=krb5-microsoft), (100004,0 at 0032E870={ 1 3 6 1 5 2 5 }), (2529638928,2529638928 at 0032E8A8=krb5-new))
> gss_acquire_cred_impersonate_name: Unspecified GSS failure.  Minor code may provide more information
> krb5_gss_get_error_message(2529638928, p=00000000) -> 7460B6B0/KDC has no support for padata type
> gss_acquire_cred_impersonate_name: KDC has no support for padata type
> 06:52:38 832 DllMain DLL_PROCESS_DETACH
>
> Thanks,
> Dipti
>
> On Thu, Jun 6, 2013 at 1:16 PM, <diptivs at gmail.com> wrote:
>
>> Hi,
>>
>> I am trying to test constrained delegation using the s4u test
>> [C:\krb5-1.11.2\src\tests\gssapi\t_s4u.c].
>>
>> All setups are on Windows with Active Directory as the KDC.
>>
>> *Scenario used:*
>>
>> Service1: HTTP/srv-2k8r2-3.ad1.com
>> Service2: smps/srv-2k8r2-2.ad1.com
>>
>> Service1 is expected to do a delegated authentication for user
>> "testkrb at AD1.COM" for service2.
>>
>> *Steps used:*
>> *On Active Directory:*
>>
>>    - Created user named spssrv4 for service1
>>       - Associated the service1 account (spssrv4) with its principal
>>       name (HTTP/srv-2k8r2-3.ad1.com at AD1.COM), and created a *keytab* file
>>       using ktpass as: "ktpass -out c:\spssrv4.keytab -princ
>>       HTTP/srv-2k8r2-3.ad1.com at AD1.COM -ptype KRB5_NT_PRINCIPAL -mapuser
>>       spssrv4 -pass *****"
>>       - Marked the service account as "Trusted for Delegation": right-click
>>       the service account (spssrv4) properties and click the "Delegation" tab.
>>    - Created user named pssrv2 for service2
>>       - Associated the service2 account (pssrv2) with its principal
>>       name (smps/srv-2k8r2-2.ad1.com at AD1.COM), and created a *keytab* file
>>       using ktpass as: "ktpass -out c:\pssrv2.keytab -princ
>>       smps/srv-2k8r2-2.ad1.com at AD1.COM -ptype KRB5_NT_PRINCIPAL -mapuser
>>       pssrv2 -pass *****"
>>    - Created user named testkrb as a test user. Added this user to the
>>    Domain Admins group.
>>
>> *On Client Machine:*
>> Logged into the machine (srv-2k8r2-3.ad1.com) as user testkrb.
>> On command prompt executed following commands:
>>
>>    - kinit -k -t C:\Windows\spssrv4.keytab -f HTTP/srv-2k8r2-3.ad1.com
>>
>>    - t_s4u.exe p:testkrb at AD1.COM p:smps/srv-2k8r2-2.ad1.com C:\Windows\spssrv4.keytab
>>
>>
>> *Errors:*
>> Below is the output on using debug build:
>>
>> 10:58:18 2284 DllMain DLL_PROCESS_ATTACH
>> 10:58:19 2284 DllMain DLL_THREAD_ATTACH
>> 10:58:19 2772 DllMain DLL_THREAD_ATTACH
>> Protocol transition tests follow
>> -----------------------------------
>>
>> get_plugin_data_sym(authdata_client_0)
>> init module "mspac", ad_type 128, flags 00000002
>> init module "constrained-delegation", ad_type 512, flags 00000008
>> gssint_mecherrmap_map: mapping 2 at 74909D00=krb5-new to 2: err=0
>> new map: ((2,2 at 0079E758=krb5-new))
>> gssint_mecherrmap_map: mapping 0 at 74909D00=krb5-new to 100001: err=0
>> new map: ((2,2 at 0079E758=krb5-new), (100001,0 at 0079E7C8=krb5-new))
>> gssint_mecherrmap_map: mapping 0 at 74909D0C=krb5-old to 100002: err=0
>> new map: ((2,2 at 0079E758=krb5-new), (100001,0 at 0079E7C8=krb5-new), (100002,0 at 0079E6E8=krb5-old))
>> gssint_mecherrmap_map: mapping 0 at 74909D14=krb5-microsoft to 100003: err=0
>> new map: ((2,2 at 0079E758=krb5-new), (100001,0 at 0079E7C8=krb5-new), (100002,0 at 0079E6E8=krb5-old), (100003,0 at 0079E720=krb5-microsoft))
>> gssint_mecherrmap_map: mapping 0 at 74909D20={ 1 3 6 1 5 2 5 } to 100004: err=0
>> new map: ((2,2 at 0079E758=krb5-new), (100001,0 at 0079E7C8=krb5-new), (100002,0 at 0079E6E8=krb5-old), (100003,0 at 0079E720=krb5-microsoft), (100004,0 at 0079E800={ 1 3 6 1 5 2 5 }))
>> gssint_mecherrmap_map: found 0 at 74909D00=krb5-new in map as 100001
>> gssint_mecherrmap_map: found 0 at 74909D0C=krb5-old in map as 100002
>> gssint_mecherrmap_map: found 0 at 74909D14=krb5-microsoft in map as 100003
>> gssint_mecherrmap_map: found 0 at 74909D20={ 1 3 6 1 5 2 5 } in map as 100004
>> 10:58:29 2284   Running on Windows NT using secure mode
>> 10:58:29 2284 find_server Looking for server;
>> ccs_request_IfHandle:0x528CA8
>> 10:58:29 2284 authenticate_server entry
>> 10:58:29 2284   Server authenticated!
>> 10:58:29 2284 ccapi_connect is listening ...
>> 10:58:29 2232 DllMain DLL_THREAD_ATTACH
>> 10:58:29 2284   Server FOUND!
>> 10:58:29 2772 ccapi_listen (null)!
>> 10:58:29 2428 DllMain DLL_THREAD_ATTACH
>> 10:58:29 2284 _cci_ipc_send() got 221 at .\ccapi_ipc.c: 92
>> 10:58:29 2284 cci_ipc_send_no_launch() got 221 at .\ccapi_ipc.c: 118
>> 10:58:29 2284 ccapi_context_open_ccache() got 221 at .\ccapi_context.c: 408
>> 03:46:19 2428 DllMain DLL_THREAD_DETACH
>> 03:46:19 2232 DllMain DLL_THREAD_DETACH
>> 03:46:19 2284 cci_context_change_time_sync noticed server changed (server_was_running = 0; server_is_running = 1; g_change_time = 0; g_change_time_offset = 1
>> 03:46:19 2284 _cci_ipc_send() got 221 at .\ccapi_ipc.c: 92
>> 03:46:19 2284 cci_ipc_send_no_launch() got 221 at .\ccapi_ipc.c: 118
>> 03:46:19 2284 ccapi_context_open_ccache() got 221 at .\ccapi_context.c: 408
>> 03:46:19 2284 _cci_ipc_send() got 221 at .\ccapi_ipc.c: 92
>> 03:46:19 2284 cci_ipc_send_no_launch() got 221 at .\ccapi_ipc.c: 118
>> 03:46:19 2284 ccapi_context_open_ccache() got 221 at .\ccapi_context.c: 408
>> 03:46:19 2284 _cci_ipc_send() got 221 at .\ccapi_ipc.c: 92
>> 03:46:19 2284 cci_ipc_send_no_launch() got 221 at .\ccapi_ipc.c: 118
>> 03:46:19 2284 ccapi_context_open_ccache() got 221 at .\ccapi_context.c: 408
>> krb5_gss_save_error_info(39756044, ctx=0079F0C0)
>> krb5_gss_save_error_info(39756044, ctx=0079F0C0) saving: Credential cache is empty
>> gss_krb5_save_error_string_nocopy(39756044, Credential cache is empty) p=003B5958 SUCCESS
>> 03:46:19 1068 DllMain DLL_THREAD_ATTACH
>> 03:46:19 2516 DllMain DLL_THREAD_ATTACH
>> gssint_mecherrmap_map: mapping 39756044 at 74909D00=krb5-new to 39756044: err=0
>> new map: ((2,2 at 0079E758=krb5-new), (100001,0 at 0079E7C8=krb5-new), (100002,0 at 0079E6E8=krb5-old), (100003,0 at 0079E720=krb5-microsoft), (100004,0 at 0079E800={ 1 3 6 1 5 2 5 }), (39756044,39756044 at 0079E838=krb5-new))
>> gss_acquire_cred_impersonate_name: Unspecified GSS failure.  Minor code may provide more information
>> krb5_gss_get_error_message(39756044, p=003B5958) FOUND! -> 003B29F0/Credential cache is empty
>> gss_acquire_cred_impersonate_name: Credential cache is empty
>> 03:46:19 2284 DllMain DLL_PROCESS_DETACH
>>
>>
>> I am not sure what is going wrong here.
>>
>> *Actual usage and problem:*
>> *Working configuration:*
>> In our product setup all is going well if the delegation setup is as
>> below:
>>
>>    - Mark the service1 account as "*Trusted for Delegation*": right-click
>>    the service account (spssrv4) properties, click the "Delegation" tab,
>>    and select the second option "Trust this user for delegation to any
>>    service (Kerberos only)".
>>
>>
>> *Not Working configuration:*
>> But if this setting is changed to:
>>
>>    - Mark the service1 account as "*Trusted for Delegation*": right-click
>>    the service account (spssrv4) properties, click the "Delegation" tab,
>>    select the third option "Trust this user for delegation to specified
>>    service", then select the "Use Kerberos only" radio button and add the
>>    corresponding service principal name (smps/srv-2k8r2-2.ad1.com at AD1.COM)
>>
>> *Error:*
>> This fails with an error as below:
>> "Failed to create delegated GSSAPI token on behalf of HTTP/srv-2k8r2-3.ad1.com at AD1.COM for smps at 2k8r2-2.AD1.com: Minor Status=100008, Major Status=851968, Message=Unknown code FF 168"
>>
>>
>> Any suggestions would be of great help. Thanks.
>>
>> Thank you
>> Regards,
>> Dipti
>>
>
>
>
>
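The product error quoted in the thread reports Major Status=851968 and Minor Status=100008, and the mechglue debug lines (gssint_mecherrmap_map: mapping ...) show how each mechanism's minor code is rewritten into the value an application sees. The following Python is an added example, not code from the thread or from MIT krb5: it decodes a GSS-API major status word by the RFC 2744 bit layout and resolves a mapped minor code back to its mechanism from those log lines. The sample log is constructed from mapping lines in the thread, in the archive's " at " rendering.

```python
import re

# GSS-API major status layout (RFC 2744 3.9.1): bits 24-31 calling error,
# bits 16-23 routine error, bits 0-15 supplementary info.
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_MIC",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
CALLING_ERRORS = {1: "GSS_S_CALL_INACCESSIBLE_READ",
                  2: "GSS_S_CALL_INACCESSIBLE_WRITE", 3: "GSS_S_CALL_BAD_STRUCTURE"}
SUPPLEMENTARY = ["GSS_S_CONTINUE_NEEDED", "GSS_S_DUPLICATE_TOKEN",
                 "GSS_S_OLD_TOKEN", "GSS_S_UNSEQ_TOKEN", "GSS_S_GAP_TOKEN"]

def decode_major(major):
    """Split a major status into named calling/routine/supplementary parts."""
    calling, routine, supp = (major >> 24) & 0xFF, (major >> 16) & 0xFF, major & 0xFFFF
    return {
        "calling": CALLING_ERRORS.get(calling, "NONE" if calling == 0 else f"UNKNOWN({calling})"),
        "routine": ROUTINE_ERRORS.get(routine, "NONE" if routine == 0 else f"UNKNOWN({routine})"),
        "supplementary": [n for i, n in enumerate(SUPPLEMENTARY) if supp & (1 << i)],
    }

# Debug line shape: "gssint_mecherrmap_map: mapping <mech code> at <ptr>=<mech> to
# <mapped code>: err=0"; "@" appears as " at " in the archive, and lines may wrap.
_MAP_RE = re.compile(r"gssint_mecherrmap_map: mapping (\d+)\s*(?:at|@)\s*[0-9A-Fa-f]+="
                     r"(.+?) to\s+(\d+):\s*err\s*=\s*(\d+)")

def parse_mecherrmap(log_text):
    """Return {mapped_minor: (mechanism, mechanism_minor)} built from the debug log."""
    table = {}
    for orig, mech, mapped, err in _MAP_RE.findall(log_text):
        if err == "0":  # only successful mappings are usable
            table[int(mapped)] = (mech.strip(), int(orig))
    return table

def explain(major, minor, log_text):
    """Decode one reported failure: major status fields plus the unmapped minor."""
    mech, mech_minor = parse_mecherrmap(log_text).get(minor, ("unknown", None))
    return {"major": decode_major(major), "mechanism": mech, "mech_minor": mech_minor}

# Constructed sample made of mapping lines copied from the thread's debug output.
SAMPLE_LOG = """gssint_mecherrmap_map: mapping 0 at 746695B0=spnego to 100008: err=0
gssint_mecherrmap_map: mapping 2529638919 at 74669D0C=krb5-old to 100005: err=0
gssint_mecherrmap_map: mapping 2529638919 at 74669D20={ 1 3 6 1 5 2 5 } to
100007:
err=0"""
```

For the thread's values, explain(851968, 100008, SAMPLE_LOG) yields routine error GSS_S_FAILURE and a minor that maps back to code 0 under the spnego mechanism, i.e. the mechanism attached no specific minor code to the failure.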



