[EXTERNAL] Re: Need help with s4u test program and constrained delegation

Nebergall, Christopher cneberg at sandia.gov
Wed Jun 12 17:15:09 EDT 2013


Yes, it worked in 1.10, but I compiled from source on Linux, not Windows. Did you configure AD to allow your principal to do protocol translation, and constrained delegation to the second service?

-Topher
-----Original Message-----
From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] On Behalf Of diptivs at gmail.com
Sent: Tuesday, June 11, 2013 9:25 AM
To: Nebergall, Christopher
Cc: krbdev at mit.edu
Subject: Re: [EXTERNAL] Re: Need help with s4u test program and constrained delegation

No luck.
Had it worked for you using 1.10?

Can someone please confirm that the steps and configuration are correct?

Thank you
Regards,
Dipti


On Thu, Jun 6, 2013 at 9:49 PM, Nebergall, Christopher
<cneberg at sandia.gov> wrote:

> > gss_acquire_cred_impersonate_name: KDC has no support for padata type
> > 06:52:38 832 DllMain DLL_PROCESS_DETACH
>
> This is similar to the error I was getting from Linux against Windows 2008
> and MIT krb5 1.11 due to an incompatibility between MIT and AD (I can't
> remember if the padata error came from the same function return). Try
> with 1.10 and see if it works.
>
> -Topher
> -----Original Message-----
> From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] On Behalf Of
> diptivs at gmail.com
> Sent: Thursday, June 06, 2013 9:18 AM
> To: krbdev at mit.edu
> Subject: [EXTERNAL] Re: Need help with s4u test program and constrained
> delegation
>
> With the previous error, my understanding is that it is not able to get
> testkrb's authentication data. So I tried as below, with a further error:
>
> *Steps:*
> set KRB5CCNAME=C:\Users\testkrb\AppData\Local\Temp\2\testkrb
>
> kinit testkrb@SHIDI02-AD1.COM
>
> t_s4u --spnego p:testkrb@AD1.COM p:smps/srv-2k8r2-2.-ad1.com C:\Windows\spssrv4.keytab
>
> *Error:*
>
> 10:38:40 2968 DllMain DLL_PROCESS_ATTACH
> 10:38:40 2968 DllMain DLL_THREAD_ATTACH
> 10:38:40 2936 DllMain DLL_THREAD_ATTACH
> Protocol transition tests follow
> -----------------------------------
>
> get_plugin_data_sym(authdata_client_0)
> init module "mspac", ad_type 128, flags 00000002
> init module "constrained-delegation", ad_type 512, flags 00000008
> gssint_mecherrmap_map: mapping 2@74669D00=krb5-new to 2: err=0
> new map: ((2,2@007AEB80=krb5-new))
> gssint_mecherrmap_map: mapping 0@74669D00=krb5-new to 100001: err=0
> new map: ((2,2@007AEB80=krb5-new), (100001,0@007AEBF0=krb5-new))
> gssint_mecherrmap_map: mapping 0@74669D0C=krb5-old to 100002: err=0
> new map: ((2,2@007AEB80=krb5-new), (100001,0@007AEBF0=krb5-new), (100002,0@007AEB10=krb5-old))
> gssint_mecherrmap_map: mapping 0@74669D14=krb5-microsoft to 100003: err=0
> new map: ((2,2@007AEB80=krb5-new), (100001,0@007AEBF0=krb5-new), (100002,0@007AEB10=krb5-old), (100003,0@007AEB48=krb5-microsoft))
> gssint_mecherrmap_map: mapping 0@74669D20={ 1 3 6 1 5 2 5 } to 100004: err=0
> new map: ((2,2@007AEB80=krb5-new), (100001,0@007AEBF0=krb5-new), (100002,0@007AEB10=krb5-old), (100003,0@007AEB48=krb5-microsoft), (100004,0@003E19D0={ 1 3 6 1 5 2 5 }))
> gssint_mecherrmap_map: found 0@74669D00=krb5-new in map as 100001
> gssint_mecherrmap_map: found 0@74669D0C=krb5-old in map as 100002
> gssint_mecherrmap_map: found 0@74669D14=krb5-microsoft in map as 100003
> gssint_mecherrmap_map: found 0@74669D20={ 1 3 6 1 5 2 5 } in map as 100004
> get_plugin_data_sym(service_locator)
> 10:39:24 504 DllMain DLL_THREAD_ATTACH
> get_plugin_data_sym(service_locator)
> 10:39:24 504 DllMain DLL_THREAD_DETACH
> gssint_mecherrmap_map: mapping 2529638919@74669D00=krb5-new to 2529638919: err=0
>
> new map: ((2,2@007AEB80=krb5-new), (100001,0@007AEBF0=krb5-new), (100002,0@007AEB10=krb5-old), (100003,0@007AEB48=krb5-microsoft), (100004,0@003E19D0={ 1 3 6 1 5 2 5 }), (2529638919,2529638919@007AEAA0=krb5-new))
> get_plugin_data_sym(service_locator)
> 10:39:37 984 DllMain DLL_THREAD_ATTACH
> get_plugin_data_sym(service_locator)
> 10:39:37 984 DllMain DLL_THREAD_DETACH
> gssint_mecherrmap_map: mapping 2529638919@74669D0C=krb5-old to 100005: err=0
> new map: ((2,2@007AEB80=krb5-new), (100001,0@007AEBF0=krb5-new), (100002,0@007AEB10=krb5-old), (100003,0@007AEB48=krb5-microsoft), (100004,0@003E19D0={ 1 3 6 1 5 2 5 }), (2529638919,2529638919@007AEAA0=krb5-new), (100005,2529638919@007AEBB8=krb5-old))
> get_plugin_data_sym(service_locator)
> 10:39:55 2932 DllMain DLL_THREAD_ATTACH
> get_plugin_data_sym(service_locator)
> 10:39:55 2932 DllMain DLL_THREAD_DETACH
> gssint_mecherrmap_map: mapping 2529638919@74669D14=krb5-microsoft to 100006: err=0
> new map: ((2,2@007AEB80=krb5-new), (100001,0@007AEBF0=krb5-new), (100002,0@007AEB10=krb5-old), (100003,0@007AEB48=krb5-microsoft), (100004,0@003E19D0={ 1 3 6 1 5 2 5 }), (2529638919,2529638919@007AEAA0=krb5-new), (100005,2529638919@007AEBB8=krb5-old), (100006,2529638919@003E1C70=krb5-microsoft))
> get_plugin_data_sym(service_locator)
> 10:40:03 360 DllMain DLL_THREAD_ATTACH
> get_plugin_data_sym(service_locator)
> 10:40:03 360 DllMain DLL_THREAD_DETACH
> gssint_mecherrmap_map: mapping 2529638919@74669D20={ 1 3 6 1 5 2 5 } to 100007: err=0
> new map: ((2,2@007AEB80=krb5-new), (100001,0@007AEBF0=krb5-new), (100002,0@007AEB10=krb5-old), (100003,0@007AEB48=krb5-microsoft), (100004,0@003E19D0={ 1 3 6 1 5 2 5 }), (2529638919,2529638919@007AEAA0=krb5-new), (100005,2529638919@007AEBB8=krb5-old), (100006,2529638919@003E1C70=krb5-microsoft), (100007,2529638919@003E1D18={ 1 3 6 1 5 2 5 }))
> gssint_mecherrmap_map: mapping 0@746695B0=spnego to 100008: err=0
> new map: ((2,2@007AEB80=krb5-new), (100001,0@007AEBF0=krb5-new), (100002,0@007AEB10=krb5-old), (100003,0@007AEB48=krb5-microsoft), (100004,0@003E19D0={ 1 3 6 1 5 2 5 }), (2529638919,2529638919@007AEAA0=krb5-new), (100005,2529638919@007AEBB8=krb5-old), (100006,2529638919@003E1C70=krb5-microsoft), (100007,2529638919@003E1D18={ 1 3 6 1 5 2 5 }), (100008,0@003E1D50=spnego))
> gssint_mecherrmap_map: found 0@74669D00=krb5-new in map as 100001
> gssint_mecherrmap_map: found 0@74669D0C=krb5-old in map as 100002
> gssint_mecherrmap_map: found 0@74669D14=krb5-microsoft in map as 100003
> gssint_mecherrmap_map: found 0@74669D20={ 1 3 6 1 5 2 5 } in map as 100004
> gss_acquire_cred_impersonate_name: Unspecified GSS failure.  Minor code may provide more information
> 10:40:57 648 gss_acquire_cred_impersonate_name:
> DllMain DLL_THREAD_ATTACH
> 10:40:57 2968 DllMain DLL_PROCESS_DETACH
>
>
> Thanks,
> Dipti
>
> On Thu, Jun 6, 2013 at 3:51 PM, <diptivs at gmail.com> wrote:
>
> > After adding KRB5CCNAME the error got changed with s4u test program.
> >
> > *Steps:*
> > set KRB5CCNAME=C:\Users\testkrb\AppData\Local\Temp\2\srv--2k8r2-3
> >
> > kinit -k -t C:\Windows\spssrv4.keytab -f HTTP/srv-2k8r2-3.ad1.com
> >
> > t_s4u p:testkrb@SHIDI02-AD1.COM p:smps/srv-2k8r2-2.ad1.com C:\Windows\spssrv4.keytab
> >
> > *Error:*
> >
> > 06:52:38 832 DllMain DLL_PROCESS_ATTACH
> > 06:52:38 832 DllMain DLL_THREAD_ATTACH
> > 06:52:38 2360 DllMain DLL_THREAD_ATTACH
> > Protocol transition tests follow
> > -----------------------------------
> >
> > get_plugin_data_sym(authdata_client_0)
> > init module "mspac", ad_type 128, flags 00000002
> > init module "constrained-delegation", ad_type 512, flags 00000008
> > gssint_mecherrmap_map: mapping 2@74749D00=krb5-new to 2: err=0
> > new map: ((2,2@0032E7C8=krb5-new))
> > gssint_mecherrmap_map: mapping 0@74749D00=krb5-new to 100001: err=0
> > new map: ((2,2@0032E7C8=krb5-new), (100001,0@0032E838=krb5-new))
> > gssint_mecherrmap_map: mapping 0@74749D0C=krb5-old to 100002: err=0
> > new map: ((2,2@0032E7C8=krb5-new), (100001,0@0032E838=krb5-new), (100002,0@0032E758=krb5-old))
> > gssint_mecherrmap_map: mapping 0@74749D14=krb5-microsoft to 100003: err=0
> > new map: ((2,2@0032E7C8=krb5-new), (100001,0@0032E838=krb5-new), (100002,0@0032E758=krb5-old), (100003,0@0032E790=krb5-microsoft))
> > gssint_mecherrmap_map: mapping 0@74749D20={ 1 3 6 1 5 2 5 } to 100004: err=0
> > new map: ((2,2@0032E7C8=krb5-new), (100001,0@0032E838=krb5-new), (100002,0@0032E758=krb5-old), (100003,0@0032E790=krb5-microsoft), (100004,0@0032E870={ 1 3 6 1 5 2 5 }))
> > gssint_mecherrmap_map: found 0@74749D00=krb5-new in map as 100001
> > gssint_mecherrmap_map: found 0@74749D0C=krb5-old in map as 100002
> > gssint_mecherrmap_map: found 0@74749D14=krb5-microsoft in map as 100003
> > gssint_mecherrmap_map: found 0@74749D20={ 1 3 6 1 5 2 5 } in map as 100004
> > get_plugin_data_sym(service_locator)
> > 06:52:38 2272 DllMain DLL_THREAD_ATTACH
> > get_plugin_data_sym(service_locator)
> > 06:52:38 2272 DllMain DLL_THREAD_DETACH
> > gssint_mecherrmap_map: mapping 2529638928@74749D00=krb5-new to 2529638928: err=0
> >
> > new map: ((2,2@0032E7C8=krb5-new), (100001,0@0032E838=krb5-new), (100002,0@0032E758=krb5-old), (100003,0@0032E790=krb5-microsoft), (100004,0@0032E870={ 1 3 6 1 5 2 5 }), (2529638928,2529638928@0032E8A8=krb5-new))
> > gss_acquire_cred_impersonate_name: Unspecified GSS failure.  Minor code may provide more information
> > krb5_gss_get_error_message(2529638928, p=00000000) -> 7460B6B0/KDC has no support for padata type
> > gss_acquire_cred_impersonate_name: KDC has no support for padata type
> > 06:52:38 832 DllMain DLL_PROCESS_DETACH
> > Thanks,
> > Dipti
> >
> > On Thu, Jun 6, 2013 at 1:16 PM, <diptivs at gmail.com> wrote:
> >
> >> Hi,
> >>
> >> I am trying to test constrained delegation using the s4u test program
> >> [C:\krb5-1.11.2\src\tests\gssapi\t_s4u.c].
> >>
> >> All setups are on Windows, with Active Directory as the KDC.
> >>
> >> *Scenario used:*
> >>
> >> Service1: HTTP/srv-2k8r2-3.ad1.com
> >> Service2: smps/srv-2k8r2-2.ad1.com
> >>
> >> Service1 is expected to do a delegated authentication for user
> >> "testkrb@AD1.COM" to service2.
> >>
> >> *Steps used:*
> >> *On Active Directory:*
> >>
> >>    - Created user named spssrv4 for service1
> >>       - Associated the service1 account (spssrv4) with its principal name (HTTP/srv-2k8r2-3.ad1.com@AD1.COM), and created a keytab file using ktpass as: "ktpass -out c:\spssrv4.keytab -princ HTTP/srv-2k8r2-3.ad1.com@AD1.COM -ptype KRB5_NT_PRINCIPAL -mapuser spssrv4 -pass *****"
> >>       - Marked the service account as "Trusted for Delegation": right-click the service account (spssrv4) properties and click the "Delegation" tab, as shown in the image below: [image: Inline image 2]
> >>    - Created user named pssrv2 for service2
> >>       - Associated the service2 account (pssrv2) with its principal name (smps/srv-2k8r2-2.ad1.com@AD1.COM), and created a keytab file using ktpass as: "ktpass -out c:\pssrv2.keytab -princ smps/srv-2k8r2-2.ad1.com@AD1.COM -ptype KRB5_NT_PRINCIPAL -mapuser pssrv2 -pass *****"
> >>    - Created user named testkrb as a test user. Added this user to the Domain Admins group.
> >>
> >> *On Client Machine:*
> >> Logged into the machine (srv-2k8r2-3.ad1.com) as user testkrb.
> >> At the command prompt, executed the following commands:
> >>
> >>    - kinit -k -t C:\Windows\spssrv4.keytab -f HTTP/srv-2k8r2-3.ad1.com
> >>    - t_s4u.exe p:testkrb@AD1.COM p:smps/srv-2k8r2-2.ad1.com C:\Windows\spssrv4.keytab
> >>
> >>
> >> *Errors:*
> >> Below is the output when using a debug build:
> >>
> >> 10:58:18 2284 DllMain DLL_PROCESS_ATTACH
> >> 10:58:19 2284 DllMain DLL_THREAD_ATTACH
> >> 10:58:19 2772 DllMain DLL_THREAD_ATTACH
> >> Protocol transition tests follow
> >> -----------------------------------
> >>
> >> get_plugin_data_sym(authdata_client_0)
> >> init module "mspac", ad_type 128, flags 00000002
> >> init module "constrained-delegation", ad_type 512, flags 00000008
> >> gssint_mecherrmap_map: mapping 2@74909D00=krb5-new to 2: err=0
> >> new map: ((2,2@0079E758=krb5-new))
> >> gssint_mecherrmap_map: mapping 0@74909D00=krb5-new to 100001: err=0
> >> new map: ((2,2@0079E758=krb5-new), (100001,0@0079E7C8=krb5-new))
> >> gssint_mecherrmap_map: mapping 0@74909D0C=krb5-old to 100002: err=0
> >> new map: ((2,2@0079E758=krb5-new), (100001,0@0079E7C8=krb5-new), (100002,0@0079E6E8=krb5-old))
> >> gssint_mecherrmap_map: mapping 0@74909D14=krb5-microsoft to 100003: err=0
> >> new map: ((2,2@0079E758=krb5-new), (100001,0@0079E7C8=krb5-new), (100002,0@0079E6E8=krb5-old), (100003,0@0079E720=krb5-microsoft))
> >> gssint_mecherrmap_map: mapping 0@74909D20={ 1 3 6 1 5 2 5 } to 100004: err=0
> >> new map: ((2,2@0079E758=krb5-new), (100001,0@0079E7C8=krb5-new), (100002,0@0079E6E8=krb5-old), (100003,0@0079E720=krb5-microsoft), (100004,0@0079E800={ 1 3 6 1 5 2 5 }))
> >> gssint_mecherrmap_map: found 0@74909D00=krb5-new in map as 100001
> >> gssint_mecherrmap_map: found 0@74909D0C=krb5-old in map as 100002
> >> gssint_mecherrmap_map: found 0@74909D14=krb5-microsoft in map as 100003
> >> gssint_mecherrmap_map: found 0@74909D20={ 1 3 6 1 5 2 5 } in map as 100004
> >> 10:58:29 2284   Running on Windows NT using secure mode
> >> 10:58:29 2284 find_server Looking for server; ccs_request_IfHandle:0x528CA8
> >> 10:58:29 2284 authenticate_server entry
> >> 10:58:29 2284   Server authenticated!
> >> 10:58:29 2284 ccapi_connect is listening ...
> >> 10:58:29 2232 DllMain DLL_THREAD_ATTACH
> >> 10:58:29 2284   Server FOUND!
> >> 10:58:29 2772 ccapi_listen (null)!
> >> 10:58:29 2428 DllMain DLL_THREAD_ATTACH
> >> 10:58:29 2284 _cci_ipc_send() got 221 at .\ccapi_ipc.c: 92
> >> 10:58:29 2284 cci_ipc_send_no_launch() got 221 at .\ccapi_ipc.c: 118
> >> 10:58:29 2284 ccapi_context_open_ccache() got 221 at .\ccapi_context.c: 408
> >> 03:46:19 2428 DllMain DLL_THREAD_DETACH
> >> 03:46:19 2232 DllMain DLL_THREAD_DETACH
> >> 03:46:19 2284 cci_context_change_time_sync noticed server changed (server_was_running = 0; server_is_running = 1; g_change_time = 0; g_change_time_offset = 1
> >> 03:46:19 2284 _cci_ipc_send() got 221 at .\ccapi_ipc.c: 92
> >> 03:46:19 2284 cci_ipc_send_no_launch() got 221 at .\ccapi_ipc.c: 118
> >> 03:46:19 2284 ccapi_context_open_ccache() got 221 at .\ccapi_context.c: 408
> >> 03:46:19 2284 _cci_ipc_send() got 221 at .\ccapi_ipc.c: 92
> >> 03:46:19 2284 cci_ipc_send_no_launch() got 221 at .\ccapi_ipc.c: 118
> >> 03:46:19 2284 ccapi_context_open_ccache() got 221 at .\ccapi_context.c: 408
> >> 03:46:19 2284 _cci_ipc_send() got 221 at .\ccapi_ipc.c: 92
> >> 03:46:19 2284 cci_ipc_send_no_launch() got 221 at .\ccapi_ipc.c: 118
> >> 03:46:19 2284 ccapi_context_open_ccache() got 221 at .\ccapi_context.c: 408
> >> krb5_gss_save_error_info(39756044, ctx=0079F0C0)
> >> krb5_gss_save_error_info(39756044, ctx=0079F0C0) saving: Credential cache is empty
> >> gss_krb5_save_error_string_nocopy(39756044, Credential cache is empty) p=003B5958 SUCCESS
> >> 03:46:19 1068 DllMain DLL_THREAD_ATTACH
> >> 03:46:19 2516 DllMain DLL_THREAD_ATTACH
> >> gssint_mecherrmap_map: mapping 39756044@74909D00=krb5-new to 39756044: err=0
> >> new map: ((2,2@0079E758=krb5-new), (100001,0@0079E7C8=krb5-new), (100002,0@0079E6E8=krb5-old), (100003,0@0079E720=krb5-microsoft), (100004,0@0079E800={ 1 3 6 1 5 2 5 }), (39756044,39756044@0079E838=krb5-new))
> >> gss_acquire_cred_impersonate_name: Unspecified GSS failure.  Minor code may provide more information
> >> krb5_gss_get_error_message(39756044, p=003B5958) FOUND! -> 003B29F0/Credential cache is empty
> >> gss_acquire_cred_impersonate_name: Credential cache is empty
> >> 03:46:19 2284 DllMain DLL_PROCESS_DETACH
> >>
> >>
> >> I am not sure what is going wrong here.
> >>
> >> *Actual usage and problem:*
> >> *Working configuration:*
> >> In our product setup, all goes well if the delegation setup is as below:
> >>
> >>    - Mark the service1 account as "Trusted for Delegation": right-click the service account (spssrv4) properties, click the "Delegation" tab, then select the second option, "Trust this user for delegation to any service (Kerberos only)".
> >>
> >>
> >> *Not working configuration:*
> >> But if this setting is changed to:
> >>
> >>    - Mark the service1 account as "Trusted for Delegation": right-click the service account (spssrv4) properties, click the "Delegation" tab, then select the third option, "Trust this user for delegation to specified services only". Then select the "Use Kerberos only" radio button and add the corresponding service principal name (smps/srv-2k8r2-2.ad1.com@AD1.COM).
> >>
> >> *Error:*
> >> This fails with an error as below:
> >> "Failed to create delegated GSSAPI token on behalf of HTTP/srv-2k8r2-3.ad1.com@AD1.COM for smps@2k8r2-2.AD1.com: Minor Status=100008, Major Status=851968, Message=Unknown code FF 168"
> >>
> >>
> >> Any suggestions would be of great help. Thanks.
> >>
> >> Thank you
> >> Regards,
> >> Dipti
> >>
> >
> >
> >
> >
>
>
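The status values quoted in this thread can be decoded without a KDC, and doing so narrows the search. "Major Status=851968" is 0xD0000, routine error 13 in the RFC 2744 status-word layout, i.e. GSS_S_FAILURE. "Unknown code FF 168" is what com_err's error_message() prints for the minor 100008, and the debug traces show values 100001 through 100008 being handed out by gssint_mecherrmap_map: the mechglue remaps each mechanism's minor codes into its own numbering, so they are only resolvable through gss_display_status() with GSS_C_MECH_CODE and the mechanism OID, never through error_message(). The minors the krb5 mechanism reported directly are com_err codes in the krb5 table: 2529638928 is offset 16, KRB5KDC_ERR_PADATA_TYPE_NOSUPP, which is the "KDC has no support for padata type" text in the middle trace, and 2529638919 is offset 7, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN ("Server not found in Kerberos database"); that value comes from the `--spnego` run whose command line names `smps/srv-2k8r2-2.-ad1.com`, with a stray hyphen, which is worth checking against the SPN registered on pssrv2, although the thread itself does not confirm that this is the cause. The 39756044 in the oldest trace sits in the GSS krb5 mechanism's k5g table at offset 12, the "Credential cache is empty" that trace prints. The Python below is an added example, not code from the thread or from MIT krb5; the 100000 floor for mechglue-assigned minors is an assumption read off the trace above, and the symbolic names are transcribed from RFC 2744, krb5_err.et and gssapi_err_krb5.et.

```python
"""Decode the GSS-API status values quoted in the thread above.

Added example, not code from the thread or from MIT krb5.  The bit layout is
RFC 2744 section 3.9.1; com_err_table_name() mirrors error_table_name() in
MIT's com_err; table names and offsets come from krb5_err.et and
gssapi_err_krb5.et.
"""

# GSS major status word: calling error (bits 24-31), routine error
# (bits 16-23), supplementary information (bits 0-15).
CALLING_ERRORS = {
    1: "GSS_S_CALL_INACCESSIBLE_READ",
    2: "GSS_S_CALL_INACCESSIBLE_WRITE",
    3: "GSS_S_CALL_BAD_STRUCTURE",
}
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_MIC",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
SUPPLEMENTARY_BITS = {
    0: "GSS_S_CONTINUE_NEEDED", 1: "GSS_S_DUPLICATE_TOKEN",
    2: "GSS_S_OLD_TOKEN", 3: "GSS_S_UNSEQ_TOKEN", 4: "GSS_S_GAP_TOKEN",
}


def decode_major(major):
    """Return the GSS_S_* names packed into a major status word."""
    calling = (major >> 24) & 0xFF
    routine = (major >> 16) & 0xFF
    supplementary = major & 0xFFFF
    names = []
    if calling:
        names.append(CALLING_ERRORS.get(calling, "calling_error_%d" % calling))
    if routine:
        names.append(ROUTINE_ERRORS.get(routine, "routine_error_%d" % routine))
    names += [n for bit, n in SUPPLEMENTARY_BITS.items() if supplementary & (1 << bit)]
    return names or ["GSS_S_COMPLETE"]


# com_err codes: table number in the high 24 bits, offset in the low 8 bits.
_CHAR_SET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
KNOWN_TABLES = {
    "krb5": "libkrb5 (krb5_err.et)",
    "k5g": "GSS-API krb5 mechanism (gssapi_err_krb5.et)",
}
KNOWN_MESSAGES = {  # only the codes that appear in this thread
    ("krb5", 7): "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: Server not found in Kerberos database",
    ("krb5", 16): "KRB5KDC_ERR_PADATA_TYPE_NOSUPP: KDC has no support for padata type",
    ("k5g", 12): "Credential cache is empty",
}
# Assumption read off the debug trace above: mechglue hands out its own minor
# values starting at 100000 (100001 ... 100008 in the trace).
MECHGLUE_MAP_MIN = 100000


def com_err_table_name(code):
    """Mirror error_table_name(): table number as up to four 6-bit characters."""
    num = ((code & 0xFFFFFFFF) >> 8) & 0xFFFFFF
    chars = []
    for i in range(3, -1, -1):
        ch = (num >> (6 * i)) & 0x3F
        if ch:
            chars.append(_CHAR_SET[ch - 1])
    return "".join(chars)


def com_err_unknown(code):
    """What error_message() prints for a code whose table is not registered."""
    return "Unknown code %s %d" % (com_err_table_name(code), code & 0xFF)


def decode_minor(minor):
    """Classify a minor status printed as an unsigned 32-bit integer.

    Returns (kind, table_or_value, offset, description).
    """
    minor &= 0xFFFFFFFF
    table, offset = com_err_table_name(minor), minor & 0xFF
    if table in KNOWN_TABLES:
        text = KNOWN_MESSAGES.get((table, offset), "%s error offset %d" % (table, offset))
        return ("com_err", table, offset, text)
    if MECHGLUE_MAP_MIN <= minor < MECHGLUE_MAP_MIN + 0x10000:
        return ("mechglue", minor, offset,
                "assigned by gssint_mecherrmap_map; error_message() prints %r, "
                "resolve with gss_display_status(..., GSS_C_MECH_CODE, mech_oid, ...)"
                % com_err_unknown(minor))
    return ("unknown", table, offset, com_err_unknown(minor))


if __name__ == "__main__":
    print(851968, decode_major(851968))  # "Major Status=851968" from the product error
    for value in (100008, 2529638928, 2529638919, 39756044):  # minors seen in the thread
        print(value, decode_minor(value))
```

When an application logs a GSS failure, have it call gss_display_status() twice, once with GSS_C_GSS_CODE for the major and once with GSS_C_MECH_CODE for the minor, rather than feeding the minor to error_message(); with SPNEGO in the stack the minor a caller sees is usually a mechglue-assigned value like the 100008 above, and only the mechglue knows which mechanism's table it came from.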
_______________________________________________
krbdev mailing list             krbdev at mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev



