[EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching
Nebergall, Christopher
cneberg at sandia.gov
Thu Mar 14 13:12:34 EDT 2013
I used git-bisect to track down the first commit where the t_s4u test program fails running against Windows 2008 R2 SP 1. How do I disable FAST support for testing? Or I can help reduce the test case further if someone can tell me where to start.
Thanks,
Christopher
09484d0e835928a48655c0650f7de97825607b2e is the first bad commit
commit 09484d0e835928a48655c0650f7de97825607b2e
Author: Sam Hartman <hartmans at mit.edu>
Date: Wed Nov 23 01:04:38 2011 +0000
FAST TGS
Implement RFC 6113 FAST TGS support.
Includes library support for a variant of explicit TGS armor that has not yet been proposed within the IETF.
ticket: 7026
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25488 dc483132-0cff-0310-8789-dd5450dbe970
:040000 040000 b66f21d675fdcbe7427ba0140d73185e7134a4e0 a59cdbe0e1c273bd63a68f8dfb1c8e21ceb31364 M src
-----Original Message-----
From: Nebergall, Christopher
Sent: Wednesday, March 13, 2013 9:34 AM
To: Nebergall, Christopher; Greg Hudson
Cc: kerberos at mit.edu
Subject: RE: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching
Do you have an idea why I can't get the t_s4u test program in 1.11.1 running against Windows 2008 R2 SP 1?
Setup comments from t_s4u.c:
/*
* Test program for protocol transition (S4U2Self) and constrained delegation
* (S4U2Proxy)
*
* Note: because of name canonicalization, the following tips may help
* when configuring with Active Directory:
*
* - Create a computer account FOO$
* - Set the UPN to host/foo.domain (no suffix); this is necessary to
* be able to send an AS-REQ as this principal, otherwise you would
* need to use the canonical name (FOO$), which will cause principal
* comparison errors in gss_accept_sec_context().
* - Add a SPN of host/foo.domain
* - Configure the computer account to support constrained delegation with
* protocol transition (Trust this computer for delegation to specified
* services only / Use any authentication protocol)
* - Add host/foo.domain to the keytab (possibly easiest to do this
* with ktadd)
*
* For S4U2Proxy to work the TGT must be forwardable too.
*
* Usage eg:
*
* kinit -k -t test.keytab -f 'host/test.win.mit.edu at WIN.MIT.EDU'
* ./t_s4u p:delegtest at WIN.MIT.EDU p:HOST/WIN-EQ7E4AA2WR8.win.mit.edu at WIN.MIT.EDU test.keytab
*/
>>Set the UPN to host/foo.domain (no suffix);
I can't do this step; if I don't put @TOPHERVILLE.COM at the end of the UPN, then I can't do a kinit with the impersonator account.
-Christopher
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Nebergall, Christopher
Sent: Tuesday, March 12, 2013 3:04 PM
To: Greg Hudson
Cc: kerberos at mit.edu
Subject: RE: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching
Thank you, I believe that will be very helpful, but I'm unable to test because, while I could get constrained delegation working with the t_s4u test program in 1.10.3, I can't get the test program to work with the same accounts in 1.11.1. The test AD server is Windows 2008 R2 SP 1 in both cases.
./t_s4u p:testusr1 at TOPHERVILLE.COM p:host/testkcd2.topherville.com at TOPHERVILLE.COM /tmp/kcd_keytab_tv
Protocol transition tests follow
-----------------------------------
gss_acquire_cred_impersonate_name: Unspecified GSS failure. Minor code may provide more information
gss_acquire_cred_impersonate_name: KDC has no support for padata type
-Christopher
-----Original Message-----
From: Greg Hudson [mailto:ghudson at MIT.EDU]
Sent: Monday, March 11, 2013 10:44 PM
To: Nebergall, Christopher
Cc: kerberos at mit.edu
Subject: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching
On 03/11/2013 08:23 PM, Nebergall, Christopher wrote:
> Does anyone have any tips on copying the credentials created from Kerberos constrained delegation to a credentials cache file and back in again?
This is only possible with 1.11 or later. We use the subject principal as the default ccache principal, and set a ccache config variable to remember the impersonating service principal. More details at:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7046
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
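The layout Greg describes (subject as the ccache default principal, plus a ccache config variable that remembers the impersonating service) can be seen directly in the cache file. The following is an added example, not code from the thread or from MIT krb5: a minimal writer and parser for the MIT FILE credential cache format (version 4, big-endian). It assumes MIT's convention for config entries, namely a pseudo-credential whose server principal is krb5_ccache_conf_data/<key>@X-CACHECONF: with the value carried in the ticket field, and it uses proxy_impersonator as the key name, which is the name MIT krb5 uses for this entry. The principal names are the ones from Christopher's command line; the ticket and key bytes are constructed placeholders.

```python
"""Added example: write and read a v4 FILE ccache holding an S4U2Proxy-style
layout (subject as default principal, impersonator in a config entry)."""
import struct

# Constructed sample values, taken from the command line quoted in the thread.
SUBJECT = "testusr1@TOPHERVILLE.COM"
IMPERSONATOR = "host/testkcd2.topherville.com@TOPHERVILLE.COM"

# MIT stores ccache config entries as pseudo-credentials under this realm and
# first component; the key name for the impersonator is assumed from MIT krb5.
CONF_REALM = "X-CACHECONF:"
CONF_COMPONENT = "krb5_ccache_conf_data"
PROXY_IMPERSONATOR_KEY = "proxy_impersonator"
TKT_FLG_FORWARDABLE = 0x40000000


def _enc_counted(data):
    return struct.pack(">I", len(data)) + data


def _enc_principal(text, name_type=1):
    name, realm = text.rsplit("@", 1)
    comps = name.split("/")
    out = struct.pack(">II", name_type, len(comps)) + _enc_counted(realm.encode())
    return out + b"".join(_enc_counted(c.encode()) for c in comps)


def _enc_cred(client, server, ticket, key=b"", enctype=0, flags=0):
    """One v4 credential: principals, keyblock, 4 times, is_skey, flags,
    empty address and authdata lists, ticket, empty second ticket."""
    return (_enc_principal(client) + _enc_principal(server)
            + struct.pack(">H", enctype) + _enc_counted(key)
            + struct.pack(">IIII", 0, 0, 0, 0) + b"\x00" + struct.pack(">I", flags)
            + struct.pack(">II", 0, 0) + _enc_counted(ticket) + _enc_counted(b""))


def build_ccache(default_principal, creds):
    header = struct.pack(">HHii", 1, 8, 0, 0)        # deltatime tag only
    return (b"\x05\x04" + struct.pack(">H", len(header)) + header
            + _enc_principal(default_principal) + b"".join(_enc_cred(*c) for c in creds))


def _u32(b, off):
    return struct.unpack_from(">I", b, off)[0], off + 4


def _counted(b, off):
    n, off = _u32(b, off)
    return bytes(b[off:off + n]), off + n


def _dec_principal(b, off):
    _name_type, off = _u32(b, off)
    ncomp, off = _u32(b, off)
    realm, off = _counted(b, off)
    comps = []
    for _ in range(ncomp):
        c, off = _counted(b, off)
        comps.append(c.decode())
    return (comps, realm.decode()), off


def _dec_cred(b, off):
    client, off = _dec_principal(b, off)
    server, off = _dec_principal(b, off)
    off += 2                                 # enctype
    _, off = _counted(b, off)                # key contents
    off += 16 + 1                            # four timestamps, is_skey
    flags, off = _u32(b, off)
    for _ in range(2):                       # address list, then authdata list
        n, off = _u32(b, off)
        for _ in range(n):
            off += 2                         # addrtype / ad_type
            _, off = _counted(b, off)
    ticket, off = _counted(b, off)
    _, off = _counted(b, off)                # second_ticket
    return {"client": client, "server": server, "ticket": ticket, "flags": flags}, off


def parse_ccache(b):
    if b[:2] != b"\x05\x04":
        raise ValueError("only FILE ccache version 4 is handled")
    hlen = struct.unpack_from(">H", b, 2)[0]
    default_principal, off = _dec_principal(b, 4 + hlen)
    creds = []
    while off < len(b):
        cred, off = _dec_cred(b, off)
        creds.append(cred)
    return default_principal, creds


def principal_str(p):
    return "/".join(p[0]) + "@" + p[1]


def split_config(creds):
    """Separate ccache config pseudo-credentials from real tickets."""
    config, real = {}, []
    for c in creds:
        comps, realm = c["server"]
        if realm == CONF_REALM and len(comps) >= 2 and comps[0] == CONF_COMPONENT:
            config[comps[1]] = c["ticket"].decode()
        else:
            real.append(c)
    return config, real


def demo():
    cc = build_ccache(SUBJECT, [
        (SUBJECT, "krbtgt/TOPHERVILLE.COM@TOPHERVILLE.COM", b"<constructed TGT>",
         b"\x00" * 16, 18, TKT_FLG_FORWARDABLE),
        (SUBJECT, f"{CONF_COMPONENT}/{PROXY_IMPERSONATOR_KEY}@{CONF_REALM}", IMPERSONATOR.encode()),
    ])
    default_principal, creds = parse_ccache(cc)
    config, real = split_config(creds)
    tgt_forwardable = any(c["server"][0][0] == "krbtgt" and c["flags"] & TKT_FLG_FORWARDABLE
                          for c in real)
    return principal_str(default_principal), config.get(PROXY_IMPERSONATOR_KEY), len(real), tgt_forwardable


if __name__ == "__main__":
    print(demo())
```

The default principal is the subject (what klist reports), the real ticket list holds the subject's forwardable TGT that the t_s4u comments say S4U2Proxy needs, and the impersonating service survives a write-out and read-back only because of the config entry; a cache written without that entry, as a 1.10 library would produce, loses the impersonator, which matches the "1.11 or later" condition in the reply.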