get_cred starting realm

Nico Williams nico at
Wed Apr 29 13:25:37 EDT 2015

On Wed, Apr 29, 2015 at 10:07:59AM -0400, Greg Hudson wrote:
> krb5_get_credentials() assumes that cross-realm TGS requests should
> begin with the local TGT principal of the client realm.  This assumption
> has worked for a long time, but there are two edge cases where it
> doesn't: fully-anonymous tickets where the client realm is
> WELLKNOWN:ANONYMOUS, and delegated local TGTs for foreign realms.  I
> don't remember where we have talked about the second case, so it may be
> easier to just think about the first case.

The delegation case we call "delegating a destination-only TGT", though
really, it's a TGT that can't be used to a) reach services at the client
principal's realm (because of loop detection by TGSes), b) reach
services not reachable from the target service's realm (because of
missing trust relations).  (a) is a useful property, even if (b)
sometimes has the same effect.

This is a form of constrained delegation.

Destination-only TGTs have the same propery of TGTs for the fully-
anonymous client principal: the realm of the TGT does not match the
client principal's.

The start-realm ccconfig business helps clients select the same starting
TGT regardless of ccache iteration order determinism/non-determinism.

Delegation of destination-only TGTs requires additional code (to decide
when to do it, and to then get such forwarded tickets for delegation).
Viktor has patches to implement destination-only TGT delegation.  It's
quite convenient for several use cases.


More information about the krbdev mailing list