Multiple KDC's realm heuristic for KRB5CCNAME=DIR:/tmp/mydir/ ccache not working

Martin Gee geemang_2000 at yahoo.com
Tue Jul 24 13:56:19 EDT 2018


Added:  krbdev at mit.edu 

    On Tuesday, July 24, 2018 12:52 PM, Martin Gee <geemang_2000 at yahoo.com> wrote:
 

I found a Google post that describes the rules to resolve ccache entries:

1. The .k5identity file allows you to configure a client principal based on the target principal. See:
http://web.mit.edu/kerberos/krb5-latest/doc/user/user_config/k5identity.html

2. If the realm of the target service is known via a [domain_realm]
mapping in krb5.conf, a client principal in that realm will be selected.

3. The primary cache.
*******************
Do the mechanisms you list work for constrained delegation?
krb5 version: 1.16.1

I'm testing with t_s4u using the same approach as above (KRB5CCNAME=DIR:/tmp/mydir, etc.).
My tests always use #3 (last kinit command run or kswitch). I'd really like to use #2 if possible. I can't seem to get the .k5identity or realm-of-target-service rules to kick in. As listed below, t_s4u is always using the cache of the last kinit run.
/etc/krb5.conf
#START krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = UICSYNERGY.BIZ
 dns_lookup_realm = true
 dns_lookup_kdc = true
 dns_canonicalize_hostname = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_client_keytab_name = /etc/krb5.keytab

[realms]
 UICSYNERGY.BIZ = {
  kdc = uicsynergy.biz
  default_domain = uicsynergy.biz
 }
 ICSYNERGY.NET = {
  kdc = icsynergy.net
  default_domain = icsynergy.net
 }

[domain_realm]
 .uicsynergy.biz = UICSYNERGY.BIZ
 uicsynergy.biz = UICSYNERGY.BIZ
 .icsynergy.net = ICSYNERGY.NET
 icsynergy.net = ICSYNERGY.NET
#END krb5.conf
Here are my steps:
Create a keytab on each AD DC.

$ mkdir /tmp/mydir
$ export KRB5CCNAME=DIR:/tmp/mydir
$ kinit -k -t ./spgateway_icsynergy_net.keytab host/gw.icsynergy.info@ICSYNERGY.NET
$ kinit -k -t ./spgateway_uicsynergy_biz.keytab host/gw.icsynergy.info@UICSYNERGY.BIZ
$ klist -A
Ticket cache: DIR::/tmp/mydir/tktCzQyfj
Default principal: host/gw.icsynergy.info@UICSYNERGY.BIZ

Valid starting       Expires              Service principal
07/24/2018 16:49:20  07/25/2018 02:49:20  krbtgt/UICSYNERGY.BIZ@UICSYNERGY.BIZ
	renew until 07/31/2018 16:49:20

Ticket cache: DIR::/tmp/mydir/tktVQeLF4
Default principal: host/gw.icsynergy.info@ICSYNERGY.NET

Valid starting       Expires              Service principal
07/24/2018 16:48:47  07/25/2018 02:48:47  krbtgt/ICSYNERGY.NET@ICSYNERGY.NET
	renew until 07/31/2018 16:48:47

>> WORKS
$ /opt/spgateway/bin/t_s4u u:tuser2@UICSYNERGY.BIZ h:HTTP@ics-dc-2.uicsynergy.biz ./spgateway_uicsynergy_biz.keytab
<< WORKS

>> FAILS
$ /opt/spgateway/bin/t_s4u u:tuser1@ICSYNERGY.NET h:HTTP@ics-dc-1.icsynergy.net ./spgateway_icsynergy_net.keytab
Protocol transition tests follow
-----------------------------------
[25007] 1532451100.523203: Getting credentials tuser1@ICSYNERGY.NET -> host/gw.icsynergy.info@UICSYNERGY.BIZ using ccache DIR::/tmp/mydir/tktCzQyfj
[25007] 1532451100.523204: Retrieving tuser1@ICSYNERGY.NET -> host/gw.icsynergy.info@UICSYNERGY.BIZ from DIR::/tmp/mydir/tktCzQyfj with result: -1765328243/Matching credential not found (filename: /tmp/mydir/tktCzQyfj)
[25007] 1532451100.523205: Getting credentials host/gw.icsynergy.info@UICSYNERGY.BIZ -> krbtgt/ICSYNERGY.NET@UICSYNERGY.BIZ using ccache DIR::/tmp/mydir/tktCzQyfj
[25007] 1532451100.523206: Retrieving host/gw.icsynergy.info@UICSYNERGY.BIZ -> krbtgt/ICSYNERGY.NET@UICSYNERGY.BIZ from DIR::/tmp/mydir/tktCzQyfj with result: -1765328243/Matching credential not found (filename: /tmp/mydir/tktCzQyfj)
[25007] 1532451100.523207: Retrieving host/gw.icsynergy.info@UICSYNERGY.BIZ -> krbtgt/UICSYNERGY.BIZ@UICSYNERGY.BIZ from DIR::/tmp/mydir/tktCzQyfj with result: 0/Success
[25007] 1532451100.523208: Starting with TGT for client realm: host/gw.icsynergy.info@UICSYNERGY.BIZ -> krbtgt/UICSYNERGY.BIZ@UICSYNERGY.BIZ
[25007] 1532451100.523209: Requesting tickets for krbtgt/ICSYNERGY.NET@UICSYNERGY.BIZ, referrals on
[25007] 1532451100.523210: Generated subkey for TGS request: aes256-cts/B5F0
[25007] 1532451100.523211: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[25007] 1532451100.523213: Encoding request body and padata into FAST request
[25007] 1532451100.523214: Sending request (1769 bytes) to UICSYNERGY.BIZ
[25007] 1532451100.523215: Resolving hostname uicsynergy.biz
[25007] 1532451100.523216: Initiating TCP connection to stream 192.168.0.180:88
[25007] 1532451100.523217: Sending TCP request to stream 192.168.0.180:88
[25007] 1532451100.523218: Received answer (99 bytes) from stream 192.168.0.180:88
[25007] 1532451100.523219: Terminating TCP connection to stream 192.168.0.180:88
[25007] 1532451100.523220: Sending DNS URI query for _kerberos.UICSYNERGY.BIZ.
[25007] 1532451100.523221: No URI records found
[25007] 1532451100.523222: Sending DNS SRV query for _kerberos-master._udp.UICSYNERGY.BIZ.
[25007] 1532451100.523223: Sending DNS SRV query for _kerberos-master._tcp.UICSYNERGY.BIZ.
[25007] 1532451100.523224: No SRV records found
[25007] 1532451100.523225: Response was not from master KDC
[25007] 1532451100.523226: TGS request result: -1765328377/Server not found in Kerberos database
[25007] 1532451100.523227: Requesting tickets for krbtgt/ICSYNERGY.NET@UICSYNERGY.BIZ, referrals off
[25007] 1532451100.523228: Generated subkey for TGS request: aes256-cts/30A5
[25007] 1532451100.523229: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[25007] 1532451100.523231: Encoding request body and padata into FAST request
[25007] 1532451100.523232: Sending request (1769 bytes) to UICSYNERGY.BIZ
[25007] 1532451100.523233: Resolving hostname uicsynergy.biz
[25007] 1532451100.523234: Initiating TCP connection to stream 192.168.0.180:88
[25007] 1532451100.523235: Sending TCP request to stream 192.168.0.180:88
[25007] 1532451100.523236: Received answer (99 bytes) from stream 192.168.0.180:88
[25007] 1532451100.523237: Terminating TCP connection to stream 192.168.0.180:88
[25007] 1532451100.523238: Sending DNS URI query for _kerberos.UICSYNERGY.BIZ.
[25007] 1532451100.523239: No URI records found
[25007] 1532451100.523240: Sending DNS SRV query for _kerberos-master._udp.UICSYNERGY.BIZ.
[25007] 1532451100.523241: Sending DNS SRV query for _kerberos-master._tcp.UICSYNERGY.BIZ.
[25007] 1532451100.523242: No SRV records found
[25007] 1532451100.523243: Response was not from master KDC
[25007] 1532451100.523244: TGS request result: -1765328377/Server not found in Kerberos database
gss_acquire_cred_impersonate_name: Unspecified GSS failure.  Minor code may provide more information
gss_acquire_cred_impersonate_name: Server not found in Kerberos database
<< FAILS
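As an added illustration (not part of Martin's post and not krb5 library code), the following Python script models the three client-principal selection rules he quotes and runs them against the two caches from his klist -A output. It shows which cache rule 2 ([domain_realm] mapping of the target host) would pick for the failing target ics-dc-1.icsynergy.net, and which cache rule 3 (primary) picks when nothing matches; the trace above shows the primary cache tktCzQyfj being used for the ICSYNERGY.NET target, so the TGS request goes to the UICSYNERGY.BIZ KDC. The [domain_realm] longest-suffix lookup, the .k5identity rule format (a client principal followed by realm=, service= or host= conditions) and the assumption that the first cache listed by klist -A is the primary are mine; the file contents are constructed from the values in the post.

```python
"""Model of the three client-principal selection rules quoted in the post:
1. .k5identity rules, 2. [domain_realm] mapping of the target host,
3. the primary cache.  Added illustration; not krb5 code."""
import re

# Constructed from the [domain_realm] section of the krb5.conf in the post.
DOMAIN_REALM = {
    ".uicsynergy.biz": "UICSYNERGY.BIZ",
    "uicsynergy.biz": "UICSYNERGY.BIZ",
    ".icsynergy.net": "ICSYNERGY.NET",
    "icsynergy.net": "ICSYNERGY.NET",
}

# Constructed excerpt of the post's `klist -A` output (primary cache listed first).
KLIST_A = """\
Ticket cache: DIR::/tmp/mydir/tktCzQyfj
Default principal: host/gw.icsynergy.info@UICSYNERGY.BIZ

Ticket cache: DIR::/tmp/mydir/tktVQeLF4
Default principal: host/gw.icsynergy.info@ICSYNERGY.NET
"""

# Constructed .k5identity: one rule per realm, selecting the matching host principal.
K5IDENTITY = """\
# client principal                     conditions (realm=, service=, host=)
host/gw.icsynergy.info@ICSYNERGY.NET   realm=ICSYNERGY.NET
host/gw.icsynergy.info@UICSYNERGY.BIZ  realm=UICSYNERGY.BIZ
"""


def parse_klist_a(text):
    """Return [(cache_name, default_principal), ...] in listing order."""
    caches = re.findall(r"^Ticket cache: (\S+)$", text, re.M)
    princs = re.findall(r"^Default principal: (\S+)$", text, re.M)
    return list(zip(caches, princs))


def realm_of_host(hostname, mapping=DOMAIN_REALM):
    """[domain_realm] lookup: exact host name first, then each parent domain
    with a leading dot, longest suffix first.  None if nothing maps."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in mapping:
            return mapping[key]
    return None  # unmapped host: real krb5 would fall back to DNS / default_realm


def k5identity_match(rules, target_realm, service=None, host=None):
    """First .k5identity rule whose every field=value condition matches the target."""
    actual = {"realm": target_realm, "service": service, "host": host}
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        principal, *conds = line.split()
        pairs = (c.partition("=")[::2] for c in conds)  # ("realm", "X") tuples
        if all(actual.get(k) == v for k, v in pairs):
            return principal
    return None


def select_cache(caches, target_host, service="HTTP", rules=K5IDENTITY):
    """Apply rules 1..3 in order; return (rule_used, cache_name, client_principal)."""
    realm = realm_of_host(target_host)
    by_princ = {princ: cache for cache, princ in caches}
    wanted = k5identity_match(rules, realm, service, target_host) if realm else None
    if wanted in by_princ:                       # rule 1: explicit .k5identity rule
        return ("k5identity", by_princ[wanted], wanted)
    for cache, princ in caches:                  # rule 2: client realm == target realm
        if realm and princ.rpartition("@")[2] == realm:
            return ("domain_realm", cache, princ)
    cache, princ = caches[0]                     # rule 3: assumed primary = first listed
    return ("primary", cache, princ)


if __name__ == "__main__":
    caches = parse_klist_a(KLIST_A)
    for target in ("ics-dc-1.icsynergy.net", "ics-dc-2.uicsynergy.biz", "other.example.org"):
        print(target, "->", select_cache(caches, target))
        print(target, "(no .k5identity) ->", select_cache(caches, target, rules=""))
```

With the constructed .k5identity in place, the ICSYNERGY.NET target is routed to tktVQeLF4 by rule 1; with no .k5identity, rule 2 reaches the same cache from the [domain_realm] mapping; only an unmapped host falls through to the primary cache. Comparing the rule the script reports against the "using ccache" line in a KRB5_TRACE output is a quick way to tell which of the three rules the library actually applied for a given call.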