weijun.wang at oracle.com
Mon Feb 25 02:59:00 EST 2019
> On Feb 20, 2019, at 6:53 AM, Greg Hudson <ghudson at mit.edu> wrote:
> On 2/16/19 2:28 AM, Weijun Wang wrote:
>> Suppose there is only one process, is the intermediate server also forbidden to get a ticket to a backend server on its own?
> If a caller uses an impersonator credential with gss_init_sec_context(),
> the GSSAPI layer will always try to make an S4U2Proxy request, not a
> regular TGS request.
I see. So my understanding is that this defines a new kind of default credential. It used to be only user -> krbtgt, but it can be also a service -> krbtgt, plus user -> service, and this special proxy_impersonator flag.
BTW, a customer sent me this ccache file:
> Default principal: user at EXAMPLE.COM
> #1 Service Principal: service/host.example.com at EXAMPLE.COM
> Client Principal: user at EXAMPLE.COM
> #2 Service Principal: krbtgt/EXAMPLE.COM at EXAMPLE.COM
> Client Principal: service/host.example.com at EXAMPLE.COM
> krb5_ccache_conf_data.proxy_impersonator.<no princiapl>
> Value: service/host.example.com at EXAMPLE.COM
So gss_init_sec_context() is called using the default credential, it should
1) notice there is a proxy_impersonator
2) find a TGT matching the service name at #2
3) find the proxy credential matching the service name at #1
4) request ticket to any other service using #2 with #1 as the second ticket
Does the default principal of this ccache file matter? Should #1 always have the same client principal as it?
> The same caller may have previously acquired a cred handle which it used
> to produce the impersonator cred (either with gss_accept_sec_context()
> or gss_acquire_cred_impersonate_name()). That cred could be used to get
> a ticket to another server with a regular TGS request.
>> Is this true for any GSS_C_BOTH credential?
> No, the GSS_C_BOTH usage is orthogonal. Impersonator credentials are
> typically GSS_C_INITIATE, and a GSS_C_BOTH credential which is not an
> impersonator cred can be used to make regular TGS requests.
More information about the krbdev