About proxy_impersonator

Weijun Wang weijun.wang at oracle.com
Mon Feb 25 02:59:00 EST 2019

> On Feb 20, 2019, at 6:53 AM, Greg Hudson <ghudson at mit.edu> wrote:
> On 2/16/19 2:28 AM, Weijun Wang wrote:
>> Suppose there is only one process, is the intermediate server also forbidden to get a ticket to a backend server on its own?
> If a caller uses an impersonator credential with gss_init_sec_context(),
> the GSSAPI layer will always try to make an S4U2Proxy request, not a
> regular TGS request.

I see. So my understanding is that this defines a new kind of default credential. It used to be only user -> krbtgt, but it can also be a service -> krbtgt, plus user -> service, and this special proxy_impersonator flag.

BTW, a customer sent me this ccache file:

> Default principal: user at EXAMPLE.COM
> #1  Service Principal:  service/host.example.com at EXAMPLE.COM
>     Client Principal:   user at EXAMPLE.COM
> #2  Service Principal:  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>     Client Principal:   service/host.example.com at EXAMPLE.COM
> and
> krb5_ccache_conf_data.proxy_impersonator.<no principal>
>    Value: service/host.example.com at EXAMPLE.COM

So when gss_init_sec_context() is called using the default credential, it should

1) notice there is a proxy_impersonator
2) find a TGT matching the service name at #2
3) find the proxy credential matching the service name at #1
4) request ticket to any other service using #2 with #1 as the second ticket

Does the default principal of this ccache file matter? Should #1 always have the same client principal as it?


> The same caller may have previously acquired a cred handle which it used
> to produce the impersonator cred (either with gss_accept_sec_context()
> or gss_acquire_cred_impersonate_name()).  That cred could be used to get
> a ticket to another server with a regular TGS request.
>> Is this true for any GSS_C_BOTH credential?
> No, the GSS_C_BOTH usage is orthogonal.  Impersonator credentials are
> typically GSS_C_INITIATE, and a GSS_C_BOTH credential which is not an
> impersonator cred can be used to make regular TGS requests.

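To make the four steps in the message concrete, here is a small Python model of that credential lookup run over the quoted ccache. This is an added illustration, not code from MIT krb5 and not part of the thread: the credential records are reduced to client/server names, the config entry is kept in a plain dict rather than as a krb5_ccache_conf_data pseudo-credential, and the target service `backend/db.example.com@EXAMPLE.COM` is a placeholder. It models step 4 as selecting the impersonator's TGT to authenticate the request and the ticket to the impersonator as the additional ticket, with the resulting ticket requested for that ticket's client; it does not take a position on the open question about the default principal.

```python
"""Model of the proxy_impersonator lookup sketched in the message (illustration only)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cred:
    """One ccache entry: the principal holding it and the service it is for."""
    client: str
    server: str


@dataclass
class CCache:
    default_principal: str
    creds: List[Cred]
    # Simplification (assumed): the real cache stores config entries as
    # pseudo-credentials; here they are a key -> value dict.
    config: Dict[str, str] = field(default_factory=dict)


def realm_of(principal: str) -> str:
    return principal.rsplit("@", 1)[1]


def tgt_for(cc: CCache, client: str) -> Optional[Cred]:
    """Find client -> krbtgt/REALM@REALM in the cache, if present."""
    realm = realm_of(client)
    name = f"krbtgt/{realm}@{realm}"
    return next((c for c in cc.creds if c.client == client and c.server == name), None)


def select_s4u2proxy_creds(cc: CCache) -> Optional[Tuple[Cred, Cred]]:
    """Steps 1-3: return (impersonator TGT, evidence ticket), or None when the
    cache has no proxy_impersonator entry and a regular TGS request applies."""
    impersonator = cc.config.get("proxy_impersonator")
    if impersonator is None:
        return None                                        # step 1: not an impersonator cred
    tgt = tgt_for(cc, impersonator)                        # step 2: entry #2 in the dump
    evidence = next((c for c in cc.creds if c.server == impersonator), None)  # step 3: entry #1
    if tgt is None:
        raise LookupError(f"no TGT held by impersonator {impersonator}")
    if evidence is None:
        raise LookupError(f"no ticket to {impersonator} to use as the additional ticket")
    return tgt, evidence


def build_tgs_request(cc: CCache, target: str) -> dict:
    """Step 4: describe the request gss_init_sec_context() would send for `target`."""
    selected = select_s4u2proxy_creds(cc)
    if selected is None:
        # Ordinary initiator credential: the default principal's own TGT, no additional ticket.
        return {"kind": "TGS-REQ", "authenticating_tgt": tgt_for(cc, cc.default_principal),
                "additional_ticket": None, "server": target,
                "requested_for": cc.default_principal}
    tgt, evidence = selected
    # S4U2Proxy: the service authenticates with its own TGT, sends the user's ticket
    # to itself as the additional ticket (KDC option cname-in-addl-tkt), and the
    # ticket comes back issued to that additional ticket's client.
    return {"kind": "S4U2Proxy", "authenticating_tgt": tgt, "additional_ticket": evidence,
            "server": target, "requested_for": evidence.client}


# Constructed from the customer dump quoted in the message.
SAMPLE = CCache(
    default_principal="user@EXAMPLE.COM",
    creds=[
        Cred("user@EXAMPLE.COM", "service/host.example.com@EXAMPLE.COM"),               # #1
        Cred("service/host.example.com@EXAMPLE.COM", "krbtgt/EXAMPLE.COM@EXAMPLE.COM"),  # #2
    ],
    config={"proxy_impersonator": "service/host.example.com@EXAMPLE.COM"},
)

# Constructed: a plain user cache with no impersonator entry, for comparison.
PLAIN = CCache("user@EXAMPLE.COM",
               [Cred("user@EXAMPLE.COM", "krbtgt/EXAMPLE.COM@EXAMPLE.COM")])

if __name__ == "__main__":
    target = "backend/db.example.com@EXAMPLE.COM"   # placeholder service name
    print(build_tgs_request(SAMPLE, target))
    print(build_tgs_request(PLAIN, target))
```

Running it shows the two shapes side by side: the sample cache yields an S4U2Proxy request authenticated by entry #2 with entry #1 as the additional ticket, requested for `user@EXAMPLE.COM`; the plain cache yields a regular TGS request with no additional ticket. A cache that carries the proxy_impersonator entry but lacks either #1 or #2 raises LookupError rather than silently falling back.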