kcpytkt to copy a service ticket for client principal not matching the default principal

Josef Petermann josef.petermann at eoda.de
Mon Jun 15 17:28:09 EDT 2020


Hi,

Our goal is to spawn user sessions that have a service ticket for a third service, without having to enter a password and without using unconstrained delegation. Let's assume the users come pre-authenticated and we only have their username.

We are using protocol transition and constrained delegation on Service A (rstudio-server@LAB.BIZ) to obtain a service ticket for Service B (HTTP/ip-172-20-0-118.lab.biz@LAB.BIZ) for User X (jpetermann).

    # kinit -k -t /etc/httpd/rstudio-server.keytab rstudio-server@LAB.BIZ
    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: rstudio-server@LAB.BIZ

    Valid starting       Expires              Service principal
    15.06.2020 17:31:08  16.06.2020 03:31:08  krbtgt/LAB.BIZ@LAB.BIZ
        renew until 22.06.2020 17:31:08

    # kvno -k /etc/httpd/rstudio-server.keytab -U jpetermann -P HTTP/ip-172-20-0-118.lab.biz@LAB.BIZ
    HTTP/ip-172-20-0-118.lab.biz@LAB.BIZ: KVNO = 3, keytab entry valid

    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: rstudio-server@LAB.BIZ

    Valid starting       Expires              Service principal
    15.06.2020 17:31:08  16.06.2020 03:31:08  krbtgt/LAB.BIZ@LAB.BIZ
        renew until 22.06.2020 17:31:08
    15.06.2020 17:31:43  16.06.2020 03:31:08  rstudio-server@LAB.BIZ
        for client jpetermann@LAB.BIZ, renew until 22.06.2020 17:31:08
    15.06.2020 17:31:43  16.06.2020 03:31:08  HTTP/ip-172-20-0-118.lab.biz@LAB.BIZ

Now we are trying to use kcpytkt to extract the service ticket for Service B for User X from the ccache of Service A. Unfortunately, we are unable to extract a service ticket for a user who is not the default principal:

    # kcpytkt -c /tmp/krb5cc_0 /home/jpetermann\@lab.biz/cache42 HTTP/ip-172-20-0-118@LAB.BIZ
    HTTP/ip-172-20-0-118@LAB.BIZ: Matching credential not found while retrieving credentials

How can we get kcpytkt to match a credential that does not belong to the default principal? Ideally, the solution would involve supplying the client principal as an additional command line argument to kcpytkt.

Is there maybe another way to provide a service ticket to the user's session?

Thanks and Regards,

Josef Petermann
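The selection the post is asking for, as an added example that is not part of the original message and not code from the krb5 project: kcpytkt builds its match credential from the cache's default principal, so a ticket obtained via S4U2Self/S4U2Proxy for another client is never found. The block below does the same copy by reading the MIT FILE ccache image directly (format version 4, big-endian, as documented for MIT krb5) and matching on both the client and the server principal, then writes a fresh cache whose default principal is the user. The sample cache, its session keys and ticket bytes are constructed placeholders that mirror the klist output above; on a real host you would read /tmp/krb5cc_0 as bytes and write the result to the user's cache path (owned by the user, mode 0600).

```python
"""Added example, not from the post or the krb5 project: copy a service ticket
whose client is NOT the ccache default principal, selecting on client and server
principal (the match kcpytkt does not offer here). Works on the MIT FILE ccache
image, format version 4 (big-endian); sample keys and tickets are constructed."""
import struct

def _u16(b, o): return struct.unpack_from(">H", b, o)[0], o + 2
def _u32(b, o): return struct.unpack_from(">I", b, o)[0], o + 4

def _data(b, o):                      # 32-bit length, then that many bytes
    n, o = _u32(b, o)
    return bytes(b[o:o + n]), o + n

def _principal(b, o):                 # -> (name_type, realm, [components]), offset
    (name_type, ncomp), o = struct.unpack_from(">II", b, o), o + 8
    realm, o = _data(b, o)
    comps = []
    for _ in range(ncomp):
        c, o = _data(b, o)
        comps.append(c.decode())
    return (name_type, realm.decode(), comps), o

def _counted(b, o):                   # addresses / authdata: count, then (u16 type, data) each
    n, o = _u32(b, o)
    items = []
    for _ in range(n):
        t, o = _u16(b, o)
        d, o = _data(b, o)
        items.append((t, d))
    return items, o

def parse_ccache(buf):                # -> (default_principal, [cred dicts])
    version, o = _u16(buf, 0)
    if version != 0x0504:
        raise ValueError("only ccache format version 4 is handled")
    hlen, o = _u16(buf, o)
    o += hlen                         # header tags (e.g. KDC time offset) are not needed here
    default, o = _principal(buf, o)
    creds = []
    while o < len(buf):               # config entries (X-CACHECONF:) parse as ordinary creds
        c = {}
        c["client"], o = _principal(buf, o)
        c["server"], o = _principal(buf, o)
        c["enctype"], o = _u16(buf, o)
        c["key"], o = _data(buf, o)
        c["times"], o = struct.unpack_from(">4I", buf, o), o + 16  # auth, start, end, renew_till
        c["is_skey"], o = buf[o], o + 1
        c["flags"], o = _u32(buf, o)
        c["addresses"], o = _counted(buf, o)
        c["authdata"], o = _counted(buf, o)
        c["ticket"], o = _data(buf, o)
        c["second_ticket"], o = _data(buf, o)
        creds.append(c)
    return default, creds

def _enc_data(d): return struct.pack(">I", len(d)) + d

def _enc_principal(p):
    name_type, realm, comps = p
    return (struct.pack(">II", name_type, len(comps)) + _enc_data(realm.encode())
            + b"".join(_enc_data(c.encode()) for c in comps))

def _enc_counted(items):
    return struct.pack(">I", len(items)) + b"".join(struct.pack(">H", t) + _enc_data(d) for t, d in items)

def _enc_cred(c):
    return (_enc_principal(c["client"]) + _enc_principal(c["server"])
            + struct.pack(">H", c["enctype"]) + _enc_data(c["key"])
            + struct.pack(">4I", *c["times"]) + struct.pack(">BI", c["is_skey"], c["flags"])
            + _enc_counted(c["addresses"]) + _enc_counted(c["authdata"])
            + _enc_data(c["ticket"]) + _enc_data(c["second_ticket"]))

def build_ccache(default, creds):     # version-4 image with an empty header section
    return struct.pack(">HH", 0x0504, 0) + _enc_principal(default) + b"".join(map(_enc_cred, creds))

def fmt(p): return "/".join(p[2]) + "@" + p[1]

def parse_name(s, name_type=1):       # 1 = KRB5_NT_PRINCIPAL; '@' and '/' quoting not supported
    name, realm = s.rsplit("@", 1)
    return (name_type, realm, name.split("/"))

def copy_service_ticket(src, client, server):
    """kcpytkt-style copy that selects by client AND server principal. The result
    is a fresh ccache whose default principal is `client`, holding only the matching
    service tickets; it contains no TGT, so the session can use the ticket but not obtain others."""
    _, creds = parse_ccache(src)
    hits = [c for c in creds if fmt(c["client"]) == client and fmt(c["server"]) == server]
    if not hits:
        raise LookupError("no credential for %s to %s in source cache" % (client, server))
    return build_ccache(parse_name(client), hits)

def sample_ccache():                  # constructed stand-in for /tmp/krb5cc_0 after kinit + kvno
    def cred(client, server, ticket):
        return {"client": parse_name(client), "server": parse_name(server),
                "enctype": 18, "key": b"\x00" * 32,            # aes256-cts, dummy session key
                "times": (1592235068, 1592235068, 1592271068, 1592839868),
                "is_skey": 0, "flags": 0x40a10000, "addresses": [], "authdata": [],
                "ticket": ticket, "second_ticket": b""}       # ticket bytes are placeholders
    return build_ccache(parse_name("rstudio-server@LAB.BIZ"), [
        cred("rstudio-server@LAB.BIZ", "krbtgt/LAB.BIZ@LAB.BIZ", b"TGT"),
        cred("jpetermann@LAB.BIZ", "rstudio-server@LAB.BIZ", b"S4U2SELF"),
        cred("jpetermann@LAB.BIZ", "HTTP/ip-172-20-0-118.lab.biz@LAB.BIZ", b"S4U2PROXY")])
```

Two points worth keeping in mind with this approach. First, the copied entry is the S4U2Proxy ticket encrypted to Service B's key, so the user's session can present it to Service B through GSSAPI, which looks the credential up by client and server name, but it cannot request any other ticket because the new cache deliberately holds no TGT and no copy of Service A's credentials. Second, the writer emits an empty header section and does not handle quoted '@' or '/' in principal names, which is enough for the names in this thread but not for every cache a KDC might hand out.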





More information about the krbdev mailing list