S4U2Proxy

Rajbir Chahal rajbir.chahal at oracle.com
Mon Aug 12 11:21:05 EDT 2024


Hello,

I am using a sample program to test S4U2Proxy functionality. KDC is set up to use the default KDB module, db2.

On calling krb5_get_credentials_for_proxy(), the MIT KDC returns error
'-1765328371/KDC can't fulfill requested option'.

krb5kdc.log has log message -
Aug 02 16:15:40 phoenix535877 krb5kdc[389029](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18),
aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25),
camellia256-cts-cmac(26)}) 100.70.104.158: UNSUPPORTED_S4U2PROXY_REQUEST: authtime 1722614569,
cdbsvc2X/phx98444.dev3sub2phx.com at TESTMITKDC.SECTEST2024.COM
for cdbdst1/phx98444.dev3sub2phx.com at TESTMITKDC.SECTEST2024.COM,
KDC can't fulfill requested option

In KDC, krb5_db_allowed_to_delegate_from() returns KRB5_PLUGIN_OP_NOTSUPP because 'v->allowed_to_delegate_from == NULL'.

Is S4U2Proxy not supported by default KDB module (db2)?

thanks,
Rajbir



