[36882] in Kerberos


Re: Kerberos delegation on Windows

daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Fri Apr 3 17:11:53 2015

Date: Fri, 3 Apr 2015 17:11:32 -0400 (EDT)
From: Benjamin Kaduk <kaduk@mit.edu>
To: Jade Koskela <jkoskeladev@gmail.com>
In-Reply-To: <CAJgkd850xUPEdsVaGfV9y2H1D9K-rtS+s5Fn3U4ZmttcJFcBCA@mail.gmail.com>
Message-ID: <alpine.GSO.1.10.1504031709000.22210@multics.mit.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Fri, 3 Apr 2015, Jade Koskela wrote:

> Hello all,
>
> I would like to use gss_store_cred_into, or some similar method, to store a
> delegated TGT into the Windows LSA cache. I tried this using Kerberos API,
> GSSAPI, but wasn't successful. I also just tried kinit -c MSLSA:. In all
> cases, when the credential for the delegated user was stored in the LSA,
> the credential cache was purged of all of the tickets for the original
> user, and new tickets were stored.
> Is there any way to store tickets from multiple users in the LSA via
> Kerberos or GSSAPI?

To clarify slightly more on what was mentioned in IRC (and get the answer
in the archives), libkrb5 (and thus the GSS interfaces) assume that the
MSLSA: cache type can only contain credentials for one client principal at
a time.  As such, trying to add new credentials using one of those
routines will have the effect of overwriting any existing credentials [for
a different client principal].

This restriction is probably not inherent to the Windows LSA itself, as
the KerbSubmitTicketMessage seems to allow submitting a ticket for a
different client principal, but I have not done any experimentation in
this area.  (It is possible that software trying to use the LSA cache
would get very confused when presented this situation, for example.)

-Ben Kaduk
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos