[38247] in Kerberos


Re: Question about TGT forwarding

daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Fri Jun 1 16:31:17 2018

To: Jason Edgecombe <jwedgeco@uncc.edu>, Kerberos List <kerberos@mit.edu>
From: Jeffrey Altman <jaltman@secure-endpoints.com>
Message-ID: <01606615-1ed3-eef9-2f52-16806ab4485e@secure-endpoints.com>
Date: Fri, 1 Jun 2018 16:30:57 -0400
In-Reply-To: <CAAR6MGBixWyjUpoV5X0eEaJxPg2P+8gXktHNy5m3TU71mk_J5Q@mail.gmail.com>

On 5/31/2018 4:50 PM, Jason Edgecombe wrote:
> Hi everyone,
>
> We're noticing some odd behavior on our Windows clients where the Windows
> clients are not forwarding the TGT to our Linux servers. People can log in
> to the Linux servers from Windows clients, but "klist" shows no tickets
> after login. Linux clients forward the TGT just fine. In case it matters,
> we just moved our Linux home directories from a NAS with Kerberized SMB to
> a Linux NFS server with Kerberized NFS.

There are aspects of this post that make no sense to me.

You say that everything worked fine a few weeks ago and you imply that
the only change that was made was a transition from SMB to NFS for home
directories.

You also imply but do not explicitly state that the Windows clients are
Active Directory domain joined machines and the end users logged into
those systems using a domain account with either a password or smart card.

There is no obvious connection between the replacement of the home
directory file system storage mounted by the Linux workstation and
the failure of SSH GSS-API + Credential Delegation between the Windows
client and the Linux workstation.

  windows   ---->    linux          ---->   home directory
  client             workstation            storage

Clearly there is more to this story that you are failing to describe.

> I've had to disable GSSAPI authentication in openssh so that Windows
> users can still get tickets on the remote end.

Without GSSAPI authentication there is no possibility of delegation but
you did not specify that the OpenSSH server was configured to request
delegation.

Nor was it specified what SSH client is being used on Windows and how it
is configured.  Is it even attempting to delegate?

Does the SSH client use the Windows Kerberos SSP or does it rely upon
MIT Kerberos or Heimdal for GSS-API support?

Nor were any details provided about the ticket flags on the client's TGT.

> I have a disagreement with our AD guru on whether or not TGTs are expected
> to be forwarded and if that is a security risk.

TGT forwarding is a security risk.  The question is under which
circumstances is the practice an acceptable risk.

As has been pointed out by another list member, the Windows domain
provides finer grained control over credential delegation than is
supported by MIT Kerberos or Heimdal.  The domain administrator can
whitelist service principals to which the Windows client is permitted to
delegate.

Jeffrey Altman
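The reply above lists three things the original post never pinned down: whether the client's TGT is forwardable at all, whether the SSH client is configured to delegate, and whether the server accepts GSSAPI authentication. The following shell script is an added example, not code from this thread or from OpenSSH/MIT Kerberos; it checks all three against constructed `klist -f` output and constructed OpenSSH config excerpts (the principal, cache path and hosts are made up), and its config parser deliberately ignores `Host`/`Match` blocks and the `Option=value` spelling.

```shell
#!/bin/sh
# Constructed `klist -f` output in MIT krb5 format (not captured from a real host).
# The F flag on the krbtgt entry means the TGT is forwardable; without it no
# SSH client can delegate the TGT, whatever the configuration says.
KLIST_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@EXAMPLE.COM

Valid starting       Expires              Service principal
06/01/2018 10:00:00  06/01/2018 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 06/08/2018 10:00:00, Flags: FRIA'
KLIST_NOT_FORWARDABLE=$(printf '%s' "$KLIST_FORWARDABLE" | sed 's/Flags: FRIA/Flags: RIA/')

# Constructed OpenSSH ssh_config / sshd_config excerpts for hypothetical hosts.
CLIENT_CFG='Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes'
SERVER_CFG='GSSAPIAuthentication yes
GSSAPICleanupCredentials yes'
SERVER_CFG_OFF='GSSAPIAuthentication no'

# Succeed when the krbtgt entry in klist -f text carries the F (forwardable) flag.
tgt_is_forwardable() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// { in_tgt = 1; next }
        in_tgt && /Flags:/ { sub(/.*Flags: */, ""); if (index($0, "F")) ok = 1; in_tgt = 0 }
        END { exit ok ? 0 : 1 }'
}

# Print the effective value of an OpenSSH option: the first non-comment match
# wins, as in OpenSSH itself, and both GSSAPI options default to "no".
# Host/Match blocks and the Option=value spelling are not handled (simplification).
ssh_option() {
    printf '%s\n' "$1" | awk -v opt="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(opt) { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }'
}

# Delegation needs all of these: a forwardable TGT, a client that authenticates
# with GSSAPI and asks to delegate, and a server that accepts GSSAPI authentication.
# Arguments: klist -f text, client ssh_config text, server sshd_config text.
delegation_possible() {
    tgt_is_forwardable "$1" &&
    [ "$(ssh_option "$2" GSSAPIAuthentication)" = yes ] &&
    [ "$(ssh_option "$2" GSSAPIDelegateCredentials)" = yes ] &&
    [ "$(ssh_option "$3" GSSAPIAuthentication)" = yes ]
}
```

On a real host, feed it `klist -f` output from the client and the two config files; a TGT that shows no F flag points at the KDC or logon policy rather than at SSH.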

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos