[38468] in Kerberos


Re: Confusion about delegation

daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Fri Feb 1 23:12:47 2019

Date: Fri, 1 Feb 2019 22:12:29 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: John Byrne <jhnbyrn@gmail.com>
Message-ID: <20190202041229.GZ93251@kduck.mit.edu>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <CAJDs90DraXuPqC29TXsuFfyeFOSyeRthfu-fse64NvGmAukY5g@mail.gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Fri, Feb 01, 2019 at 02:54:39PM -0500, John Byrne wrote:
> Thanks, this helps a lot.
> I think the reason it appeared to be working for me when I used the wrong
> name HTTP/www.example.com is because I incorrectly had that principal in
> the keytab of the other service. And in the second case, where I omitted the
> creds altogether, you are correct, it just authenticated as
> HTTP/www.example.com and not kerbtestjohn.
> So, I have set ok_to_auth_as_delegate in my KDC for the intermediate
> service principal HTTP/www.example.com, but now I'm getting this error on
> the step() call:
> Feb 01 14:47:14 localhost.localdomain krb5kdc[6376](info): TGS_REQ (8 etypes
> {18 17 20 19 16 23 25 26}) NOT_ALLOWED_TO_DELEGATE: authtime 0,
> HTTP/www.example.com@EXAMPLE.COM for HTTP/datastore.example.com@EXAMPLE.COM,
> Plugin does not support the operation
> I couldn't find any info on this, but I did some reading in the source code
> and it looks like the necessary function 'check_allowed_to_delegate' is
> only defined for the ldap plugin. Have I got that right - I have to use
> ldap to get this feature to work with the krb5 server? Or is there another
> way?

The only in-tree module that supports constrained delegation, yes.  (At
least one out-of-tree module also exists, though presumably you would
already know if that was one you wanted.)

Kerberos mailing list           Kerberos@mit.edu
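As an added example (not part of the thread and not code from the krb5 project), the following Python script parses krb5kdc TGS_REQ log lines of the shape quoted above and separates the failure John hit, where the KDB module has no check_allowed_to_delegate and the KDC reports the KRB5_PLUGIN_OP_NOTSUPP text "Plugin does not support the operation", from a delegation request the backend did evaluate and reject. The regex, the TgsEvent/verdict names and every sample line except the first are assumptions made for this example; the first sample line is the one from the message above, re-joined onto one line. The optional "addr:" field is assumed to be an IPv4 address as printed by krb5kdc.

```python
"""Triage krb5kdc TGS_REQ log lines for constrained-delegation (S4U2Proxy)
failures, telling "the KDB backend cannot evaluate delegation at all" apart
from an ordinary policy denial.  Example code, not from the krb5 project."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Assumption: this regex is built from the line quoted in the thread, not from
# the krb5 source.  It matches the TGS_REQ body after any syslog/journald
# prefix.  The "<addr>:" field is optional because the quoted line lacks it;
# the optional "etypes {...}," group covers successful ISSUE lines.
_TGS_RE = re.compile(
    r"TGS_REQ \((?P<etypes>[^)]*)\)"
    r"(?: (?P<addr>[^:\s]+):)?"          # IPv4 client address, if logged
    r" (?P<status>[A-Z_]+): authtime (?P<authtime>\d+),\s+"
    r"(?:etypes \{[^}]*\},\s+)?"          # present on ISSUE lines
    r"(?P<client>\S+) for (?P<server>\S+?)"
    r"(?:, (?P<msg>.*))?$"                # trailing error text, if any
)

# Error string of KRB5_PLUGIN_OP_NOTSUPP: the KDC asked the KDB module to check
# delegation and the module simply has no implementation of that operation.
_PLUGIN_UNSUPPORTED = "Plugin does not support the operation"


@dataclass
class TgsEvent:
    status: str
    client: str
    server: str
    authtime: int
    addr: Optional[str]
    msg: Optional[str]

    @property
    def is_delegation_failure(self) -> bool:
        return self.status == "NOT_ALLOWED_TO_DELEGATE"

    @property
    def backend_lacks_delegation(self) -> bool:
        """True when no delegation policy was consulted at all."""
        return self.is_delegation_failure and self.msg == _PLUGIN_UNSUPPORTED


def parse_tgs_line(line: str) -> Optional[TgsEvent]:
    """Return a TgsEvent for a TGS_REQ line, or None for anything else."""
    m = _TGS_RE.search(line)
    if not m:
        return None
    return TgsEvent(status=m["status"], client=m["client"], server=m["server"],
                    authtime=int(m["authtime"]), addr=m["addr"], msg=m["msg"])


def triage_delegation(lines: Iterable[str]) -> Dict[Tuple[str, str], str]:
    """Map (intermediate service, target service) to a verdict for each
    NOT_ALLOWED_TO_DELEGATE event.  'kdb-module-unsupported' means the backend
    cannot do constrained delegation (switch backend); 'policy-denied' means
    the backend evaluated the request and the target is not allowed."""
    verdicts: Dict[Tuple[str, str], str] = {}
    for line in lines:
        ev = parse_tgs_line(line)
        if ev is None or not ev.is_delegation_failure:
            continue
        verdict = "kdb-module-unsupported" if ev.backend_lacks_delegation else "policy-denied"
        verdicts[(ev.client, ev.server)] = verdict
    return verdicts


# Constructed sample input.  SAMPLE_LOG[0] is the line quoted in the thread;
# the remaining lines are invented here to exercise the other outcomes.
SAMPLE_LOG: List[str] = [
    "Feb 01 14:47:14 localhost.localdomain krb5kdc[6376](info): TGS_REQ (8 etypes "
    "{18 17 20 19 16 23 25 26}) NOT_ALLOWED_TO_DELEGATE: authtime 0,  "
    "HTTP/www.example.com@EXAMPLE.COM for HTTP/datastore.example.com@EXAMPLE.COM, "
    "Plugin does not support the operation",
    "Feb 01 14:50:02 kdc1 krb5kdc[6376](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) "
    "10.0.0.5: NOT_ALLOWED_TO_DELEGATE: authtime 0,  "
    "HTTP/www.example.com@EXAMPLE.COM for HTTP/mail.example.com@EXAMPLE.COM, "
    "KDC policy rejects request",  # constructed denial text
    "Feb 01 14:51:30 kdc1 krb5kdc[6376](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) "
    "10.0.0.5: ISSUE: authtime 1549054034, etypes {rep=18 tkt=18 ses=18}, "
    "HTTP/www.example.com@EXAMPLE.COM for HTTP/datastore.example.com@EXAMPLE.COM",
    "Feb 01 14:52:00 kdc1 krb5kdc[6376](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) "
    "10.0.0.5: ISSUE: authtime 1549054320, etypes {rep=18 tkt=18 ses=18}, "
    "kerbtestjohn@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
]

if __name__ == "__main__":
    for (client, server), verdict in triage_delegation(SAMPLE_LOG).items():
        print(f"{client} -> {server}: {verdict}")
```

The point of the split verdict is that the two cases need different fixes: "kdb-module-unsupported" cannot be cured by changing the intermediate principal's flags, since the KDC never reached a policy check, whereas "policy-denied" means the backend does support constrained delegation and the intermediate principal's delegation target list is what needs attention. Feeding the script the KDC's own log rather than journald output works the same way, because the regex only looks at the text from "TGS_REQ" onward.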
