[38486] in Kerberos


Re: Constrained Delegation error "KDC policy rejects request"

daemon@ATHENA.MIT.EDU (John Byrne)
Wed Feb 6 21:21:12 2019

MIME-Version: 1.0
In-Reply-To: <CAJDs90CPe+yYGcgu4Wn2jWBgaQ07TWNXuVQ2q76vze2ktPKowQ@mail.gmail.com>
From: John Byrne <jhnbyrn@gmail.com>
Date: Wed, 6 Feb 2019 21:20:49 -0500
Message-ID: <CAJDs90DvocsuOcwX9=aSpvYnu1ZPhp29HmctL6ZXMnDxyOqiGQ@mail.gmail.com>
To: "kerberos@MIT.EDU" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

I figured it out, and it's working for me now.

For anyone else who's having this issue, there are 2 separate things you
have to set up to allow an intermediate service to impersonate a user:

* the ok_to_auth_as_delegate flag (in kadmin)
* an access control list in ldap.

I wasn't sure if editing ldap directly was the best thing to do, but I
didn't know of any alternative, so I created an ldif file like this:

dn: krbPrincipalName=HTTP/www.example.com@EXAMPLE.COM,cn=EXAMPLE.COM
changetype: modify
add: krbAllowedToDelegateTo
krbAllowedToDelegateTo: HTTP/datastore.example.com

You might be able to guess your appropriate ldap dn name based on that
format, but I just found it by doing a search with ldapsearch for my top
level entry, dc=example,dc=com.

After adding the above ldif with ldapmodify, constrained delegation now
works nicely and I can turn it on and off for that intermediate service via
kadmin, using the ok_to_auth_as_delegate flag.

Thanks again to everyone who replied to my other threads on this!
On Wed, Feb 6, 2019 at 3:49 PM John Byrne <jhnbyrn@gmail.com> wrote:

> Hi,
> I've set up a KDC using LDAP as the backend (krb5 1.15.1 on CentOS 7), and
> I'm trying to perform constrained delegation. However, I'm getting this
> error from the KDC when the intermediate service calls the step() function
> on the security context: "KDC policy rejects request"
> Here's the KDC log:
> Feb 06 15:39:35 localhost.localdomain krb5kdc[13310](info): TGS_REQ (8
> etypes {18 17 20 19 16 23 25 26}) NOT_ALLOWED_TO_DELEGATE:
> authtime 0,  HTTP/www.example.com@EXAMPLE.COM for HTTP/
> datastore.example.com@EXAMPLE.COM, KDC policy rejects request
> I've set the "ok_to_auth_as_delegate" flag on the intermediate service
> principal HTTP/www.example.com, using kadmin.local (output of getprinc
> below).
> Is there something else I need to do to allow this?
> Thanks,
> John
> PS. here's the output of kadmin.local getprinc command for the
> intermediate service principal:
> kadmin.local:  getprinc HTTP/www.example.com
> Principal: HTTP/www.example.com@EXAMPLE.COM
> Expiration date: [never]
> Last password change: Wed Feb 06 14:58:41 EST 2019
> Password expiration date: [never]
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 0 days 00:00:00
> Last modified: Wed Feb 06 15:19:15 EST 2019 (root/admin@EXAMPLE.COM)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 2
> Key: vno 2, aes256-cts-hmac-sha1-96
> Key: vno 2, aes128-cts-hmac-sha1-96
> MKey: vno 1
Kerberos mailing list           Kerberos@mit.edu
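As an added example (not code from the thread or from MIT krb5), the small helper below reads krb5kdc TGS_REQ log lines in the format quoted above, picks out the NOT_ALLOWED_TO_DELEGATE refusals, and writes the LDIF modification the post describes for the intermediate service that was refused. The first sample line is the one from the thread, re-joined where the mail wrapped it; the second, a successful ISSUE line, is constructed to show what the same format looks like once delegation works. The container DN (cn=EXAMPLE.COM) is taken from the post and, as the post says, should be confirmed with ldapsearch rather than guessed; the realm-less krbAllowedToDelegateTo value follows the post's working LDIF.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of krb5kdc log lines. Line 1 is the failure quoted in the
# thread (re-joined); line 2 is a constructed ISSUE line in the same format.
SAMPLE_LOG = """\
Feb 06 15:39:35 localhost.localdomain krb5kdc[13310](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) NOT_ALLOWED_TO_DELEGATE: authtime 0,  HTTP/www.example.com@EXAMPLE.COM for HTTP/datastore.example.com@EXAMPLE.COM, KDC policy rejects request
Feb 06 15:40:01 localhost.localdomain krb5kdc[13310](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1549481999, etypes {rep=18 tkt=18 ses=18}, HTTP/www.example.com@EXAMPLE.COM for HTTP/datastore.example.com@EXAMPLE.COM
"""

# One pattern for the TGS_REQ status line. The client address before the
# status and the "etypes {...}," group after authtime are optional because the
# quoted failure line carries neither.
TGS_REQ_RE = re.compile(
    r"TGS_REQ \(\d+ etypes \{[^}]*\}\) "
    r"(?:(?P<addr>\S+): )?"
    r"(?P<status>[A-Z_]+): authtime (?P<authtime>\d+),\s+"
    r"(?:etypes \{[^}]*\},\s+)?"
    r"(?P<client>\S+) for (?P<server>\S+?)"
    r"(?:,\s*(?P<reason>.*))?$"
)


@dataclass
class TgsReq:
    status: str            # ISSUE, NOT_ALLOWED_TO_DELEGATE, ...
    client: str            # requester; for S4U2Proxy this is the intermediate service
    server: str            # requested service, i.e. the delegation target
    addr: Optional[str]    # client address, when the KDC logged one
    reason: Optional[str]  # trailing error text, when present


def parse_tgs_req(line: str) -> Optional[TgsReq]:
    """Parse one krb5kdc TGS_REQ line; return None for any other line."""
    m = TGS_REQ_RE.search(line.strip())
    if not m:
        return None
    return TgsReq(m["status"], m["client"], m["server"], m["addr"], m["reason"])


def find_delegation_failures(log_text: str) -> list:
    """Return the TGS_REQs the KDC refused with NOT_ALLOWED_TO_DELEGATE."""
    reqs = (parse_tgs_req(line) for line in log_text.splitlines())
    return [r for r in reqs if r is not None and r.status == "NOT_ALLOWED_TO_DELEGATE"]


def strip_realm(principal: str) -> str:
    """HTTP/host@REALM -> HTTP/host, the value form used in the post's LDIF."""
    return principal.rsplit("@", 1)[0]


def build_ldif(req: TgsReq, container_dn: str) -> str:
    """LDIF adding the refused target to the intermediate service's
    krbAllowedToDelegateTo, shaped like the post's entry. container_dn is the
    parent of the principal entry (cn=EXAMPLE.COM in the post); find it with
    ldapsearch against your own directory, as the post did."""
    return (
        f"dn: krbPrincipalName={req.client},{container_dn}\n"
        "changetype: modify\n"
        "add: krbAllowedToDelegateTo\n"
        f"krbAllowedToDelegateTo: {strip_realm(req.server)}\n"
    )


if __name__ == "__main__":
    for failure in find_delegation_failures(SAMPLE_LOG):
        print(f"# {failure.client} refused S4U2Proxy to {failure.server}: {failure.reason}")
        # The other half of the setup from the post: the kadmin flag on the
        # intermediate service (kadmin: modprinc +ok_to_auth_as_delegate <princ>).
        print(f"# also needed: ok_to_auth_as_delegate on {strip_realm(failure.client)}")
        print(build_ldif(failure, "cn=EXAMPLE.COM"))
```

Feed it the real krb5kdc.log and the one LDIF per refused intermediate/target pair can be reviewed and then applied with ldapmodify; the parser returns None for AS_REQ and other line types, so it can run over the whole log unchanged.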