[16081] in Kerberos-V5-bugs


[krbdev.mit.edu #8714] klist doesn't display LSA TGTs

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Mon Jul 16 12:36:10 2018

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Greg Hudson via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8714@krbdev.mit.edu>
Message-ID: <rt-8714-48714.5.43368792164252@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8714'":;
Date: Mon, 16 Jul 2018 12:36:03 -0400 (EDT)
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu

Unless HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos 
AllowTGTSessionKey is set (and this may not operate in recent 
versions of Windows 10), klist will silently omit TGTs when 
displaying an MSLSA ccache.

Leash gets around this by setting the KRB5_TC_NOTICKET flag on the 
cache.  This flag causes cc_mslsa.c to construct the creds structure 
based solely on the KERB_TICKET_CACHE_INFO_EX2 metadata, and to 
ignore the session key being all zeros.  The resulting cred structure 
does not contain an encoded ticket.  I am not sure whether it would 
be possible to retrieve the encoded ticket for a TGT in the LSA (that 
is, does a KerbRetrieveEncodedTicketMessage 
LsaCallAuthenticationPackage() call fail for these entries) or if all 
we really needed to do was ignore the zeroed session key.

klist examines the decoded ticket if the -e flag is specified, to get the 
enctype of the ticket.  It also displays the ticket field for config 
entries.  I am not sure whether storing config entries in an MSLSA 
ccache works.

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
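The following is an added model of the behaviour the ticket describes; it is not MIT's cc_mslsa.c and not klist. It reproduces, on constructed data, the decision rule the report gives: without the KRB5_TC_NOTICKET flag an LSA entry whose session key is all zeros (the TGT when AllowTGTSessionKey is unset) is silently dropped, and with the flag the cred is built from the KERB_TICKET_CACHE_INFO_EX2-style metadata alone, with the zero key ignored and no encoded ticket attached. The struct names, the sample principals, the enctype number and the ticket lengths are all constructed; against a real MSLSA ccache the equivalent step is calling krb5_cc_set_flags(ctx, cc, KRB5_TC_NOTICKET) before krb5_cc_start_seq_get(), which is what the message says Leash does.

```c
/* Model of the MSLSA ccache enumeration rule described in krbdev #8714.
 * Constructed example, not MIT krb5 code. */
#include <stdio.h>
#include <string.h>

#define MODEL_TC_NOTICKET 0x00000002u  /* numeric value of KRB5_TC_NOTICKET in krb5.h */
#define KEYLEN 32
#define MAX_ENTRIES 8

/* Subset of what the LSA reports per ticket (modelled on KERB_TICKET_CACHE_INFO_EX2
 * plus the retrieved session key and encoded-ticket length). Field names are constructed. */
struct lsa_entry {
    const char *client;
    const char *server;
    int enctype;
    unsigned char session_key[KEYLEN];
    size_t ticket_len;
};

/* What the ccache layer hands back to klist. */
struct cred {
    const char *client;
    const char *server;
    int enctype;
    int has_session_key;
    size_t ticket_len;   /* 0 means no encoded ticket in the cred */
};

static int key_is_zero(const unsigned char *key, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (key[i] != 0)
            return 0;
    return 1;
}

/* Enumerate LSA entries into creds; returns the number produced.
 * Without MODEL_TC_NOTICKET, zero-key entries are omitted (the reported klist behaviour).
 * With it, every entry yields a metadata-only cred with no encoded ticket. */
int enumerate_creds(const struct lsa_entry *entries, int n, unsigned flags,
                    struct cred *out, int max)
{
    int count = 0;
    for (int i = 0; i < n && count < max; i++) {
        const struct lsa_entry *e = &entries[i];
        int zero = key_is_zero(e->session_key, KEYLEN);
        if (!(flags & MODEL_TC_NOTICKET) && zero)
            continue;                       /* silently dropped: this is the bug */
        out[count].client = e->client;
        out[count].server = e->server;
        out[count].enctype = e->enctype;
        out[count].has_session_key = !zero;
        out[count].ticket_len = (flags & MODEL_TC_NOTICKET) ? 0 : e->ticket_len;
        count++;
    }
    return count;
}

/* Constructed sample cache: one TGT whose session key the LSA zeroed,
 * one service ticket with a usable key. Returns the entry count. */
int build_sample_cache(struct lsa_entry *e)
{
    memset(e, 0, 2 * sizeof(*e));
    e[0].client = "user@EXAMPLE.COM";
    e[0].server = "krbtgt/EXAMPLE.COM@EXAMPLE.COM";
    e[0].enctype = 18;                      /* aes256-cts-hmac-sha1-96 */
    /* e[0].session_key stays all zeros: AllowTGTSessionKey is unset */
    e[0].ticket_len = 1234;                 /* constructed length */
    e[1].client = "user@EXAMPLE.COM";
    e[1].server = "cifs/fileserver.example.com@EXAMPLE.COM";
    e[1].enctype = 18;
    memset(e[1].session_key, 0xAB, KEYLEN); /* constructed non-zero key */
    e[1].ticket_len = 980;
    return 2;
}

/* Convenience wrapper: enumerate the sample cache with the given flags. */
int list_creds(unsigned flags, struct cred *out, int max)
{
    struct lsa_entry cache[MAX_ENTRIES];
    int n = build_sample_cache(cache);
    return enumerate_creds(cache, n, flags, out, max);
}

static void show(const char *title, unsigned flags)
{
    struct cred creds[MAX_ENTRIES];
    int n = list_creds(flags, creds, MAX_ENTRIES);
    printf("%s (%d entries)\n", title, n);
    for (int i = 0; i < n; i++)
        printf("  %s -> %s  enctype=%d  key=%s  ticket=%zu bytes\n",
               creds[i].client, creds[i].server, creds[i].enctype,
               creds[i].has_session_key ? "present" : "zeroed", creds[i].ticket_len);
}

int main(void)
{
    show("default flags", 0);                       /* TGT is missing */
    show("KRB5_TC_NOTICKET", MODEL_TC_NOTICKET);    /* TGT listed, no encoded ticket */
    return 0;
}
```

The second listing also shows why `klist -e` is the awkward case the message raises: with the flag set, the cred carries no encoded ticket, so there is nothing to decode for the enctype display.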
