[37250] in Kerberos
impersonation issue, wrong principal
daemon@ATHENA.MIT.EDU (Martin Gee)
Thu Oct 8 09:11:13 2015
Date: Thu, 8 Oct 2015 13:10:34 +0000 (UTC)
From: Martin Gee <geemang_2000@yahoo.com>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Message-ID: <43557698.793909.1444309834810.JavaMail.yahoo@mail.yahoo.com>
Folks,
Would really appreciate some help with the following.
Krb5 Version: 1.13.2
Desc: I'm implementing constrained delegation. I've wiresharked what I believe is the issue. Issue: the TGS-REP->Client Name(Principal) on gss_init_sec_context is NOT using my impersonated user cred. I believe the problem shows itself in step #3 below where the Client Principal is using the gss_service_name NOT the gss_user_name.
Here is pseudo code.
Setup: /etc/krb5.conf & /etc/krb5.keytab
NOTE: these have been confirmed to work with a GSS Java program

Code:

    // import_name these
    gss_service_name = "host/centos.practice.com@PRACTICE.COM";
    gss_user_name    = "user1@PRACTICE.COM";
    gss_host_name    = "HTTP@test1.practice.com";

    // creds
    service_cred;
    user_cred;

    // #1 build /tmp/ccache, create service_cred
    gss_acquire_cred(&minor, gss_service_name, GSS_C_INDEFINITE, &mechset_krb5,
                     GSS_C_INITIATE, &service_cred, NULL, &time_rec);

    // Protocol
    //   AS-REQ  Client Name: host/centos.practice.com
    //           Server Name: krbtgt/PRACTICE.COM
    //   AS-REP  Client Name: host/centos.practice.com
    //           Ticket -> Realm: PRACTICE.COM
    //                  -> Server Name: krbtgt/PRACTICE.COM

    // #2 create impersonated user_cred
    gss_acquire_cred_impersonate_name(&minor, service_cred, gss_user_name,
                                      GSS_C_INDEFINITE, &mechset_krb5, GSS_C_INITIATE,
                                      &user_cred, NULL, &time_rec);

    // Protocol
    //   AS-REQ  padata -> Ticket: krbtgt/PRACTICE.COM
    //           padata -> PA-FOR-USER -> Client Name: user1
    //                                 -> Realm: PRACTICE.COM
    //                                 -> S4U2Self Auth: Kerberos
    //           req-body -> Server Name: host/centos.practice.com
    //           req-body -> Realm: PRACTICE.COM
    //   AS-REP  Client Realm: PRACTICE.COM
    //           Client Name: user1
    //           Ticket -> Realm: PRACTICE.COM
    //                  -> Server Name: host/centos.practice.com

    // #3 create context for impersonated user
    gss_init_sec_context(&minor, user_cred, &initiator_context, gss_host_name, &mech_spnego,
                         GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_CONF_FLAG,
                         GSS_C_INDEFINITE, NULL, &in_token, NULL, &out_token, NULL, &time_rec);

    // Protocol
    //   AS-REQ  padata -> Ticket: krbtgt/PRACTICE.COM
    //           req-body -> Server Name: http/test1.practice.com
    //           req-body -> Realm: PRACTICE.COM
    //   AS-REP  Client Name (Principal): host/centos.practice.com   ( I BELIEVE THIS SHOULD BE user1 instead )
    //           Ticket -> Realm: PRACTICE.COM
    //                  -> Server Name: http/test1.practice.com
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos