[11965] in Kerberos-V5-bugs
[krbdev.mit.edu #6902] S4U impersonated credential KRB5_CC_NOT_FOUND
daemon@ATHENA.MIT.EDU (Arlene Berry" via RT)
Fri Apr 15 16:01:42 2011
When using Active Directory you can set the lifetime for TGTs and service tickets to be different. It turns out that an impersonated TGT is subject to the service ticket lifetime setting. gss_init_sec_context is reporting KRB5_CC_NOT_FOUND in this case. It turns out that when the in-memory version of the impersonated TGT is created by kg_compose_deleg_cred, its expiration is being set to the expiration of the original TGT used to obtain the impersonated TGT and not to the end time of the impersonated TGT. When gss_init_sec_context searches for the impersonated TGT in the cache, the search fails because it is matching on the wrong end time. This fixed it for us:
Index: src/lib/gssapi/krb5/s4u_gss_glue.c
===================================================================
--- src/lib/gssapi/krb5/s4u_gss_glue.c (revision 24877)
+++ src/lib/gssapi/krb5/s4u_gss_glue.c (working copy)
@@ -218,7 +218,7 @@
cred->usage = GSS_C_INITIATE;
cred->proxy_cred = !!(subject_creds->ticket_flags & TKT_FLG_FORWARDABLE);
- cred->tgt_expire = impersonator_cred->tgt_expire;
+ cred->tgt_expire = subject_creds->times.endtime;
code = kg_init_name(context, subject_creds->client, NULL, NULL, NULL, 0,
&cred->name);
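Review bot: the new value at `cred->tgt_expire = subject_creds->times.endtime;` is the subject ticket's end time, which is what the cache match compares according to the description, but the field name `tgt_expire` still suggests the impersonator's TGT expiry and nothing in the hunk records why the S4U cred is different. Suggest a one-line comment above the assignment saying that for an impersonated cred the subject ticket's end time is the value the cache lookup keys on, and a check of the other readers of `tgt_expire` (lifetime reporting, re-acquisition) so they agree with the shorter service-ticket lifetime that Active Directory can apply here.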
Arlene Berry
Software Design Engineer
Likewise Software, Inc.
T 425.378.7887 x220 F 425.484.6316 E aberry@likewise.com
15395 SE 30th Place, Suite 140
Bellevue, WA 98007
www.likewise.com
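A small model of the cache lookup failure the report describes, added here as illustration and not code from krb5 or from the reporter; the struct and function names (model_creds, model_gss_cred, model_demo) and the ticket lifetimes are constructed assumptions:

```c
/* Added model of the lookup failure described above; not krb5's own code.
 * Names are hypothetical stand-ins for the krb5_creds and GSS cred fields. */
#include <string.h>
#include <time.h>

#define MODEL_CC_NOT_FOUND (-1765328243) /* stands in for KRB5_CC_NOT_FOUND */
typedef struct {
    const char *client, *server;
    time_t endtime;            /* krb5_creds.times.endtime */
} model_creds;
typedef struct {
    const char *name;          /* cred->name */
    time_t tgt_expire;         /* cred->tgt_expire, the field the hunk changes */
} model_gss_cred;

/* Cache lookup matching on client, server and end time, as the report says
 * gss_init_sec_context does when it searches for the impersonated TGT. */
int model_cc_retrieve(const model_creds *cache, size_t n, const char *client,
                      const char *server, time_t endtime)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(cache[i].client, client) == 0 &&
            strcmp(cache[i].server, server) == 0 && cache[i].endtime == endtime)
            return 0;
    return MODEL_CC_NOT_FOUND;
}

/* Composes the in-memory impersonated cred: fixed == 0 reproduces the bug
 * (expiry copied from the impersonator's TGT), fixed != 0 applies the patch. */
model_gss_cred model_compose_deleg_cred(const model_gss_cred *impersonator,
                                        const model_creds *subject, int fixed)
{
    model_gss_cred cred = { subject->client,
                            fixed ? subject->endtime : impersonator->tgt_expire };
    return cred;
}

/* Constructed scenario: AD issues 10h TGTs but 1h service tickets, so the
 * S4U2Self ticket for alice expires long before svc's own TGT does. */
int model_demo(int fixed)
{
    static const model_creds cache[] = {
        { "svc@EXAMPLE.COM",   "krbtgt/EXAMPLE.COM@EXAMPLE.COM", 36000 },
        { "alice@EXAMPLE.COM", "krbtgt/EXAMPLE.COM@EXAMPLE.COM", 3600 },
    };
    model_gss_cred svc = { "svc@EXAMPLE.COM", 36000 };
    model_gss_cred alice = model_compose_deleg_cred(&svc, &cache[1], fixed);
    return model_cc_retrieve(cache, 2, alice.name, "krbtgt/EXAMPLE.COM@EXAMPLE.COM", alice.tgt_expire);
}
```

model_demo(0) returns the not-found code because the composed cred carries the 10h expiry while the cached S4U ticket ends after 1h; model_demo(1) returns 0.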
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs