[16081] in Kerberos-V5-bugs
[krbdev.mit.edu #8714] klist doesn't display LSA TGTs
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Mon Jul 16 12:36:10 2018
Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Greg Hudson via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8714@krbdev.mit.edu>
Message-ID: <rt-8714-48714.5.43368792164252@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8714'":;
Date: Mon, 16 Jul 2018 12:36:03 -0400 (EDT)
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
Unless HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
AllowTGTSessionKey is set (and this may not operate in recent
versions of Windows 10), klist will silently omit TGTs when
displaying an MSLSA ccache.
Leash gets around this by setting the KRB5_TC_NOTICKET flag on the
cache. This flag causes cc_mslsa.c to construct the creds structure
based solely on the KERB_TICKET_CACHE_INFO_EX2 metadata, and to
ignore the session key being all zeros. The resulting cred structure
does not contain an encoded ticket. I am not sure whether it would
be possible to retrieve the encoded ticket for a TGT in the LSA (that
is, does a KerbRetrieveEncodedTicketMessage
LsaCallAuthenticationPackage() call fail for these entries) or if all
we really needed to do was ignore the zeroed session key.
klist examines the decoded if the -e flag is specified, to get the
enctype of the ticket. It also displays the ticket field for config
entries. I am not sure whether storing config entries in an MSLSA
ccache works.
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs