[20498] in Kerberos_V5_Development
S4U2Proxy
daemon@ATHENA.MIT.EDU (Rajbir Chahal via krbdev)
Mon Aug 12 17:23:43 2024
To: "krbdev@mit.edu" <krbdev@mit.edu>
Date: Mon, 12 Aug 2024 15:21:05 +0000
Message-ID: <SJ0PR10MB5744049246FB3224D9FD94DE82852@SJ0PR10MB5744.namprd10.prod.outlook.com>
From: Rajbir Chahal via krbdev <krbdev@mit.edu>
Reply-To: Rajbir Chahal <rajbir.chahal@oracle.com>
Hello,
I am using a sample program to test S4U2Proxy functionality. The KDC is set up to use the default KDB module, db2.
On calling krb5_get_credentials_for_proxy(), the MIT KDC returns error
'-1765328371/KDC can't fulfill requested option'.
krb5kdc.log has this log message:
Aug 02 16:15:40 phoenix535877 krb5kdc[389029](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18),
aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25),
camellia256-cts-cmac(26)}) 100.70.104.158: UNSUPPORTED_S4U2PROXY_REQUEST: authtime 1722614569,
cdbsvc2X/phx98444.dev3sub2phx.com@TESTMITKDC.SECTEST2024.COM
for cdbdst1/phx98444.dev3sub2phx.com@TESTMITKDC.SECTEST2024.COM,
KDC can't fulfill requested option
In the KDC, krb5_db_allowed_to_delegate_from() returns KRB5_PLUGIN_OP_NOTSUPP because 'v->allowed_to_delegate_from == NULL'.
Is S4U2Proxy not supported by the default KDB module (db2)?
Thanks,
Rajbir