[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: KRB5KRB_AP_ERR_MODIFIED during protocol transition


> On 6/19/07 3:06 AM, "Love Hörnquist Åstrand" <lha@kth.se> wrote:
> 18 jun 2007 kl. 22.42 skrev Gaurav Gupta:
>> I am trying to do Protocol Transition using the Heimdal-0.8 library
>> implementation.
>> I am using the following command to initiate protocol transition:
>> kgetcred --impersonate=<user> <service>
> Not yet with windows, but lets start with this obvjous patch which
> gets us out a little but futher.
> Love
> Index: misc.c
> ===================================================================
> --- misc.c (revision 21030)
> +++ misc.c (working copy)
> @@ -51,6 +51,7 @@
> krb5_clear_error_string(context);
> return ENOMEM;
>       }
> +    krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
>       ret = krb5_store_int32(sp, self->name.name_type);
>       if (ret)
> goto out;

Thanks a ton... Your patch was very helpful. I error went away after
changing the byte order to Little-Endian. I could now complete the
S4U2Self step (i.e. Getting the service ticket to 'self' from the KDC).

Steps 1 & 2:

$ ~/ws/krb-lib/heimdal-0.8.1/kuser/kinit -- forwardable

(Note: For me it was important to use the --forwardable flag to get the TGT,
otherwise KDC returns an error KRB5KDC_ERR_BADOPTION in Step 3)

$ ~/ws/krb-lib/heimdal-0.8.1/kuser/kgetcred --out-cache=FILE:/tmp/pt.cc
--forwardable --impersonate=impersonate.some.domain.com

But now it fails on the S4U2Proxy step i.e. when I use this S4U2Self ticket
to request a service ticket for a delegated service. I would get an error
KRB5KDC_ERR_BADOPTION back from the KDC. The command used is:

Step 3:
$ ~/ws/krb-lib/heimdal-0.8.1/kuser/kgetcred
--delegation-credential-cache=FILE:/tmp/pt.cc --forwardable cifs/cifs-server

I found that problem is that the KDCOptions in the KRB_REQ_BODY are
insufficient even with the --forwardable option. I had to hack the code to
enable the 'Renewable', 'Constrained Delegation' and 'Canonicalize' bits in
the KDCOptions to get it working. After this change, KDC gave me the service
ticket to the cifs service on behalf of the impersonated user.