
Re: KRB5KRB_AP_ERR_MODIFIED during protocol transition



Inline...

> On 6/19/07 3:06 AM, "Love Hörnquist Åstrand" <lha@kth.se> wrote:
> 
> 18 jun 2007 kl. 22.42 skrev Gaurav Gupta:
> 
>> 
>> I am trying to do Protocol Transition using the Heimdal-0.8 library
>> implementation.
>> I am using the following command to initiate protocol transition:
>> kgetcred --impersonate=<user> <service>
> 
> Not yet with windows, but let's start with this obvious patch which
> gets us out a little bit further.
> 
> Love
> 
> 
> Index: misc.c
> ===================================================================
> --- misc.c (revision 21030)
> +++ misc.c (working copy)
> @@ -51,6 +51,7 @@
> krb5_clear_error_string(context);
> return ENOMEM;
>       }
> +    krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
>       ret = krb5_store_int32(sp, self->name.name_type);
>       if (ret)
> goto out;
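Review bot: the added `krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);` has no comment explaining why this one storage must be little-endian while Heimdal storages otherwise default to network (big-endian) order, which invites a later reader to "fix" it back; add a one-line comment above it stating that the Windows KDC computes the S4U2Self PA-FOR-USER checksum over a little-endian name-type, which is why the KRB5KRB_AP_ERR_MODIFIED reported in this thread goes away. Since the flag applies to every subsequent integer written through `sp`, not only `krb5_store_int32(sp, self->name.name_type)`, it is also worth confirming that nothing else stored through the same handle (such as length prefixes) is expected big-endian by the peer.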


Thanks a ton... Your patch was very helpful. The error went away after
changing the byte order to Little-Endian. I could now complete the
S4U2Self step (i.e., getting the service ticket to 'self' from the KDC).

Steps 1 & 2:
------------

$ ~/ws/krb-lib/heimdal-0.8.1/kuser/kinit --forwardable delegate@some.domain.com

(Note: For me it was important to use the --forwardable flag to get the TGT,
otherwise KDC returns an error KRB5KDC_ERR_BADOPTION in Step 3)

$ ~/ws/krb-lib/heimdal-0.8.1/kuser/kgetcred --out-cache=FILE:/tmp/pt.cc --forwardable --impersonate=impersonate.some.domain.com delegate@some.domain.com

But now it fails on the S4U2Proxy step, i.e., when I use this S4U2Self ticket
to request a service ticket for a delegated service. I would get an error
KRB5KDC_ERR_BADOPTION back from the KDC. The command used is:

Step 3:
-------
$ ~/ws/krb-lib/heimdal-0.8.1/kuser/kgetcred --delegation-credential-cache=FILE:/tmp/pt.cc --forwardable cifs/cifs-server

I found that the problem is that the KDCOptions in the KRB_REQ_BODY are
insufficient even with the --forwardable option. I had to hack the code to
enable the 'Renewable', 'Constrained Delegation' and 'Canonicalize' bits in
the KDCOptions to get it working. After this change, KDC gave me the service
ticket to the cifs service on behalf of the impersonated user.

Thanks,
Gaurav
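As an added illustration (not code from this thread or from Heimdal), the following Python snippet encodes and decodes the KDCOptions BIT STRING of a KDC-REQ-BODY using the RFC 4120 / MS-KILE bit numbers, so a captured S4U2Proxy request can be checked for the bits Gaurav had to enable: forwardable (1), renewable (8), the bit he calls 'Constrained Delegation' (cname-in-addl-tkt, 14) and canonicalize (15). The bit names and the S4U2PROXY_OPTIONS tuple are this example's own assumptions, not Heimdal's struct fields.

```python
# Added example: build and parse the KDCOptions BIT STRING of a KDC-REQ-BODY.
# Bit numbers follow RFC 4120 sec. 5.4.1 and MS-KILE: bit 0 is the most
# significant bit of the first octet, so "forwardable" (bit 1) is 0x40000000.
import struct

KDC_OPTION_BITS = {
    "forwardable": 1,
    "forwarded": 2,
    "proxiable": 3,
    "proxy": 4,
    "renewable": 8,
    "cname-in-addl-tkt": 14,   # Microsoft constrained delegation (S4U2Proxy)
    "canonicalize": 15,
    "disable-transited-check": 26,
    "renewable-ok": 27,
    "enc-tkt-in-skey": 28,
    "renew": 30,
    "validate": 31,
}

# Assumed set of bits for the S4U2Proxy request described in the message above.
S4U2PROXY_OPTIONS = ("forwardable", "renewable", "cname-in-addl-tkt", "canonicalize")


def kdc_options_mask(names):
    """Return the 32-bit KDCOptions value with the named bits set."""
    mask = 0
    for name in names:
        mask |= 1 << (31 - KDC_OPTION_BITS[name])
    return mask


def encode_kdc_options(names):
    """DER-encode KDCOptions as a 32-bit BIT STRING: tag 0x03, length 5, 0 unused bits."""
    return b"\x03\x05\x00" + struct.pack(">I", kdc_options_mask(names))


def decode_kdc_options(der):
    """Parse a DER-encoded 32-bit KDCOptions BIT STRING into the set of named bits."""
    if len(der) < 7 or der[0] != 0x03 or der[1] != 5 or der[2] != 0:
        raise ValueError("not a 32-bit KDCOptions BIT STRING")
    mask = struct.unpack(">I", der[3:7])[0]
    return {n for n, bit in KDC_OPTION_BITS.items() if mask & (1 << (31 - bit))}


if __name__ == "__main__":
    der = encode_kdc_options(S4U2PROXY_OPTIONS)
    print(der.hex(), sorted(decode_kdc_options(der)))
```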