
Re: KRB5KRB_AP_ERR_MODIFIED during protocol transition
> On 6/20/07 9:19 PM, "Love Hörnquist Åstrand" <lha@kth.se> wrote:
>> Step 3:
>> -------
>> $ ~/ws/krb-lib/heimdal-0.8.1/kuser/kgetcred --delegation-credential-cache=FILE:/tmp/pt.cc --forwardable cifs/cifs-server
>> 
>> I found that problem is that the KDCOptions in the KRB_REQ_BODY are
>> insufficient even with the --forwardable option. I had to hack the
>> code to enable the 'Renewable', 'Constrained Delegation' and
>> 'Canonicalize' bits in the KDCOptions to get it working. After this
>> change, KDC gave me the service ticket to the cifs service on behalf
>> of the impersonated user.
> 
> I only seem to need Constrained Delegation,

You are right, it should only need the Constrained Delegation bit. I did not
try it without the other options, so did not want to speculate.

> however, but there is the confusion
> if it's bit 14 or bit 16. Bit 16 doesn't work, but bit 14 seems to be
> claimed for anonymous support...

Bit 14 definitely works; I don't know what bit 16 is though. Newer versions of
Wireshark (I am using 0.99.5) understand this bit and describe it as
'Constrained Delegation'. I checked RFC 4120 and it does not specify either.
Can you point me to some document that discusses one over the other?

Thanks,
Gaurav
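An added example, not part of this thread, that encodes and decodes the KDCOptions KerberosFlags BIT STRING of RFC 4120 so the bit-14-versus-bit-16 question can be checked against the octets in a captured KRB-REQ-BODY. Bit names come from RFC 4120 section 5.4.1; the name for bit 14 is the Wireshark label the thread reports, and bits RFC 4120 leaves unnamed are reported by number.

```python
# Example code added for illustration; not from the thread or from Heimdal.
from typing import Dict, Iterable, Set

# RFC 4120 section 5.4.1 KDCOptions bit names. Bit 14 is not assigned there;
# the label below is the one Wireshark displays, as reported in the thread.
KDC_OPTION_NAMES: Dict[int, str] = {
    0: "reserved", 1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable", 11: "opt-hardware-auth",
    14: "constrained-delegation",   # Wireshark label, not in RFC 4120
    15: "canonicalize",             # RFC 4120: "15 is reserved for canonicalize"
    26: "disable-transited-check", 27: "renewable-ok", 28: "enc-tkt-in-skey",
    30: "renew", 31: "validate",
}


def encode_kdc_options(bits: Iterable[int]) -> bytes:
    """KerberosFlags: bit 0 is the most significant bit of the first octet."""
    value = 0
    for bit in bits:
        if not 0 <= bit < 32:
            raise ValueError(f"KDCOptions bit out of range: {bit}")
        value |= 1 << (31 - bit)
    return value.to_bytes(4, "big")


def der_bit_string(flags: bytes) -> bytes:
    """Wrap the 32 flag bits as a DER BIT STRING (tag 0x03, zero unused bits)."""
    return bytes([0x03, len(flags) + 1, 0x00]) + flags


def decode_kdc_options(der: bytes) -> Set[int]:
    """Parse a DER BIT STRING back into the set of KDCOptions bit numbers."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed DER BIT STRING")
    unused, body = der[2], der[3:]
    value = int.from_bytes(body, "big")
    total = len(body) * 8
    # Bit i of a KerberosFlags value is the i-th bit counted from the MSB.
    return {i for i in range(total - unused) if (value >> (total - 1 - i)) & 1}


def describe(bits: Set[int]) -> Dict[int, str]:
    """Name each set bit the way a dissector would, numbering unassigned ones."""
    return {b: KDC_OPTION_NAMES.get(b, f"unassigned-bit-{b}") for b in sorted(bits)}


if __name__ == "__main__":
    # The two variants discussed in the thread: forwardable plus bit 14 or bit 16.
    for bits in ({1, 14}, {1, 16}):
        der = der_bit_string(encode_kdc_options(bits))
        print(der.hex(), describe(decode_kdc_options(der)))
```

Compare the printed hex against the KDCOptions octets in a Wireshark capture of the KRB-REQ-BODY to see which bit the client actually set.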