
Re: S4U2self ticket does not have forwardable flag set



Hello Fred,

Check the test script tests/kdc/check-kdc.in for all test cases.

I believe you are missing "kadmin modify --constrained-delegation=http/master.kerb.asglab.juniper.net http/dev96vm26.asglab.juniper.net"

or something like this. Note that in pre-heimdal-1.0.2RC2, multiple --constrained-delegation options overwrite the previous entry. In 1.0.2RC2 this is still true, but you can give multiple flags on the same argument line.

Love




On 20 Oct 2007 at 09:14, Zeqing (Fred) Xia wrote:

>
> Here is the general process I tried. I have a test program of my own, but the result is the same using standard Heimdal commands. Notice that the second ticket has ok-as-delegate set, but not forwardable.
>
> Fred
>
>
>
>
>> ./kinit http/dev96vm26.asglab.juniper.net
> http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET's  
> Password: XXXXX
>
>> ./klist -v
> Credentials cache: FILE:/tmp/krb5cc_4523
>         Principal: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
>     Cache version: 4
>
> Server: krbtgt/KERB.ASGLAB.JUNIPER.NET@KERB.ASGLAB.JUNIPER.NET
> Client: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
> Ticket etype: arcfour-hmac-md5, kvno 2
> Ticket length: 1007
> Auth time:  Oct 20 00:03:13 2007
> End time:   Oct 20 10:03:13 2007
> Ticket flags: initial, pre-authenticated
> Addresses: addressless
>
>> ./kgetcred --forwardable --impersonate=user1 --out-cache=/tmp/krb_user1 http/dev96vm26.asglab.juniper.net
>> ./klist -v --cache=/tmp/krb_user1
> Credentials cache: FILE:/tmp/krb_user1
>         Principal: user1@KERB.ASGLAB.JUNIPER.NET
>     Cache version: 4
>
> Server: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
> Client: user1@KERB.ASGLAB.JUNIPER.NET
> Ticket etype: des-cbc-md5, kvno 3
> Ticket length: 915
> Auth time:  Oct 20 00:03:13 2007
> Start time: Oct 20 00:03:58 2007
> End time:   Oct 20 10:03:13 2007
> Ticket flags: pre-authenticated, ok-as-delegate
> Addresses: addressless
>
>> ./kgetcred --delegation-credential-cache=/tmp/krb_user1 http/master.kerb.asglab.juniper.net
> principal: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
> delegate principal: user1@KERB.ASGLAB.JUNIPER.NET
> ccache: FILE:/tmp/krb_user1
> c name: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
> kgetcred: krb5_get_creds: KDC can't fulfill requested option
>>
>>
>
> -----Original Message-----
> From: Zeqing (Fred) Xia
> Sent: Fri 10/19/2007 11:39 PM
> To: heimdal-discuss@sics.se
> Subject: S4U2self ticket does not have forwardable flag set
>
>
> Hi All,
>
> According to this document
>
> http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/
>
> The S4U2self ticket should have a forwardable flag set.
>
> However, when I tried to use Heimdal to get an S4U2self ticket, the ticket does not have the forwardable flag set. I do have the account set to "Trust this user for delegation to any service" on the AD server.
>
> Does anyone have suggestions on where I should look to solve this?
>
> Thanks a lot.
>
>
>
> Fred
>
>
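A small checker for the symptom discussed in this thread, added here as an example (not code from the thread or from Heimdal): it parses `klist -v` output and reports whether the S4U2self ticket for a given service carries the forwardable flag that the S4U2proxy step needs. The sample output is constructed to mirror what Fred posted; hostnames and realm are assumed from the thread.

```python
# Constructed sample modelled on the `klist -v` output quoted in the thread.
# It is assembled here for the example, not copied from a real cache.
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb_user1
        Principal: user1@KERB.ASGLAB.JUNIPER.NET
    Cache version: 4

Server: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
Client: user1@KERB.ASGLAB.JUNIPER.NET
Ticket etype: des-cbc-md5, kvno 3
Ticket length: 915
Auth time:  Oct 20 00:03:13 2007
Start time: Oct 20 00:03:58 2007
End time:   Oct 20 10:03:13 2007
Ticket flags: pre-authenticated, ok-as-delegate
Addresses: addressless
"""


def parse_klist_v(text):
    """Split `klist -v` output into one dict per credential.
    Keys are the field names ('Server', 'Ticket flags', ...); the extra key
    'flags' holds the 'Ticket flags' value parsed into a set of flag names."""
    creds, current = [], None
    for line in text.splitlines():
        if line.startswith("Server:"):      # each credential block starts here
            current = {}
            creds.append(current)
        if current is None or ":" not in line:
            continue                          # cache header or blank line
        key, _, value = line.partition(":")   # first ':' only; times contain ':'
        current[key.strip()] = value.strip()
    for c in creds:
        raw = c.get("Ticket flags", "")
        c["flags"] = {f.strip() for f in raw.split(",") if f.strip()}
    return creds


def s4u2self_delegation_problems(text, service):
    """Return the reasons an S4U2self ticket for `service` could not be used
    for S4U2proxy: it must exist and carry the forwardable flag.
    An empty list means the KDC issued what constrained delegation needs."""
    tickets = [c for c in parse_klist_v(text)
               if c.get("Server", "").startswith(service + "@")]
    if not tickets:
        return [f"no ticket for {service} in cache"]
    problems = []
    for t in tickets:
        if "forwardable" not in t["flags"]:
            flags = ", ".join(sorted(t["flags"]))
            problems.append(f"ticket for {t['Server']} lacks 'forwardable' (flags: {flags})")
    return problems
```

Run it over the output of `klist -v --cache=/tmp/krb_user1`; an empty result means the ticket is forwardable, otherwise the KDC-side delegation entry Love describes is the first thing to check.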