
Re: S4U2self ticket does not have forwardable flag set



Hello Gaurav,

Fred used Windows AD as a KDC and had not used the equivalent setting
in the "Users and Computers" administration program.

Love


On 23 Oct 2007 at 04:24, Gaurav Gupta wrote:

>
>
> Fred, Try this command with the --forwardable flag e.g:
>
> ./kgetcred --delegation-credential-cache=/tmp/krb_user1 --forwardable
> http/master.kerb.asglab.juniper.net
>
> Gaurav
>
> On 10/20/07 12:14 AM, "Zeqing (Fred) Xia" <fxia@juniper.net> wrote:
>
>>
>> Here is the general process I tried. I have a test program of my own, but the
>> result is the same using standard Heimdal commands. Notice that the second
>> ticket has ok-as-delegate set, but not forwardable.
>>
>> Fred
>>
>>
>>
>>
>>> ./kinit http/dev96vm26.asglab.juniper.net
>> http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET's Password: XXXXX
>>
>>> ./klist -v
>> Credentials cache: FILE:/tmp/krb5cc_4523
>>         Principal: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
>>     Cache version: 4
>>
>> Server: krbtgt/KERB.ASGLAB.JUNIPER.NET@KERB.ASGLAB.JUNIPER.NET
>> Client: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
>> Ticket etype: arcfour-hmac-md5, kvno 2
>> Ticket length: 1007
>> Auth time:  Oct 20 00:03:13 2007
>> End time:   Oct 20 10:03:13 2007
>> Ticket flags: initial, pre-authenticated
>> Addresses: addressless
>>
>>> ./kgetcred --forwardable --impersonate=user1 --out-cache=/tmp/krb_user1 http/dev96vm26.asglab.juniper.net
>>> ./klist -v --cache=/tmp/krb_user1
>> Credentials cache: FILE:/tmp/krb_user1
>>         Principal: user1@KERB.ASGLAB.JUNIPER.NET
>>     Cache version: 4
>>
>> Server: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
>> Client: user1@KERB.ASGLAB.JUNIPER.NET
>> Ticket etype: des-cbc-md5, kvno 3
>> Ticket length: 915
>> Auth time:  Oct 20 00:03:13 2007
>> Start time: Oct 20 00:03:58 2007
>> End time:   Oct 20 10:03:13 2007
>> Ticket flags: pre-authenticated, ok-as-delegate
>> Addresses: addressless
>>
>>> ./kgetcred --delegation-credential-cache=/tmp/krb_user1
>>> http/master.kerb.asglab.juniper.net
>> principal: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
>> delegate principal: user1@KERB.ASGLAB.JUNIPER.NET
>> ccache: FILE:/tmp/krb_user1
>> c name: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
>> kgetcred: krb5_get_creds: KDC can't fulfill requested option
>>>
>>>
>>
>> -----Original Message-----
>> From: Zeqing (Fred) Xia
>> Sent: Fri 10/19/2007 11:39 PM
>> To: heimdal-discuss@sics.se
>> Subject: S4U2self ticket does not have forwardable flag set
>>
>>
>> Hi All,
>>
>> According to this document
>>
>> http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/
>>
>> The S4U2self ticket should have a forwardable flag set.
>>
>> However, when I tried to use Heimdal to get an S4U2self ticket, the ticket
>> does not have the forwardable flag set. I do have the account set to "Trust
>> this user for delegation to any service" on the AD server.
>>
>> Does anyone have suggestions on where I should look to solve this?
>>
>> Thanks a lot.
>>
>>
>>
>> Fred
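A small diagnostic for the situation in this thread, added here as an example and not code from the thread or from Heimdal: it parses the `klist -v` output shown above, locates the S4U2self ticket (the one the service holds for a client other than itself) and reports whether it carries the forwardable flag that the later S4U2proxy step (`kgetcred --delegation-credential-cache=...`) depends on. The sample cache text is constructed from the second `klist` listing in the thread.

```python
"""Report whether an S4U2self ticket (kgetcred --impersonate) has the
'forwardable' flag the S4U2proxy step needs. Added example, not code from the
thread; it parses 'klist -v' output in the layout shown there."""
import re

LINE_RE = re.compile(r"\s*([A-Za-z ]+?):\s*(.*)$")

def parse_klist_v(text):
    """Return one dict per ticket block; every block starts with 'Server:'."""
    tickets, current = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # blank separator line
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Server":
            current = {"Server": value}
            tickets.append(current)
        elif current is not None:         # skip the cache header lines
            current[key] = value
    return tickets

def check_s4u2self(klist_text, service):
    """Find the ticket the service holds for a client other than itself (the
    S4U2self ticket) and report the two delegation-relevant flags.
    Returns None when the cache holds no such ticket."""
    for t in parse_klist_v(klist_text):
        if t["Server"] == service and t.get("Client") != service:
            flags = {f.strip() for f in t.get("Ticket flags", "").split(",")}
            return {"client": t["Client"],
                    "forwardable": "forwardable" in flags,
                    "ok_as_delegate": "ok-as-delegate" in flags}
    return None

# Constructed sample modelled on the thread's second 'klist -v' output:
# ok-as-delegate is set, forwardable is not, so S4U2proxy is expected to fail.
SAMPLE = """Credentials cache: FILE:/tmp/krb_user1
        Principal: user1@KERB.ASGLAB.JUNIPER.NET
    Cache version: 4

Server: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
Client: user1@KERB.ASGLAB.JUNIPER.NET
Ticket flags: pre-authenticated, ok-as-delegate
Addresses: addressless
"""

if __name__ == "__main__":
    svc = "http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET"
    r = check_s4u2self(SAMPLE, svc)
    print(r)  # forwardable False, ok_as_delegate True
```

When the check reports `forwardable: False`, the place to look is the delegation setting on the service account in AD, as Love's reply says, rather than the `--forwardable` option of `kgetcred`.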