RE: S4U2self ticket does not have forwardable flag set
Here is the general process I tried. I have a test program of my own, but the result is the same using the standard Heimdal commands. Notice that the second ticket has ok-as-delegate set, but not forwardable.
Fred
> ./kinit http/dev96vm26.asglab.juniper.net
http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET's Password: XXXXX
> ./klist -v
Credentials cache: FILE:/tmp/krb5cc_4523
Principal: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
Cache version: 4
Server: krbtgt/KERB.ASGLAB.JUNIPER.NET@KERB.ASGLAB.JUNIPER.NET
Client: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
Ticket etype: arcfour-hmac-md5, kvno 2
Ticket length: 1007
Auth time: Oct 20 00:03:13 2007
End time: Oct 20 10:03:13 2007
Ticket flags: initial, pre-authenticated
Addresses: addressless
> ./kgetcred --forwardable --impersonate=user1 --out-cache=/tmp/krb_user1 http/dev96vm26.asglab.juniper.net
> ./klist -v --cache=/tmp/krb_user1
Credentials cache: FILE:/tmp/krb_user1
Principal: user1@KERB.ASGLAB.JUNIPER.NET
Cache version: 4
Server: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
Client: user1@KERB.ASGLAB.JUNIPER.NET
Ticket etype: des-cbc-md5, kvno 3
Ticket length: 915
Auth time: Oct 20 00:03:13 2007
Start time: Oct 20 00:03:58 2007
End time: Oct 20 10:03:13 2007
Ticket flags: pre-authenticated, ok-as-delegate
Addresses: addressless
> ./kgetcred --delegation-credential-cache=/tmp/krb_user1 http/master.kerb.asglab.juniper.net
principal: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
delegate principal: user1@KERB.ASGLAB.JUNIPER.NET
ccache: FILE:/tmp/krb_user1
c name: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
kgetcred: krb5_get_creds: KDC can't fulfill requested option
>
>
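As an added illustration (not part of the thread or of Heimdal), the check below parses `klist -v` output like the listings above and reports whether a ticket carries the forwardable flag that S4U2proxy needs in its evidence ticket; ok-as-delegate only says the ticket's server is a policy-approved delegation target, so its presence does not make the final kgetcred succeed. The sample listing is constructed from the second klist output in this message, and the Heimdal error text "KDC can't fulfill requested option" is the KDC_ERR_BADOPTION response this check is meant to predict.

```python
"""Parse Heimdal `klist -v` output and check S4U2proxy readiness.
Added example for this thread; not Heimdal's own code."""
import re

# Constructed sample, modelled on the second klist -v listing in the thread:
# the S4U2self ticket for user1 has ok-as-delegate but no forwardable flag.
SAMPLE_KLIST = """Credentials cache: FILE:/tmp/krb_user1
Principal: user1@KERB.ASGLAB.JUNIPER.NET
Cache version: 4

Server: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
Client: user1@KERB.ASGLAB.JUNIPER.NET
Ticket etype: des-cbc-md5, kvno 3
Ticket length: 915
Auth time: Oct 20 00:03:13 2007
Start time: Oct 20 00:03:58 2007
End time: Oct 20 10:03:13 2007
Ticket flags: pre-authenticated, ok-as-delegate
Addresses: addressless
"""


def parse_klist(text):
    """Return one dict per credential block (a block starts at 'Server:').
    Keys are the lower-cased field names; 'ticket flags' is a set."""
    tickets, current = [], None
    for line in text.splitlines():
        m = re.match(r'^(\w[\w ]*?):\s*(.*)$', line)  # first colon ends the key
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == 'server':
            current = {}
            tickets.append(current)
        if current is None:
            continue  # cache header (Credentials cache, Principal, ...)
        if key == 'ticket flags':
            current[key] = {f.strip() for f in value.split(',') if f.strip()}
        else:
            current[key] = value
    return tickets


def can_delegate(ticket):
    """True only if the ticket is forwardable: S4U2proxy rejects a
    non-forwardable evidence ticket with KDC_ERR_BADOPTION. The
    ok-as-delegate flag describes the server, not this ticket's usability."""
    return 'forwardable' in ticket.get('ticket flags', set())


def diagnose(text):
    """Human-readable verdict for every ticket in a klist -v listing."""
    return [(t.get('server', '?'), 'forwardable: ok for S4U2proxy'
             if can_delegate(t) else 'not forwardable: S4U2proxy will fail')
            for t in parse_klist(text)]
```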
-----Original Message-----
From: Zeqing (Fred) Xia
Sent: Fri 10/19/2007 11:39 PM
To: heimdal-discuss@sics.se
Subject: S4U2self ticket does not have forwardable flag set
Hi All,
According to this document
http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/
The S4U2self ticket should have the forwardable flag set.
However, when I tried to use Heimdal to get an S4U2self ticket, the ticket does not have the forwardable flag set. I do have the account set to "Trust this user for delegation to any service" on the AD server.
Does anyone have suggestions on where I should look to solve this?
Thanks a lot.
Fred