Re: S4U2self ticket does not have forwardable flag set
Fred, try this command with the --forwardable flag, e.g.:
./kgetcred --delegation-credential-cache=/tmp/krb_user1 --forwardable http/master.kerb.asglab.juniper.net
Gaurav
On 10/20/07 12:14 AM, "Zeqing (Fred) Xia" <fxia@juniper.net> wrote:
>
> Here is the general process I tried. I have a test program of my own, but the
> result is the same using standard Heimdal commands. Notice that the second
> ticket has ok-as-delegate set, but not forwardable.
>
> Fred
>
>> ./kinit http/dev96vm26.asglab.juniper.net
> http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET's Password: XXXXX
>
>> ./klist -v
> Credentials cache: FILE:/tmp/krb5cc_4523
> Principal: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
> Cache version: 4
>
> Server: krbtgt/KERB.ASGLAB.JUNIPER.NET@KERB.ASGLAB.JUNIPER.NET
> Client: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
> Ticket etype: arcfour-hmac-md5, kvno 2
> Ticket length: 1007
> Auth time: Oct 20 00:03:13 2007
> End time: Oct 20 10:03:13 2007
> Ticket flags: initial, pre-authenticated
> Addresses: addressless
>
>> ./kgetcred --forwardable --impersonate=user1 --out-cache=/tmp/krb_user1
>> http/dev96vm26.asglab.juniper.net
>> ./klist -v --cache=/tmp/krb_user1
> Credentials cache: FILE:/tmp/krb_user1
> Principal: user1@KERB.ASGLAB.JUNIPER.NET
> Cache version: 4
>
> Server: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
> Client: user1@KERB.ASGLAB.JUNIPER.NET
> Ticket etype: des-cbc-md5, kvno 3
> Ticket length: 915
> Auth time: Oct 20 00:03:13 2007
> Start time: Oct 20 00:03:58 2007
> End time: Oct 20 10:03:13 2007
> Ticket flags: pre-authenticated, ok-as-delegate
> Addresses: addressless
>
>> ./kgetcred --delegation-credential-cache=/tmp/krb_user1
>> http/master.kerb.asglab.juniper.net
> principal: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
> delegate principal: user1@KERB.ASGLAB.JUNIPER.NET
> ccache: FILE:/tmp/krb_user1
> c name: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
> kgetcred: krb5_get_creds: KDC can't fulfill requested option
>
> -----Original Message-----
> From: Zeqing (Fred) Xia
> Sent: Fri 10/19/2007 11:39 PM
> To: heimdal-discuss@sics.se
> Subject: S4U2self ticket does not have forwardable flag set
>
>
> Hi All,
>
> According to this document
>
> http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/
>
> The S4U2self ticket should have a forwardable flag set.
>
> However, when I tried to use Heimdal to get an S4U2self ticket, the ticket does
> not have the forwardable flag set. I do have the account set to "Trust this user
> for delegation to any service" on the AD server.
>
> Does anyone have suggestions on where I should look to solve this?
>
> Thanks a lot.
>
> Fred
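The ticket-flag check this thread turns on, as an added example that is not part of the original messages: it parses `klist -v` output and reports which tickets lack the `forwardable` flag, so the failing S4U2self ticket is identified before the S4U2proxy request is attempted. The sample output is constructed, modelled on the caches shown above.

```shell
# Added diagnostic helper, not from the thread: parse `klist -v` output and
# report per ticket whether the "forwardable" flag is present.
check_forwardable() {
    # $1: file holding `klist -v` output. Prints "<server> <client> <status>"
    # per ticket; returns 1 if any ticket lacks the forwardable flag.
    awk '
        /^Server:/ { server = $2 }
        /^Client:/ { client = $2 }
        /^Ticket flags:/ {
            flags = substr($0, index($0, ":") + 2)
            n = split(flags, f, /, */)
            status = "NOT-forwardable"
            for (i = 1; i <= n; i++) if (f[i] == "forwardable") status = "forwardable"
            if (status != "forwardable") bad = 1
            print server, client, status
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

sample_klist_output() {
    # Constructed sample modelled on the caches in the thread: a forwardable
    # TGT followed by an S4U2self ticket that carries only ok-as-delegate.
    cat <<'EOF'
Credentials cache: FILE:/tmp/krb_user1
Principal: user1@KERB.ASGLAB.JUNIPER.NET
Cache version: 4

Server: krbtgt/KERB.ASGLAB.JUNIPER.NET@KERB.ASGLAB.JUNIPER.NET
Client: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
Ticket flags: forwardable, initial, pre-authenticated
Addresses: addressless

Server: http/dev96vm26.asglab.juniper.net@KERB.ASGLAB.JUNIPER.NET
Client: user1@KERB.ASGLAB.JUNIPER.NET
Ticket flags: pre-authenticated, ok-as-delegate
Addresses: addressless
EOF
}

# Demo on the constructed sample. Against a live cache:
#   klist -v --cache=/tmp/krb_user1 > /tmp/klist.out && check_forwardable /tmp/klist.out
tmp=$(mktemp)
sample_klist_output > "$tmp"
check_forwardable "$tmp" || echo "a ticket is not forwardable; the S4U2proxy request will be refused"
rm -f "$tmp"
```

A ticket reported as NOT-forwardable is the one to inspect; the KDC decides that flag from the service account's delegation settings, which is where the thread's question points.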