Folks,

Would really appreciate some help with the following.

Krb5 Version: 1.13.2

Desc: I'm implementing constrained delegation. I've wiresharked what I believe is the issue.

Issue: the TGS-REP -> Client Name (Principal) on gss_init_sec_context is NOT using my impersonated user cred. I believe the problem shows itself in step #3 below, where the Client Principal is using the gss_service_name, NOT the gss_user_name.

Here is pseudo code.

Setup: /etc/krb5.conf & /etc/krb5.keytab
NOTE: these have been confirmed to work with a GSS Java program.

Code:

    OM_uint32 major, minor, time_rec;
    gss_name_t gss_service_name, gss_user_name, gss_host_name;
    gss_cred_id_t service_cred = GSS_C_NO_CREDENTIAL, user_cred = GSS_C_NO_CREDENTIAL;
    gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT;
    gss_buffer_desc in_token = GSS_C_EMPTY_BUFFER, out_token = GSS_C_EMPTY_BUFFER;

    // import_name these
    gss_service_name = "host/centos.practice....@practice.com";
    gss_user_name    = "us...@practice.com";
    gss_host_name    = "h...@test1.practice.com";

    // #1 build /tmp/ccache, create service_cred
    major = gss_acquire_cred(&minor, gss_service_name, GSS_C_INDEFINITE, &mechset_krb5,
                             GSS_C_INITIATE, &service_cred, NULL, &time_rec);

    Protocol:
      AS-REQ   Client Name: host/centos.practice.com
               Server Name: krbtgt/PRACTICE.COM
      AS-REP   Client Name: host/centos.practice.com
               Ticket -> Realm: PRACTICE.COM
                      -> Server Name: krbtgt/PRACTICE.COM

    // #2 create impersonated user_cred
    major = gss_acquire_cred_impersonate_name(&minor, service_cred, gss_user_name, GSS_C_INDEFINITE,
                                              &mechset_krb5, GSS_C_INITIATE, &user_cred, NULL, &time_rec);

    Protocol:
      AS-REQ   padata -> Ticket: krbtgt/PRACTICE.COM
               padata -> PA-FOR-USER -> Client Name: user1
                                     -> Realm: PRACTICE.COM
                                     -> S4U2Self Auth: Kerberos
               req-body -> Server Name: host/centos.practice.com
               req-body -> Realm: PRACTICE.COM
      AS-REP   Client Realm: PRACTICE.COM
               Client Name: user1
               Ticket -> Realm: PRACTICE.COM
                      -> Server Name: host/centos.practice.com

    // #3 Create context for imp user.
    major = gss_init_sec_context(&minor, user_cred, &initiator_context, gss_host_name, &mech_spnego,
                                 GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_CONF_FLAG,
                                 GSS_C_INDEFINITE, NULL, &in_token, NULL, &out_token, NULL, &time_rec);

    Protocol:
      AS-REQ   padata -> Ticket: krbtgt/PRACTICE.COM
               req-body -> Server Name: http/test1.practice.com
               req-body -> Realm: PRACTICE.COM
      AS-REP   Client Name (Principal): host/centos.practice.com   ( I BELIEVE THIS SHOULD BE user1 instead )
               Ticket -> Realm: PRACTICE.COM
                      -> Server Name: http/test1.practice.com
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
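For anyone reproducing this outside the C program: the script below is an added example, not code from the original post and not MIT's, that runs the same three exchanges (service TGT, S4U2Self, S4U2Proxy) with kinit and kvno, then checks from `klist -f` output the precondition step #3 depends on. The KDC accepts an S4U2Proxy request only if the evidence ticket from step #2 is forwardable (KDC_ERR_BADOPTION otherwise) and is for the impersonated user, and an MIT KDC issues forwardable S4U2Self tickets only to a service with +ok_to_auth_as_delegate. Principal names are taken from the post; the keytab and ccache paths are assumptions, and the klist output used for the offline check is constructed, not captured.

```sh
#!/bin/sh
# Added example, not code from the original post. Drives the post's three
# steps (service TGT, S4U2Self, S4U2Proxy) with the MIT krb5 tools kinit and
# kvno, then checks from `klist -f` output that the S4U2Self ticket from step
# #2 is forwardable and is for the impersonated user. The KDC refuses the
# S4U2Proxy request that step #3 makes (KDC_ERR_BADOPTION) unless that
# evidence ticket is forwardable, and MIT's KDC only issues forwardable
# S4U2Self tickets to a service that has +ok_to_auth_as_delegate.
# Assumptions: principal names as in the post, keytab and ccache paths below,
# and the sample klist output (constructed, not captured).

SERVICE='host/centos.practice.com@PRACTICE.COM'   # delegating service (step #1 cred)
IMPERSONATED='user1@PRACTICE.COM'                 # user to impersonate (step #2)
TARGET='http/test1.practice.com@PRACTICE.COM'     # delegation target (step #3)
KEYTAB=/etc/krb5.keytab                           # assumed path
KRB5CCNAME=FILE:/tmp/ccache; export KRB5CCNAME    # assumed path

# Live run against the KDC; every ticket lands in $KRB5CCNAME.
# kvno -U does S4U2Self; kvno -U ... -P uses that ticket as evidence for S4U2Proxy.
get_tickets() {
    kinit -k -t "$KEYTAB" "$SERVICE" || return 1       # step #1: TGT for the service
    kvno -U "$IMPERSONATED" "$SERVICE" || return 1     # step #2: S4U2Self evidence ticket
    kvno -U "$IMPERSONATED" -P "$TARGET" || return 1   # step #3: S4U2Proxy to the target
}

# Reads `klist -f` output on stdin. Succeeds only if the ticket whose service
# principal is $2 is marked "for client $1" and carries the F (forwardable) flag;
# both are preconditions for the S4U2Proxy exchange in step #3.
s4u2self_ticket_ok() {
    awk -v user="$1" -v svc="$2" '
        found && /Flags:/ {                             # flags line of the matching ticket
            ok = (index($0, "for client " user) > 0)    # client is the user, not the service
            split($0, parts, "Flags: ")
            if (index(parts[2], "F") == 0) ok = 0       # evidence ticket must be forwardable
            exit
        }
        $NF == svc { found = 1; next }                  # ticket line: dates, then service principal
        { found = 0 }
        END { exit (ok ? 0 : 1) }
    '
}

# Constructed `klist -f` output in MIT klist layout (klist prints "for client"
# when a ticket's client differs from the cache's default principal), as it
# would look after get_tickets succeeded.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/ccache
Default principal: host/centos.practice.com@PRACTICE.COM

Valid starting     Expires            Service principal
06/10/15 10:00:00  06/10/15 20:00:00  krbtgt/PRACTICE.COM@PRACTICE.COM
        Flags: FIA
06/10/15 10:00:01  06/10/15 20:00:00  host/centos.practice.com@PRACTICE.COM
        for client user1@PRACTICE.COM, Flags: FA
06/10/15 10:00:02  06/10/15 20:00:00  http/test1.practice.com@PRACTICE.COM
        for client user1@PRACTICE.COM, Flags: FA'

# Constructed: the S4U2Self ticket came back without F (on an MIT KDC, the
# service lacks +ok_to_auth_as_delegate), so step #3 cannot use it as evidence.
SAMPLE_KLIST_NOT_FORWARDABLE='Ticket cache: FILE:/tmp/ccache
Default principal: host/centos.practice.com@PRACTICE.COM

Valid starting     Expires            Service principal
06/10/15 10:00:00  06/10/15 20:00:00  krbtgt/PRACTICE.COM@PRACTICE.COM
        Flags: FIA
06/10/15 10:00:01  06/10/15 20:00:00  host/centos.practice.com@PRACTICE.COM
        for client user1@PRACTICE.COM, Flags: A'

# Constructed: the only ticket for the service is its own (no S4U2Self happened).
SAMPLE_KLIST_OWN_TICKET='Ticket cache: FILE:/tmp/ccache
Default principal: host/centos.practice.com@PRACTICE.COM

Valid starting     Expires            Service principal
06/10/15 10:00:00  06/10/15 20:00:00  krbtgt/PRACTICE.COM@PRACTICE.COM
        Flags: FIA
06/10/15 10:00:01  06/10/15 20:00:00  host/centos.practice.com@PRACTICE.COM
        Flags: FA'

# $1: klist -f text. Prints a verdict; returns 0 only when step #3 can proceed.
verdict() {
    if printf '%s\n' "$1" | s4u2self_ticket_ok "$IMPERSONATED" "$SERVICE"; then
        echo "ok: S4U2Self ticket is for $IMPERSONATED and forwardable; S4U2Proxy can proceed"
    else
        echo "fail: no forwardable S4U2Self ticket for $IMPERSONATED in the cache"
        return 1
    fi
}

case "${1:-demo}" in
    live) get_tickets && verdict "$(klist -f)" ;;
    demo) for s in "$SAMPLE_KLIST" "$SAMPLE_KLIST_NOT_FORWARDABLE" "$SAMPLE_KLIST_OWN_TICKET"; do
              verdict "$s" || :
          done ;;
esac
```

Run it with `live` as the first argument against the real KDC; with no argument it only evaluates the constructed samples. If the host/centos.practice.com ticket shows up without F, or without the "for client user1" marker, the S4U2Proxy in step #3 cannot succeed regardless of how the GSSAPI calls are arranged, so check the service principal's ok_to_auth_as_delegate attribute and its delegation ACL for http/test1.practice.com on the KDC first.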