kadmin is not involved with ticket renewal or delegation. More likely the Mac OS X GSSAPI implementation requests a forwardable TGT that is not renewable and then forwards that one to the remote server. It is not a bad idea to limit forwarded tickets that way.

Simo.

On Thu, 2016-10-27 at 13:37 +0200, vm@c4k3.space wrote:
> So far my attempt to ask it to the community :-)
> But I think I finally managed to find the explanation.
> So in case someone else ever has the same problem, searches why and
> stumbles onto this page...
>
> The kadmin protocol that differs between the Heimdal implementation used
> in Mac OS and the MIT implementation on Linux seems to be the culprit.
>
> http://kerberos.996246.n3.nabble.com/Lion-problems-tc13877.html
>
> |
> | Mar 12, 2012; 9:52pm Arthur Prokosch-2
> | ...
> | We've wandered into Heimdal territory here and should probably switch
> | to [hidden email] or discussions.apple.com. In the meantime:
> | if anyone else has seen Mac OS 10.7 Heimdal tickets lose their
> | Forwardable and Proxiable flags in the process of initiating GSSAPI
> | ssh connections or has an explanation, I'd be quite interested to hear
> | off-list.
> |
> | best,
> | -arthur prokosch
> | system administrator
> | [1]MIT Computer Science and Artificial Intelligence Lab.
> | ...
>
> In the meantime I also tested it on macOS Sierra. The problem is still
> there.
>
> I don't know if there is any solution though.
>
> P.S. Anybody who can confirm my hypothesis?
>
>
> vm@c4k3.space wrote on 2016-10-26 14:21:
> > Hi,
> >
> > I hope I'm at the right place here for my issue.
> >
> > This is the case:
> >
> > On my MacBook (Mac OS X 10.11), I have a renewable Kerberos ticket:
> >
> > ---
> > macbook013:~ vm$ klist -v
> > Credentials cache: API:EF9959E6-85DF-446F-9B21-3CEEC606FA2D
> >         Principal: v...@realm.com
> >     Cache version: 0
> >
> > Server: krbtgt/realm....@realm.com
> > Client: v...@realm.com
> > Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
> > Ticket length: 342
> > Auth time:  Oct 26 13:55:09 2016
> > End time:   Nov 25 12:55:05 2016
> > Renew till: Jan 26 12:55:05 2017
> > Ticket flags: enc-pa-rep, pre-authent, initial, renewable, proxiable, forwardable
> > Addresses: addressless
> > ---
> >
> > If I do an ssh (GSSAPIAuthentication yes, GSSAPIDelegateCredentials yes)
> > to a Linux server, the ticket there is not renewable anymore:
> >
> > ---
> > macbook013:~ vm$ ssh linuxserver2
> > linuxserver2 ~ # klist -f
> > Ticket cache: FILE:/tmp/krb5cc_1379_BZVstF6000
> > Default principal: v...@realm.com
> >
> > Valid starting       Expires              Service principal
> > 10/26/16 14:00:30    11/25/16 12:55:05    krbtgt/realm....@realm.com
> >         Flags: FfPAT
> > linuxserver2 ~ # krenew
> > krenew: error renewing credentials: KDC can't fulfill requested option
> > linuxserver2 ~ # kinit -R
> > kinit: KDC can't fulfill requested option while renewing credentials
> > ---
> >
> > If I do a kinit on linuxserver1, get a renewable ticket there and ssh
> > to linuxserver2, the forwarded ticket stays renewable.
> >
> > I guess it has something to do with the ssh client on Mac OS X? (But
> > copying the ssh_config from linuxserver1 to the MacBook does not solve
> > it. Copying the krb5.conf doesn't solve it either.)
> > Or should I search for the cause in another direction?
> > Maybe I'm missing something obvious.
> >
> >
> > Thank you for thinking with me!
> >
> > VM
> > ________________________________________________
> > Kerberos mailing list           Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos

--
Simo Sorce * Red Hat, Inc * New York
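As an added example (not code from the thread or from either Kerberos implementation), a small Python helper that parses the two klist formats quoted above and reports which flags the forwarded TGT lost on the way; the sample inputs are constructed from the outputs in the thread, and the flag-letter table is the one documented in the MIT klist man page.

```python
# Flag letters printed by MIT Kerberos `klist -f` (documented in klist(1)).
MIT_FLAGS = {"F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
             "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
             "i": "invalid", "H": "hardware-authenticated", "A": "pre-authenticated",
             "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous"}
# Heimdal `klist -v` spells flags out as words; map the spelling that differs.
HEIMDAL_ALIASES = {"pre-authent": "pre-authenticated"}

def parse_mit_klist(text):
    """Map service principal -> set of flag names from MIT `klist -f` output.
    A 'Flags:' line belongs to the ticket printed on the preceding line,
    whose last column is the service principal."""
    tickets, prev = {}, ""
    for line in text.splitlines():
        if line.strip().startswith("Flags:"):
            letters = line.split(":", 1)[1].strip()
            tickets[prev.split()[-1]] = {MIT_FLAGS.get(c, c) for c in letters}
        elif line.strip():
            prev = line
    return tickets

def parse_heimdal_klist(text):
    """Map server principal -> set of flag names from Heimdal `klist -v` output."""
    tickets, server = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Server":
            server = value.strip()
        elif key == "Ticket flags" and server:
            tickets[server] = {HEIMDAL_ALIASES.get(f.strip(), f.strip())
                               for f in value.split(",")}
    return tickets

def lost_flags(local, forwarded):
    """Per principal, the flags the local TGT carries but the forwarded copy lacks."""
    return {p: local[p] - forwarded[p] for p in local if p in forwarded}

# Constructed sample input, reduced from the klist output quoted in the thread.
MAC_KLIST = """Credentials cache: API:EF9959E6-85DF-446F-9B21-3CEEC606FA2D
Server: krbtgt/realm....@realm.com
Client: v...@realm.com
Renew till: Jan 26 12:55:05 2017
Ticket flags: enc-pa-rep, pre-authent, initial, renewable, proxiable, forwardable
"""
LINUX_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1379_BZVstF6000
Default principal: v...@realm.com

Valid starting       Expires              Service principal
10/26/16 14:00:30    11/25/16 12:55:05    krbtgt/realm....@realm.com
        Flags: FfPAT
"""
```

Calling `lost_flags(parse_heimdal_klist(MAC_KLIST), parse_mit_klist(LINUX_KLIST))` shows that the forwarded TGT lacks `renewable` (and, as expected for any forwarded ticket, `initial`), which is exactly why `kinit -R` fails on the server.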