Hi, I've set up a KDC using LDAP as the backend (krb5 1.15.1 on CentOS 7), and I'm trying to perform constrained delegation. However, I'm getting this error from the KDC when the intermediate service calls the step() function on the security context: "KDC policy rejects request"
Here's the KDC log:

    Feb 06 15:39:35 localhost.localdomain krb5kdc[13310](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.0.22: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/www.example....@example.com for HTTP/datastore.example....@example.com, KDC policy rejects request

I've set the "ok_to_auth_as_delegate" flag on the intermediate service principal HTTP/www.example.com, using kadmin.local (output of getprinc below). Is there something else I need to do to allow this?

Thanks,
John

PS. Here's the output of the kadmin.local getprinc command for the intermediate service principal:

    kadmin.local: getprinc HTTP/www.example.com
    Principal: HTTP/www.example....@example.com
    Expiration date: [never]
    Last password change: Wed Feb 06 14:58:41 EST 2019
    Password expiration date: [never]
    Maximum ticket life: 1 day 00:00:00
    Maximum renewable life: 0 days 00:00:00
    Last modified: Wed Feb 06 15:19:15 EST 2019 (root/ad...@example.com)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 2
    Key: vno 2, aes256-cts-hmac-sha1-96
    Key: vno 2, aes128-cts-hmac-sha1-96
    MKey: vno 1
    Attributes: OK_TO_AUTH_AS_DELEGATE

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
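As an added illustration (not part of the post above), here is a small Python parser for krb5kdc TGS_REQ log lines of the kind quoted in the post. It separates refused delegation requests (NOT_ALLOWED_TO_DELEGATE) from issued tickets, so a KDC's log can be reviewed for services attempting S4U2Proxy delegation that policy does not permit; apart from the line taken from the post, the sample lines are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Matches krb5kdc TGS_REQ lines in the shape shown in the post: a journal/syslog
# prefix, then "TGS_REQ (N etypes {...}) ip: STATUS: authtime T, client for server[, reason]".
TGS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"TGS_REQ \((?P<netypes>\d+) etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_0-9]+): authtime (?P<authtime>\d+), "
    r"(?:etypes \{[^}]*\}, )?"  # present on ISSUE lines, absent on error lines
    r"(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<reason>.*))?$"
)

@dataclass
class TgsEvent:
    timestamp: str
    client_ip: str
    status: str            # e.g. ISSUE or NOT_ALLOWED_TO_DELEGATE
    client: str            # principal requesting the ticket (the delegating service)
    server: str            # target service principal
    etypes: Tuple[int, ...]
    reason: Optional[str]  # KDC's free-text reason, None on success

def parse_tgs_req(line: str) -> Optional[TgsEvent]:
    """Parse one KDC log line; return None for anything that is not a TGS_REQ."""
    m = TGS_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return TgsEvent(timestamp=m["ts"], client_ip=m["ip"], status=m["status"],
                    client=m["client"], server=m["server"],
                    etypes=tuple(int(e) for e in m["etypes"].split()),
                    reason=m["reason"])

def delegation_failures(lines: Iterable[str]) -> List[TgsEvent]:
    """Keep only TGS requests the KDC refused because delegation is not permitted."""
    events = (parse_tgs_req(l) for l in lines)
    return [e for e in events if e and e.status == "NOT_ALLOWED_TO_DELEGATE"]

def failures_by_pair(lines: Iterable[str]) -> Counter:
    """Count refused delegation attempts per (delegating service, target service)."""
    return Counter((e.client, e.server) for e in delegation_failures(lines))

# Constructed sample: line 0 is the one quoted in the post; the others are made up in the
# same format (an AS_REQ that must be ignored, a successful TGS_REQ, a second refusal).
SAMPLE_LOG = [
    "Feb 06 15:39:35 localhost.localdomain krb5kdc[13310](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.0.22: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/www.example....@example.com for HTTP/datastore.example....@example.com, KDC policy rejects request",
    "Feb 06 15:38:59 localhost.localdomain krb5kdc[13310](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.0.22: ISSUE: authtime 1549481939, etypes {rep=18 tkt=18 ses=18}, HTTP/www.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Feb 06 15:41:02 localhost.localdomain krb5kdc[13310](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.0.22: ISSUE: authtime 1549481939, etypes {rep=18 tkt=18 ses=18}, HTTP/www.example.com@EXAMPLE.COM for HTTP/datastore.example.com@EXAMPLE.COM",
    "Feb 06 15:42:10 localhost.localdomain krb5kdc[13310](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.0.22: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/www.example....@example.com for HTTP/datastore.example....@example.com, KDC policy rejects request",
]
```

A repeated (client, server) pair in `failures_by_pair` output points either at the misconfiguration discussed in the post or at a service requesting delegation it was never granted, which is worth alerting on.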