Re: About proxy_impersonator
daemon@ATHENA.MIT.EDU (Weijun Wang)
Mon Feb 25 02:59:30 2019
From: Weijun Wang <weijun.wang@oracle.com>
In-Reply-To: <d198d15e-35ea-3c88-f074-9bd34482925f@mit.edu>
Date: Mon, 25 Feb 2019 15:59:00 +0800
Message-ID: <D3B0F052-8F71-4844-98FC-7F074BF9EDDF@oracle.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
> On Feb 20, 2019, at 6:53 AM, Greg Hudson <ghudson@mit.edu> wrote:
>
> On 2/16/19 2:28 AM, Weijun Wang wrote:
>> Suppose there is only one process, is the intermediate server also forbidden to get a ticket to a backend server on its own?
>
> If a caller uses an impersonator credential with gss_init_sec_context(),
> the GSSAPI layer will always try to make an S4U2Proxy request, not a
> regular TGS request.
I see. So my understanding is that this defines a new kind of default credential. It used to be only user -> krbtgt, but it can also be a service -> krbtgt, plus user -> service, and this special proxy_impersonator flag.
BTW, a customer sent me this ccache file:
> Default principal: user@EXAMPLE.COM
>
> #1 Service Principal: service/host.example.com@EXAMPLE.COM
> Client Principal: user@EXAMPLE.COM
> #2 Service Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
> Client Principal: service/host.example.com@EXAMPLE.COM
>
> and
>
> krb5_ccache_conf_data.proxy_impersonator.<no princiapl>
> Value: service/host.example.com@EXAMPLE.COM
So when gss_init_sec_context() is called using the default credential, it should
1) notice there is a proxy_impersonator
2) find a TGT matching the service name at #2
3) find the proxy credential matching the service name at #1
4) request ticket to any other service using #2 with #1 as the second ticket
Does the default principal of this ccache file matter? Should #1 always have the same client principal as it?
Thanks,
Max
>
> The same caller may have previously acquired a cred handle which it used
> to produce the impersonator cred (either with gss_accept_sec_context()
> or gss_acquire_cred_impersonate_name()). That cred could be used to get
> a ticket to another server with a regular TGS request.
>
>> Is this true for any GSS_C_BOTH credential?
>
> No, the GSS_C_BOTH usage is orthogonal. Impersonator credentials are
> typically GSS_C_INITIATE, and a GSS_C_BOTH credential which is not an
> impersonator cred can be used to make regular TGS requests.
>
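The four-step credential selection sketched in the message above, written out as an added Python model so the two cases (plain default credential vs. a ccache carrying a proxy_impersonator entry) can be compared side by side. This is illustrative code, not MIT krb5 or any GSSAPI implementation; the ccache is modelled as a klist-style listing, and the backend target name and ticket bytes are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Cred:
    client: str                     # principal the ticket was issued to
    server: str                     # service principal the ticket is for
    ticket: bytes = b"<opaque>"     # constructed placeholder, not a real ticket

@dataclass
class CCache:
    default_principal: str
    creds: list
    config: dict = field(default_factory=dict)  # cache-config entries, e.g. proxy_impersonator

def realm_of(principal: str) -> str:
    return principal.rsplit("@", 1)[1]

def tgt_name(principal: str) -> str:
    realm = realm_of(principal)
    return f"krbtgt/{realm}@{realm}"

def find(cc: CCache, client: str, server: str) -> Optional[Cred]:
    return next((c for c in cc.creds if c.client == client and c.server == server), None)

def plan_request(cc: CCache, target: str) -> dict:
    """Decide how the default credential would obtain a ticket for `target`."""
    impersonator = cc.config.get("proxy_impersonator")          # step 1
    if impersonator is None:
        # Ordinary default credential: user -> krbtgt, regular TGS request.
        tgt = find(cc, cc.default_principal, tgt_name(cc.default_principal))
        if tgt is None:
            raise LookupError("no TGT for the default principal")
        return {"request": "TGS-REQ", "tgt": tgt, "second_ticket": None, "target": target}
    # Step 2: the TGT owned by the impersonating service (entry #2 in the listing).
    tgt = find(cc, impersonator, tgt_name(impersonator))
    # Step 3: the proxy (evidence) ticket user -> service (entry #1 in the listing).
    evidence = next((c for c in cc.creds if c.server == impersonator), None)
    if tgt is None or evidence is None:
        raise LookupError("proxy_impersonator set but TGT or evidence ticket is missing")
    # Step 4: S4U2Proxy to `target`, authenticated with the service TGT and carrying the
    # evidence ticket as the second ticket; no plain TGS request is attempted.
    return {"request": "S4U2Proxy", "tgt": tgt, "second_ticket": evidence,
            "on_behalf_of": evidence.client, "target": target}
```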