kcpytkt to copy a service ticket for client principal not matching
daemon@ATHENA.MIT.EDU (Josef Petermann)
Mon Jun 15 17:49:36 2020
From: Josef Petermann <josef.petermann@eoda.de>
To: "krbdev@mit.edu" <krbdev@mit.edu>
Date: Mon, 15 Jun 2020 21:28:09 +0000
Cc: Alexander Kinz <alexander.kinz@eoda.de>
Hi,
Our goal is to spawn user sessions that have a service ticket for a third service without having to enter a password or use unconstrained delegation. Let's assume the users come pre-authenticated and we only have their username.
We are using protocol transition and constrained delegation on Service A (rstudio-server@LAB.BIZ) to obtain a service ticket for Service B (HTTP/ip-172-20-0-118.lab.biz@LAB.BIZ) for User X (jpetermann).
# kinit -k -t /etc/httpd/rstudio-server.keytab rstudio-server@LAB.BIZ
# klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_0
Standard-Principal: rstudio-server@LAB.BIZ
Valid starting Expires Service principal
15.06.2020 17:31:08 16.06.2020 03:31:08 krbtgt/LAB.BIZ@LAB.BIZ
erneuern bis 22.06.2020 17:31:08
# kvno -k /etc/httpd/rstudio-server.keytab -U jpetermann -P HTTP/ip-172-20-0-118.lab.biz@LAB.BIZ
HTTP/ip-172-20-0-118.lab.biz@LAB.BIZ: KVNO = 3, Schlüsseltabelleneintrag gültig
# klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_0
Standard-Principal: rstudio-server@LAB.BIZ
Valid starting Expires Service principal
15.06.2020 17:31:08 16.06.2020 03:31:08 krbtgt/LAB.BIZ@LAB.BIZ
erneuern bis 22.06.2020 17:31:08
15.06.2020 17:31:43 16.06.2020 03:31:08 rstudio-server@LAB.BIZ
für Client jpetermann@LAB.BIZ, erneuern bis 22.06.2020 17:31:08
15.06.2020 17:31:43 16.06.2020 03:31:08 HTTP/ip-172-20-0-118.lab.biz@LAB.BIZ
Now we are trying to use kcpytkt to extract the service ticket for Service B for User X from the ccache of Service A. Unfortunately we are unable to extract a service ticket for a user that is not the default principal:
# kcpytkt -c /tmp/krb5cc_0 /home/jpetermann\@lab.biz/cache42
HTTP/ip-172-20-0-118@LAB.BIZHTTP/ip-172-20-0-118@LAB.BIZ: Matching credential not found while retrieving credentials
How can we get kcpytkt to match a credential not matching the default principal? Ideally, the solution would involve supplying the client principal as an additional command line argument to kcpytkt.
Is there maybe another way to provide a service ticket to the user's session?
Thanks and Regards,
Josef Petermann
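Since the question turns on matching a cached credential by its client principal rather than by the cache's default principal, here is an added example (not from the original message and not MIT krb5's own code): it builds a constructed version-4 FILE ccache image in memory, shaped like the klist output above, and selects a credential by an explicit (client, server) pair, which is the lookup a kcpytkt-style tool would need to offer. The client principal recorded on the constructed S4U2Proxy entry and the placeholder ticket bytes are assumptions made for the example.

```python
import struct
# Writer, used only to build the constructed sample: keys and ticket blobs are dummies, not real Kerberos data.
def _data(b): return struct.pack(">I", len(b)) + b
def _princ(name, realm, name_type=1):            # v4 principal: name type, component count, realm, components
    comps = name.split("/")
    return struct.pack(">II", name_type, len(comps)) + _data(realm.encode()) + b"".join(_data(c.encode()) for c in comps)
def _cred(client, server, realm, ticket, endtime):
    return (_princ(client, realm) + _princ(server, realm)
            + struct.pack(">HI", 18, 0)                                # keyblock: enctype 18, empty key
            + struct.pack(">IIIIBI", 0, 0, endtime, 0, 0, 0x40e10000)  # times, is_skey, ticket_flags
            + struct.pack(">II", 0, 0)                                 # no addresses, no authdata
            + _data(ticket) + _data(b""))                              # ticket, second_ticket
def build_ccache(default, realm, creds):
    return (b"\x05\x04" + struct.pack(">H", 0) + _princ(default, realm)   # version 4, empty header
            + b"".join(_cred(c, s, realm, t, e) for c, s, t, e in creds))

class _Reader:                                   # walks the image; client and server are kept separately
    def __init__(self, buf): self.buf, self.pos = buf, 0
    def take(self, n): v = self.buf[self.pos:self.pos + n]; self.pos += n; return v
    def u(self, fmt): return struct.unpack(">" + fmt, self.take(struct.calcsize(fmt)))[0]
    def data(self): return self.take(self.u("I"))
    def princ(self):
        self.u("I"); n = self.u("I"); realm = self.data().decode()
        return "/".join(self.data().decode() for _ in range(n)) + "@" + realm

def parse_ccache(buf):
    """Return (default principal, [credential dicts]) from a version-4 FILE ccache image."""
    r = _Reader(buf)
    if r.take(2) != b"\x05\x04": raise ValueError("only ccache version 4 is handled")
    r.take(r.u("H"))                                       # skip header fields (DeltaTime etc.)
    default, creds = r.princ(), []
    while r.pos < len(buf):
        client, server = r.princ(), r.princ()
        r.u("H"); r.data()                                 # keyblock: enctype, key data
        authtime, starttime, endtime, renew_till = (r.u("I") for _ in range(4))
        r.u("B"); r.u("I")                                 # is_skey, ticket_flags
        for _ in range(2):                                 # addresses, then authdata: count, (type, data)*
            for _ in range(r.u("I")): r.u("H"); r.data()
        ticket = r.data(); r.data()                        # ticket, second_ticket
        creds.append({"client": client, "server": server, "endtime": endtime, "ticket": ticket})
    return default, creds

def select_cred(buf, server, client=None):       # match by client when given, else by the default principal
    default, creds = parse_ccache(buf)
    return next((c for c in creds if c["client"] == (client or default) and c["server"] == server), None)

# Constructed image shaped like the klist output above (expiry 16.06.2020 03:31:08 CEST as epoch seconds);
# the client on the S4U2Proxy entry is an assumption for this example.
SAMPLE = build_ccache("rstudio-server", "LAB.BIZ", [
    ("rstudio-server", "krbtgt/LAB.BIZ", b"tgt-placeholder", 1592271068),
    ("jpetermann", "rstudio-server", b"s4u2self-placeholder", 1592271068),
    ("jpetermann", "HTTP/ip-172-20-0-118.lab.biz", b"s4u2proxy-placeholder", 1592271068)])
```

With only the server given, select_cred falls back to the default principal and finds nothing for the HTTP service, which is the same miss the kcpytkt run above reports; passing the client principal explicitly returns the entry.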
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev