RT/krbdev.mit.edu: Ticket #2735 KfW 2.6.5 fails to copy all the ticket flags for initial TGT from MS login

 The Basics  
Id: 2735
Status: resolved
Worked: 0 min
Priority: 0/0
Queue: krb5

 Keyword Selections  
Component: krb5-libs
Version_reported: 1.3.5
Version_Fixed: 1.3.6
Target_Version:
Tags: pullup
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
Referred to by:
 
 Dates  
Created: Thu Oct 7 17:45:49 2004
Starts: Not set
Started: Thu Oct 7 23:57:49 2004
Last Contact: Thu Oct 7 23:57:53 2004
Due: Not set
Updated: Thu Oct 7 23:58:27 2004 by jaltman
 

 People  
Owner: jaltman
Requestors: DEEngert@anl.gov
Cc:
AdminCc:
 


History
      Thu Oct  7 17:45:50 2004  DEEngert@anl.gov - Ticket created    
     
Date: Thu, 07 Oct 2004 16:43:43 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
To: krb5-bugs@mit.edu
Subject: KfW 2.6.5 fails to copy all the ticket flags for initial TGT from MS login

KfW-2.6.5.20040917 on Windows 2000 does not copy all the ticket flags
for the initial TGT. Only the initial flag appears to get copied.

The MS klist shows 4 flags set: Forwardable, Preauth, Initial and Proxiable.
The MIT klist against the krb5cc shows only the initial.

A problem arises when GSSAPI tries to get a delegated credential.
It gets the ticket but does not request a forwardable ticket. So the
ticket when forwarded is not forwardable as expected.

In fwd_tgt.c the forwardable bit is copied, and possibly turned off,
but never on.

    kdcoptions = flags2options(tgt.ticket_flags)|KDC_OPT_FORWARDED;

    if (!forwardable) /* Reset KDC_OPT_FORWARDABLE */
      kdcoptions &= ~(KDC_OPT_FORWARDABLE);


MS klist shows:
C:\>klist tgt

Cached TGT:

ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: b17783
DomainName: ANL.GOV♠
TargetDomainName: ANL.GOV♠
AltTargetDomainName: ANL.GOV♠
TicketFlags: 0x40e00000
KeyExpirationTime: 256/0/29920 0:100:8048
StartTime: 10/7/2004 13:53:56
EndTime: 10/7/2004 23:53:56
RenewUntil: 10/14/2004 13:53:56
TimeSkew: 10/14/2004 13:53:56


MIT klist shows:
C:\Program Files\MIT\Kerberos\bin>klist -f
Ticket cache: API:krb5cc
Default principal: b17783@ANL.GOV

Valid starting     Expires            Service principal
10/07/04 13:53:57  10/07/04 23:53:56  krbtgt/KRB5.ANL.GOV@ANL.GOV
         renew until 10/14/04 13:53:56, Flags: FRA
10/07/04 13:53:56  10/07/04 23:53:56  krbtgt/ANL.GOV@ANL.GOV
         renew until 10/14/04 13:53:56, Flags: I
10/07/04 13:54:54  10/07/04 23:53:56  afs/anl.gov@ANL.GOV
         renew until 10/14/04 13:53:56, Flags: FRA
10/07/04 13:53:57  10/07/04 23:53:56  host/deet22.ctd.anl.gov@KRB5.ANL.GOV
         renew until 10/14/04 13:53:56, Flags: FRA
10/07/04 13:55:25  10/07/04 23:53:56  afs/anl.gov@ANL.GOV
         Flags: A

Using kinit -f or Leash does get a ticket with the flags:

C:\Program Files\MIT\Kerberos\bin>klist -f
Ticket cache: API:krb5cc
Default principal: b17783@ANL.GOV

Valid starting     Expires            Service principal
10/07/04 15:50:00  10/08/04 01:50:00  krbtgt/ANL.GOV@ANL.GOV
         Flags: FIA


--

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
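
The effect described in the report above, as an added example that is not code from krb5 or from the ticket: it decodes the reported TicketFlags value 0x40e00000 and runs both it and an initial-only flag set through the same option logic as the quoted fwd_tgt.c lines. The constants are local copies at RFC 4120 bit positions; the common mask value, the helper names `fwd_kdcoptions` and `flag_letters`, and the initial-only sample input are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Ticket flag bits at their RFC 4120 positions (bit 0 is the MSB). */
#define TKT_FLG_FORWARDABLE 0x40000000u
#define TKT_FLG_RENEWABLE   0x00800000u
#define TKT_FLG_INITIAL     0x00400000u
#define TKT_FLG_PRE_AUTH    0x00200000u
/* KDC options use the same bit positions as the flags they request. */
#define KDC_OPT_FORWARDABLE 0x40000000u
#define KDC_OPT_FORWARDED   0x20000000u
/* Assumption: mirrors krb5's KDC_TKT_COMMON_MASK and flags2options(). */
#define KDC_TKT_COMMON_MASK 0x54800000u
#define flags2options(f)    ((f) & KDC_TKT_COMMON_MASK)

/* Same logic as the quoted fwd_tgt.c lines: FORWARDABLE is inherited from
 * the cached TGT's flags and can be cleared here, but never set. */
uint32_t fwd_kdcoptions(uint32_t tgt_flags, int forwardable)
{
    uint32_t kdcoptions = flags2options(tgt_flags) | KDC_OPT_FORWARDED;
    if (!forwardable)               /* Reset KDC_OPT_FORWARDABLE */
        kdcoptions &= ~KDC_OPT_FORWARDABLE;
    return kdcoptions;
}

/* Abbreviate flags in `klist -f` style; only the four letters relevant
 * to this ticket are handled. out must hold at least 5 bytes. */
char *flag_letters(uint32_t flags, char *out)
{
    char *p = out;
    if (flags & TKT_FLG_FORWARDABLE) *p++ = 'F';
    if (flags & TKT_FLG_RENEWABLE)   *p++ = 'R';
    if (flags & TKT_FLG_INITIAL)     *p++ = 'I';
    if (flags & TKT_FLG_PRE_AUTH)    *p++ = 'A';
    *p = '\0';
    return out;
}

int main(void)
{
    /* Reported LSA value, then a constructed initial-only cache copy. */
    uint32_t tgt[2] = { 0x40e00000u, TKT_FLG_INITIAL };
    char buf[5];
    for (int i = 0; i < 2; i++) {
        uint32_t opts = fwd_kdcoptions(tgt[i], 1);
        printf("TGT flags %-4s -> kdcoptions 0x%08x, forwardable: %s\n",
               flag_letters(tgt[i], buf), (unsigned)opts,
               (opts & KDC_OPT_FORWARDABLE) ? "yes" : "no");
    }
    return 0;
}
```

With the initial-only input the request carries KDC_OPT_FORWARDED but not KDC_OPT_FORWARDABLE, even when the caller passes forwardable as true.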





      Thu Oct  7 23:57:50 2004  jaltman - Status changed from new to resolved    
      Thu Oct  7 23:57:50 2004  jaltman - Given to jaltman    
      Thu Oct  7 23:57:51 2004  jaltman - Correspondence added    
     
From: jaltman@mit.edu
Subject: CVS Commit

Fix the forced setting of the Initial Ticket Flag on Win2000 and
add the functionality to XP and 2003 SP1.


To generate a diff of this commit:



	cvs diff -r5.146 -r5.147 krb5/src/lib/krb5/ccache/ChangeLog
	cvs diff -r5.32 -r5.33 krb5/src/lib/krb5/ccache/cc_mslsa.c


      Thu Oct  7 23:58:25 2004  jaltman - Component krb5-libs added    
      Thu Oct  7 23:58:26 2004  jaltman - Version_reported 1.3.5 added    
      Thu Oct  7 23:58:26 2004  jaltman - Version_Fixed 1.3.6 added    
      Thu Oct  7 23:58:27 2004  jaltman - Tags pullup added