Subject: S4U impersonated credential KRB5_CC_NOT_FOUND
Date: Thu, 14 Apr 2011 20:55:13 -0400
Message-ID: <23447137FA0DAA4D95EF535FF356BE46063CDDF0@mse3be2.mse3.exchange.ms>
From: "Arlene Berry"

When using Active Directory you can set the lifetime for TGTs and service tickets to be different. It turns out that an impersonated TGT is subject to the service ticket lifetime setting. gss_init_sec_context is reporting KRB5_CC_NOT_FOUND in this case.
It turns out that when the in-memory version of the impersonated TGT is created by kg_compose_deleg_cred, its expiration is being set to the expiration of the original TGT used to obtain the impersonated TGT and not to the end time of the impersonated TGT. When gss_init_sec_context searches for the impersonated TGT in the cache, the search fails because it is matching on the wrong end time.

This fixed it for us:

Index: src/lib/gssapi/krb5/s4u_gss_glue.c =================================================================== --- src/lib/gssapi/krb5/s4u_gss_glue.c (revision 24877) +++ src/lib/gssapi/krb5/s4u_gss_glue.c (working copy) @@ -218,7 +218,7 @@ cred->usage = GSS_C_INITIATE; cred->proxy_cred = !!(subject_creds->ticket_flags & TKT_FLG_FORWARDABLE); - cred->tgt_expire = impersonator_cred->tgt_expire; + cred->tgt_expire = subject_creds->times.endtime; code = kg_init_name(context, subject_creds->client, NULL, NULL, NULL, 0, &cred->name);

Arlene Berry
Software Design Engineer
Likewise Software, Inc.
T 425.378.7887 x220
F 425.484.6316
E aberry@likewise.com
15395 SE 30th Place, Suite 140
Bellevue, WA 98007
www.likewise.com
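Review bot: the new assignment should carry a one-line comment explaining why the impersonated ticket's own endtime, and not impersonator_cred->tgt_expire, is the right expiry here, because the old line reads as deliberate and the difference only shows up when the KDC issues service tickets with a shorter lifetime than TGTs. The change itself is consistent with the preceding line, which already takes proxy_cred from subject_creds->ticket_flags, so the whole handle is now described by the same credential. A regression test run against a KDC whose service-ticket lifetime is shorter than its TGT lifetime, exercising the gss_init_sec_context path, would keep this from regressing.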
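To make the failure mode in the report concrete, here is a small C model of it. This is an added illustration, not code from the report or from the krb5 sources: the cache, the credential structures and the lookup are stand-ins with constructed names and times, and the match rule (a cached ticket only satisfies a request whose endtime is not later than the ticket's own endtime) is an assumption modelled on how krb5's time-matched cache lookups behave. compose_deleg_cred takes a flag that selects the original line or the patched one, so the same scenario shows the lookup failing with the impersonator's TGT expiry and succeeding with the impersonated ticket's endtime.

```c
/*
 * Model of the KRB5_CC_NOT_FOUND failure described in the report.
 * Not krb5 code: the cache, structs and match rule are simplified
 * stand-ins, and every name and timestamp below is constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CC_OK        0
#define CC_NOT_FOUND 1   /* stands in for KRB5_CC_NOT_FOUND */
#define CACHE_MAX    8

typedef int64_t krb_time;

/* Only the ticket-time fields the match rule looks at. */
typedef struct { krb_time starttime, endtime, renew_till; } ticket_times;

typedef struct {
    const char  *client;
    const char  *server;
    ticket_times times;
} krb_cred;

typedef struct { krb_cred entries[CACHE_MAX]; size_t n; } ccache;

/* Assumed match rule: a cached entry only matches a request that does
 * not ask it to live longer than it actually does. */
static bool times_match(const ticket_times *want, const ticket_times *have)
{
    if (want->renew_till && want->renew_till > have->renew_till)
        return false;
    if (want->endtime && want->endtime > have->endtime)
        return false;
    return true;
}

static int cc_store(ccache *cc, const krb_cred *c)
{
    if (cc->n >= CACHE_MAX)
        return -1;
    cc->entries[cc->n++] = *c;
    return CC_OK;
}

/* Lookup by client, server and time constraint, as a time-matched
 * cache retrieval would do. */
static int cc_retrieve(const ccache *cc, const krb_cred *match, krb_cred *out)
{
    for (size_t i = 0; i < cc->n; i++) {
        const krb_cred *e = &cc->entries[i];
        if (strcmp(e->client, match->client) == 0 &&
            strcmp(e->server, match->server) == 0 &&
            times_match(&match->times, &e->times)) {
            *out = *e;
            return CC_OK;
        }
    }
    return CC_NOT_FOUND;
}

/* The two credential-handle fields the patch touches. */
typedef struct { const char *name; krb_time tgt_expire; } gss_cred;

/* buggy = true reproduces the original line (expiry copied from the
 * impersonator's TGT); buggy = false the patched line (expiry taken
 * from the impersonated ticket itself). */
static gss_cred compose_deleg_cred(const gss_cred *impersonator,
                                   const krb_cred *subject_creds, bool buggy)
{
    gss_cred c;
    c.name       = subject_creds->client;
    c.tgt_expire = buggy ? impersonator->tgt_expire
                         : subject_creds->times.endtime;
    return c;
}

/* The initiator asks the cache for a ticket that lasts until the
 * handle's tgt_expire, which is where the wrong endtime bites. */
static int init_sec_context_lookup(const ccache *cc, const gss_cred *cred,
                                   const char *server, krb_cred *out)
{
    krb_cred match = { cred->name, server, { 0, cred->tgt_expire, 0 } };
    return cc_retrieve(cc, &match, out);
}

/* AD-style policy from the report: TGT lifetime 10 h, service-ticket
 * lifetime 1 h. Returns the lookup status for the chosen expiry rule. */
static int scenario(bool buggy)
{
    const krb_time now = 1302828913;                    /* constructed */
    const char *svc    = "host/app.example.com@EXAMPLE.COM";
    gss_cred impersonator = { svc, now + 10 * 3600 };
    krb_cred subject      = { "alice@EXAMPLE.COM", svc, { now, now + 3600, 0 } };
    ccache   cc;
    krb_cred found;

    memset(&cc, 0, sizeof cc);
    cc_store(&cc, &subject);                            /* S4U2Self result */
    gss_cred deleg = compose_deleg_cred(&impersonator, &subject, buggy);
    return init_sec_context_lookup(&cc, &deleg, svc, &found);
}

int main(void)
{
    printf("expiry from impersonator TGT : %s\n",
           scenario(true) == CC_OK ? "found" : "KRB5_CC_NOT_FOUND");
    printf("expiry from impersonated ticket: %s\n",
           scenario(false) == CC_OK ? "found" : "KRB5_CC_NOT_FOUND");
    return 0;
}
```

With the impersonator's 10-hour TGT expiry used as the request endtime, the one-hour S4U2Self ticket in the cache cannot satisfy it and the lookup reports not found; with the ticket's own endtime the same entry matches. The numbers are only illustrative, but the ordering (service-ticket lifetime shorter than TGT lifetime) is exactly the Active Directory configuration the report describes.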