From: "Arlene Berry"
Date: Mon, 25 Apr 2011 13:57:14 -0400
Subject: RE: [krbdev.mit.edu #6902] S4U impersonated credential KRB5_CC_NOT_FOUND
Message-ID: <23447137FA0DAA4D95EF535FF356BE46064565FA@mse3be2.mse3.exchange.ms>

When doing S4U2PROXY, first you get a TGT for yourself.
Then you call gss_acquire_cred_impersonate_name, which gets you what is essentially a TGT for the identity you're impersonating. It's this credential which has an incorrect end time. Next you use this impersonated credential to call gss_init_sec_context for the service you want to contact as the impersonated identity, and pass in the impersonated credential. gss_init_sec_context uses the impersonated credential to fetch a service ticket for the service you're contacting. When it does that, it has to first find the impersonated credential in the credentials cache, which fails because the end time doesn't match.

I reproduced this with some enhanced GSS sample programs, but you should be able to do it with kvno also. I get three credentials in my cache: one which is my original TGT, one for myself for the impersonated user, and one for the target service for the impersonated user. Both of the credentials for the impersonated user have the shorter lifetime, and it's the second one, the one for myself, which it fails to find in the credentials cache when attempting to get the third one.