Message-Id: <4165B88F.8070606@anl.gov>
Date: Thu, 07 Oct 2004 16:43:43 -0500
From: "Douglas E. Engert"
To: krb5-bugs@mit.edu
Subject: KfW 2.6.5 fails to copy all the ticket flags for initial TGT from MS login

KfW-2.6.5.20040917 on Windows 2000 does not copy all the ticket flags
for the initial TGT. Only the initial flag appears to get copied.

The MS klist shows 4 flags set: Forwardable, Preauth, Initial and
Proxiable. The MIT klist against the krb5cc shows only the initial.

A problem arises when GSSAPI tries to get a delegated credential.
It gets the ticket but does not request a forwardable ticket. So the
ticket when forwarded is not forwardable as expected.

In fwd_tgt.c the forwardable bit is copied, and possibly turned off,
but never on.

    kdcoptions = flags2options(tgt.ticket_flags)|KDC_OPT_FORWARDED;

    if (!forwardable) /* Reset KDC_OPT_FORWARDABLE */
        kdcoptions &= ~(KDC_OPT_FORWARDABLE);

MS klist shows:

    C:\>klist tgt

    Cached TGT:

    ServiceName: krbtgt
    TargetName: krbtgt
    FullServiceName: b17783
    DomainName: ANL.GOV♠
    TargetDomainName: ANL.GOV♠
    AltTargetDomainName: ANL.GOV♠
    TicketFlags: 0x40e00000
    KeyExpirationTime: 256/0/29920 0:100:8048
    StartTime: 10/7/2004 13:53:56
    EndTime: 10/7/2004 23:53:56
    RenewUntil: 10/14/2004 13:53:56
    TimeSkew: 10/14/2004 13:53:56

MIT klist shows:

    C:\Program Files\MIT\Kerberos\bin>klist -f
    Ticket cache: API:krb5cc
    Default principal: b17783@ANL.GOV

    Valid starting     Expires            Service principal
    10/07/04 13:53:57  10/07/04 23:53:56  krbtgt/KRB5.ANL.GOV@ANL.GOV
            renew until 10/14/04 13:53:56, Flags: FRA
    10/07/04 13:53:56  10/07/04 23:53:56  krbtgt/ANL.GOV@ANL.GOV
            renew until 10/14/04 13:53:56, Flags: I
    10/07/04 13:54:54  10/07/04 23:53:56  afs/anl.gov@ANL.GOV
            renew until 10/14/04 13:53:56, Flags: FRA
    10/07/04 13:53:57  10/07/04 23:53:56  host/deet22.ctd.anl.gov@KRB5.ANL.GOV
            renew until 10/14/04 13:53:56, Flags: FRA
    10/07/04 13:55:25  10/07/04 23:53:56  afs/anl.gov@ANL.GOV
            Flags: A

Using kinit -f or Leash does get a ticket with the flags:

    C:\Program Files\MIT\Kerberos\bin>klist -f
    Ticket cache: API:krb5cc
    Default principal: b17783@ANL.GOV

    Valid starting     Expires            Service principal
    10/07/04 15:50:00  10/08/04 01:50:00  krbtgt/ANL.GOV@ANL.GOV
            Flags: FIA

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
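
Added example, not part of the original report and not KfW or MIT krb5 source: it decodes the TicketFlags value from the MS klist output using the RFC 4120 bit positions and runs it, and the flags-stripped ccache copy, through the same option logic as the quoted fwd_tgt.c lines. The EX_ names, the helper functions and the choice of which bits carry over into KDC options (EX_COMMON_MASK) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Ticket flag bits per RFC 4120 section 5.3 (bit 0 is the most significant). */
#define EX_FORWARDABLE  0x40000000u
#define EX_FORWARDED    0x20000000u
#define EX_PROXIABLE    0x10000000u
#define EX_MAY_POSTDATE 0x04000000u
#define EX_RENEWABLE    0x00800000u
#define EX_INITIAL      0x00400000u
#define EX_PRE_AUTH     0x00200000u
/* Assumption: only these ticket flags carry over into KDC request options. */
#define EX_COMMON_MASK (EX_FORWARDABLE | EX_PROXIABLE | EX_MAY_POSTDATE | EX_RENEWABLE)

/* Render a flag word with the letters klist -f prints for these bits. */
static const char *ex_flag_letters(uint32_t flags, char out[8])
{
    static const struct { uint32_t bit; char c; } map[] = {
        { EX_FORWARDABLE, 'F' }, { EX_FORWARDED, 'f' }, { EX_PROXIABLE, 'P' },
        { EX_RENEWABLE, 'R' }, { EX_INITIAL, 'I' }, { EX_PRE_AUTH, 'A' },
    };
    size_t n = 0;
    for (size_t i = 0; i < sizeof(map) / sizeof(map[0]); i++)
        if (flags & map[i].bit)
            out[n++] = map[i].c;
    out[n] = '\0';
    return out;
}

/* Same shape as the quoted fwd_tgt.c lines: the bit is copied or cleared, never set. */
static uint32_t ex_forward_options(uint32_t tgt_flags, int forwardable)
{
    uint32_t kdcoptions = (tgt_flags & EX_COMMON_MASK) | EX_FORWARDED;
    if (!forwardable)
        kdcoptions &= ~EX_FORWARDABLE;
    return kdcoptions;
}

int main(void)
{
    char a[8], b[8];
    uint32_t lsa = 0x40e00000u;   /* TicketFlags value from the MS klist output */
    uint32_t copied = EX_INITIAL; /* what the krb5cc entry shows: Flags: I */
    printf("LSA    %-4s -> 0x%08x\n", ex_flag_letters(lsa, a), (unsigned)ex_forward_options(lsa, 1));
    printf("ccache %-4s -> 0x%08x\n", ex_flag_letters(copied, b), (unsigned)ex_forward_options(copied, 1));
    return 0;
}
```

With the full flag word the forwardable option survives into the request; with only the initial flag in the cache it is absent even when the caller asks for a forwardable ticket.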