
Date: Thu, 07 Oct 2004 16:43:43 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
To: krb5-bugs@mit.edu
Subject: KfW 2.6.5 fails to copy all the ticket flags for initial TGT from MS login
KfW-2.6.5.20040917 on Windows 2000 does not copy all the ticket flags
for the initial TGT. Only the initial flag appears to get copied.

The MS klist shows 4 flags set: Forwardable, Preauth, Initial and Proxiable.
The MIT klist against the krb5cc shows only the initial.

A problem arises when GSSAPI tries to get a delegated credential.
It gets the ticket but does not request a forwardable ticket. So the
ticket when forwarded is not forwardable as expected.

In fwd_tgt.c the forwardable bit is copied, and possibly turned off,
but never on.

    kdcoptions = flags2options(tgt.ticket_flags)|KDC_OPT_FORWARDED;

    if (!forwardable) /* Reset KDC_OPT_FORWARDABLE */
        kdcoptions &= ~(KDC_OPT_FORWARDABLE);


MS klist shows:
C:\>klist tgt

Cached TGT:

ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: b17783
DomainName: ANL.GOV♠
TargetDomainName: ANL.GOV♠
AltTargetDomainName: ANL.GOV♠
TicketFlags: 0x40e00000
KeyExpirationTime: 256/0/29920 0:100:8048
StartTime: 10/7/2004 13:53:56
EndTime: 10/7/2004 23:53:56
RenewUntil: 10/14/2004 13:53:56
TimeSkew: 10/14/2004 13:53:56


MIT klist shows:
C:\Program Files\MIT\Kerberos\bin>klist -f
Ticket cache: API:krb5cc
Default principal: b17783@ANL.GOV

Valid starting Expires Service principal
10/07/04 13:53:57 10/07/04 23:53:56 krbtgt/KRB5.ANL.GOV@ANL.GOV
renew until 10/14/04 13:53:56, Flags: FRA
10/07/04 13:53:56 10/07/04 23:53:56 krbtgt/ANL.GOV@ANL.GOV
renew until 10/14/04 13:53:56, Flags: I
10/07/04 13:54:54 10/07/04 23:53:56 afs/anl.gov@ANL.GOV
renew until 10/14/04 13:53:56, Flags: FRA
10/07/04 13:53:57 10/07/04 23:53:56 host/deet22.ctd.anl.gov@KRB5.ANL.GOV
renew until 10/14/04 13:53:56, Flags: FRA
10/07/04 13:55:25 10/07/04 23:53:56 afs/anl.gov@ANL.GOV
Flags: A

Using kinit -f or Leash does get a ticket with the flags:

C:\Program Files\MIT\Kerberos\bin>klist -f
Ticket cache: API:krb5cc
Default principal: b17783@ANL.GOV

Valid starting Expires Service principal
10/07/04 15:50:00 10/08/04 01:50:00 krbtgt/ANL.GOV@ANL.GOV
Flags: FIA


--

Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
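
As an added illustration (not code from the report or from MIT krb5), this C sketch reruns the quoted fwd_tgt.c computation on the two flag sets in the report: the TicketFlags value shown by MS klist and the Initial-only flags shown for the cached TGT. The flag bit values follow RFC 4120; the flags2options() mask and the klist-style letter table are assumptions modelled on MIT krb5.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* KDC option bits (RFC 4120); they share positions with the ticket flags. */
#define KDC_OPT_FORWARDABLE 0x40000000u
#define KDC_OPT_FORWARDED   0x20000000u
/* Assumption: flags2options() keeps only the bits that mean the same thing
 * as a ticket flag and as a KDC option (forwardable, proxiable,
 * allow-postdate, renewable). */
#define KDC_TKT_COMMON_MASK 0x54800000u
#define flags2options(f) ((f) & KDC_TKT_COMMON_MASK)

/* Ticket flag bits (RFC 4120) with "klist -f" style letters (assumed order). */
static const struct { uint32_t bit; char letter; } flag_letters[] = {
    {0x40000000u, 'F'}, {0x20000000u, 'f'}, {0x10000000u, 'P'},
    {0x08000000u, 'p'}, {0x04000000u, 'D'}, {0x02000000u, 'd'},
    {0x01000000u, 'i'}, {0x00800000u, 'R'}, {0x00400000u, 'I'},
    {0x00100000u, 'H'}, {0x00200000u, 'A'},
};

/* Decode a ticket-flags word into a letter string (static buffer). */
const char *flags_string(uint32_t flags)
{
    static char buf[16];
    size_t i, n = 0;
    for (i = 0; i < sizeof(flag_letters) / sizeof(flag_letters[0]); i++)
        if (flags & flag_letters[i].bit)
            buf[n++] = flag_letters[i].letter;
    buf[n] = '\0';
    return buf;
}

/* Same computation as the fwd_tgt.c lines quoted in the report. */
uint32_t fwd_kdcoptions(uint32_t tgt_flags, int forwardable)
{
    uint32_t kdcoptions = flags2options(tgt_flags) | KDC_OPT_FORWARDED;
    if (!forwardable)               /* can only clear the bit, never set it */
        kdcoptions &= ~KDC_OPT_FORWARDABLE;
    return kdcoptions;
}

int main(void)
{
    uint32_t lsa = 0x40e00000u;     /* TicketFlags from the MS klist output */
    uint32_t cached = 0x00400000u;  /* constructed: "Flags: I" in krb5cc */
    printf("LSA    %-5s -> kdcoptions 0x%08x\n", flags_string(lsa),
           (unsigned)fwd_kdcoptions(lsa, 1));
    printf("krb5cc %-5s -> kdcoptions 0x%08x\n", flags_string(cached),
           (unsigned)fwd_kdcoptions(cached, 1));
    return 0;
}
```

With the Initial-only flags the result carries KDC_OPT_FORWARDED but not KDC_OPT_FORWARDABLE even when the caller asks for a forwardable ticket, which is the behaviour the report describes.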
From: jaltman@mit.edu
Subject: CVS Commit
Fix the forced setting of the Initial Ticket Flag on Win2000 and
add the functionality to XP and 2003 SP1.


To generate a diff of this commit:



cvs diff -r5.146 -r5.147 krb5/src/lib/krb5/ccache/ChangeLog
cvs diff -r5.32 -r5.33 krb5/src/lib/krb5/ccache/cc_mslsa.c