help needed for testing s4u constrained delegation


help needed for testing s4u constrained delegation

Santosh Kumar
Testing constrained delegation, to fetch a service ticket on behalf of a
user.

Could anyone please help with where to look for debug logs, and what the
prerequisites to use this are?


I downloaded and compiled on a Linux host, updated /etc/krb5.conf and
/etc/hosts; is anything missing?


setup:
Domain1:       EXCHSRV2016.COM         [kcduser - delegate user]
Child Domain1: CHILD1.EXCHSRV2016.COM  [newuser - end user]


[santosh@archjeergi gssapi]$ pwd
/home/santosh/opensource/krb5-1.15.3/src/tests/gssapi
[santosh@archjeergi gssapi]$ ./t_s4u p:[hidden email] p:http/win2k12r2.exchsrv2016.com ./keytabfile.keytab
gss_acquire_cred: Unspecified GSS failure.  Minor code may provide more information
gss_acquire_cred: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)

/etc/krb5.conf

[libdefaults]
 default_realm = EXCHSRV2016.COM
 forwardable = true

[realms]
 EXCHSRV2016.COM = {
  kdc = ad2k12.exchsrv2016.com:88
  kpasswd_server = 10.209.114.213
  default_domain = exchsrv2016.com
 }

[domain_realm]
 .exchsrv2016.com = EXCHSRV2016.COM
 exchsrv2016.com = EXCHSRV2016.COM

Generated the keytab on the host where the Exchange server runs, as below:
[image: image.png]


Thanks much
Santosh

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: help needed for testing s4u constrained delegation

Greg Hudson
On 06/12/2018 12:35 PM, Santosh Kumar wrote:
> Testing constrained delegation, to fetch a service ticket on behalf of a
> user.
>
> could anyone please help where to look to debug logs, what are
> prerequisites to use this?

Our mailing list gateway does not pass through HTML, attachments, or
images, so I think the screenshot of you acquiring the keytab didn't
make it.

In your transcript I don't see you running kinit as mentioned in the
usage comment in t_s4u.c.  You need a TGT for the intermediate service
in order to perform an S4U2Proxy operation.

If you set the environment variable KRB5_TRACE to a filename or to
/dev/stdout, you can see information about the underlying libkrb5
operations performed by the GSS operations.
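The prerequisites Greg Hudson lists, scripted as an added example that is not part of the thread or of MIT krb5: obtain the intermediate service's TGT from its keytab with kinit, confirm the cache holds it, then run t_s4u with KRB5_TRACE pointed at a file. The keytab, service principal and cache names are assumptions taken from the original post's setup, and the end-user principal is a placeholder for the hidden address.

```shell
#!/bin/sh
# Added example, not code from the thread or from MIT krb5: the prerequisite
# steps from the reply, scripted around the krb5 t_s4u test.
# Principal and keytab names are assumptions taken from the original post's
# setup; the end-user principal is a placeholder for the hidden address.
KEYTAB=${KEYTAB:-./keytabfile.keytab}
SERVICE_PRINC=${SERVICE_PRINC:-http/win2k12r2.exchsrv2016.com@EXCHSRV2016.COM}
USER_PRINC=${USER_PRINC:-newuser@CHILD1.EXCHSRV2016.COM}
CACHE=${CACHE:-FILE:/tmp/krb5cc_s4u_test}

# Realm part of a principal name (text after the last '@').
realm_of() {
    printf '%s\n' "${1##*@}"
}

# Succeed if the klist output read from stdin contains a TGT
# (krbtgt/REALM@REALM) for the realm of principal $1.  Pure text check, so
# it can be verified without a KDC; -F keeps the dots in the realm literal.
has_tgt_for() {
    realm=$(realm_of "$1")
    grep -qF "krbtgt/${realm}@${realm}"
}

run_s4u_test() {
    [ -r "$KEYTAB" ] || { echo "keytab $KEYTAB is not readable" >&2; return 1; }
    export KRB5CCNAME=$CACHE
    # Step 1: the kinit missing from the original transcript.  S4U2Proxy is
    # performed by the intermediate service, so it needs its own TGT first.
    kinit -k -t "$KEYTAB" "$SERVICE_PRINC" || return 1
    # Step 2: verify the cache really holds that TGT before calling GSSAPI,
    # so a missing TGT fails here instead of as "No Kerberos credentials".
    klist | has_tgt_for "$SERVICE_PRINC" || {
        echo "no TGT for $SERVICE_PRINC in $CACHE" >&2; return 1; }
    # Step 3: run t_s4u with libkrb5 tracing written to a file; that trace
    # is the debug log the original question asked about.
    export KRB5_TRACE=${KRB5_TRACE:-/tmp/t_s4u.trace}
    : > "$KRB5_TRACE"
    ./t_s4u "p:$USER_PRINC" "p:${SERVICE_PRINC%@*}" "$KEYTAB"
    rc=$?
    echo "libkrb5 trace written to $KRB5_TRACE (t_s4u exit status $rc)" >&2
    return $rc
}

# Only talk to a real KDC when explicitly asked, e.g. S4U_RUN=1 sh s4u.sh
if [ "${S4U_RUN:-0}" = 1 ]; then run_s4u_test; fi
```

Run it from the krb5 src/tests/gssapi directory where t_s4u was built; the trace file then shows the TGS exchanges behind gss_acquire_cred and the S4U2Proxy request.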