From: jshiv...@redhat.com (Jacob Shivers)
Newsgroups: comp.protocols.kerberos
Subject: cross-realm delegation via attempted RBCD fails with KRB5KRB_AP_ERR_ILL_CR_TKT
Date: Mon, 28 Mar 2022 11:08:08 -0400
Message-ID: <mailman.35.1648480147.8148.kerberos@mit.edu>
References: <CALe0_74tVEcMaEX3yRYpVWzzLmXmRUqDkKMt28hguDAoxWej4w@mail.gmail.com>
To: kerberos@mit.edu

Hello All,

My setup:

* Parent realm (AD.TOB.COM) and child realm (TEST.AD.TOB.COM) with a two-way transitive trust in Active Directory.
* NFS client (f35.ad.tob.com) in AD.TOB.COM
* NFS server (8x1-nfs.ad.tob.com) in AD.TOB.COM exporting a Kerberized NFS share
* User (data) in AD.TOB.COM
* User (lore) in TEST.AD.TOB.COM

I am trying to set up cross-realm Kerberos delegation via Resource Based Constrained Delegation (RBCD) within Active Directory 2K16. In this test, there are two domains that have a parent/child relationship. Users in both the parent and the child domain are logging into an NFS client within the parent realm that has mounted a Kerberized NFS share from an NFS server also within the parent realm. No user logging in has a Kerberos ticket and there are no stored keytabs for users on the NFS client.

Configuring gssproxy with 'impersonate = yes', users within the parent realm are able to access the Kerberized NFS share with no issue. However, users in the child realm are unable to access the share and gssproxy logs 'Illegal cross-realm ticket' as returned by krb5 libraries. I observe this behavior in RHEL 8.5 as well as Fedora 35 with Alexander Bokovoy's upstream copr build for krb5-libs that includes RBCD patches not yet in Fedora proper.

I have found some sample packet captures from wireshark.org for RBCD, but even after viewing the captures, I still am not sure what the exact behavior should be for cross-realm delegation. That being said, the NFS client logs KRB5KRB_AP_ERR_ILL_CR_TKT before the point of delegation for the user in the child domain to the local NFS server.

My limited understanding, and please excuse any misnaming, is that when the user in the child domain on the NFS client attempts to access the Kerberized NFS share with impersonation active the NFS client should:

* Authenticate and receive a ticket-granting service principal for its local realm which is the parent realm (krbtgt/AD.TOB.COM@AD.TOB.COM).

* Obtain the remote ticket-granting server principal pointing towards the child domain (krbtgt/TEST.AD.TOB.COM@AD.TOB.COM).

* Obtain the remote ticket-granting server principal pointing back towards the parent domain (krbtgt/AD.TOB.COM@TEST.AD.TOB.COM).

* Authenticate on behalf of the user in the child domain to the parent domain using the cross-realm TGT ticket (krbtgt/AD.TOB.COM@TEST.AD.TOB.COM) for the proxy_impersonator (F35$@AD.TOB.COM).

* Use the proxy_impersonator key to obtain the endpoint credentials for the NFS server's nfs service (nfs/8x1-nfs.ad.tob.com@AD.TOB.COM) for the user in the child domain.

The client does _not_ reach the point of the actual RBCD bits of requesting the NFS ticket-granting service ticket for the user, based on comparing this failing traffic to that of a user in the same realm. `$ tshark` flags kerberos.KDCOptions.constrained.delegation and kerberos.PAC.OPTIONS.FLAGS.resource.based.constrained.delegation are set once this occurs.

The below is present in /etc/krb5.conf by way of /var/lib/sss/pubconf/krb5.include.d/domain_realm_ad_tob_com:

[capaths]
TEST.AD.TOB.COM = {
    AD.TOB.COM = AD.TOB.COM
}
AD.TOB.COM = {
    TEST.AD.TOB.COM = AD.TOB.COM
}

I have collected a network trace, a `# strace` of gssproxy, journalctl output, as well as a KRB5_TRACE of gssproxy with debug_level set to 3. This lab contains no confidential data so I can capture and share any tracing.

I can also perform any additional tests should it be requested.

Thank you very much for any guidance that can be offered.

--

Jacob Shivers
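As an added example (not code from the post, nor from krb5, SSSD or gssproxy), a small Python model of the [capaths] block quoted above: it parses the section, computes the realm path a client follows, and lists the krbtgt principals requested in each direction, which for the posted configuration are exactly the three krbtgt principals named in the steps above. It models only the documented [capaths] semantics ('.' meaning direct); treating an intermediate that names an endpoint realm, or a missing entry, as a direct path is an assumption of this example, not library behaviour.

```python
import re

def parse_capaths(text):
    """Parse [capaths] of a krb5.conf fragment: {client: {server: [intermediates]}}."""
    paths, client, in_capaths = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):                    # section header
            in_capaths = (line == "[capaths]")
        elif not in_capaths:
            continue
        elif line == "}":                           # closes a client-realm block
            client = None
        elif (m := re.match(r"^(\S+)\s*=\s*\{$", line)):
            client = m.group(1)
            paths.setdefault(client, {})
        elif client and (m := re.match(r"^(\S+)\s*=\s*(.+)$", line)):
            paths[client][m.group(1)] = m.group(2).split()
    return paths

def transit_path(paths, client, server):
    """Realms traversed from client to server under the documented [capaths]
    rules ('.' means direct). Assumption of this example: an intermediate that
    names the client or server realm, or a missing entry, counts as direct."""
    if client == server:
        return [client]
    mids = [v for v in paths.get(client, {}).get(server, []) if v not in (".", client, server)]
    return [client] + mids + [server]

def krbtgt_chain(paths, client, server):
    """krbtgt principals requested in order: own TGT, then krbtgt/NEXT@CURRENT per hop."""
    path = transit_path(paths, client, server)
    return [f"krbtgt/{client}@{client}"] + [
        f"krbtgt/{nxt}@{cur}" for cur, nxt in zip(path, path[1:])]

# Constructed copy of the [capaths] block quoted in the post, one mapping per line.
CAPATHS = """[capaths]
TEST.AD.TOB.COM = {
    AD.TOB.COM = AD.TOB.COM
}
AD.TOB.COM = {
    TEST.AD.TOB.COM = AD.TOB.COM
}
"""

if __name__ == "__main__":
    for c, s in (("AD.TOB.COM", "TEST.AD.TOB.COM"), ("TEST.AD.TOB.COM", "AD.TOB.COM")):
        print(c, "->", s, " ".join(krbtgt_chain(parse_capaths(CAPATHS), c, s)))
```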
