Re: cross-realm delegation via attempted RBCD fails with KRB5KRB_AP_ERR_ILL_CR_TKT
From: jshiv...@redhat.com (Jacob Shivers)
Newsgroups: comp.protocols.kerberos
Subject: Re: cross-realm delegation via attempted RBCD fails with KRB5KRB_AP_ERR_ILL_CR_TKT
Date: Fri, 8 Apr 2022 11:49:14 -0400
Organization: TNet Consulting
Message-ID: <mailman.41.1649433023.8148.kerberos@mit.edu>
References: <CALe0_74tVEcMaEX3yRYpVWzzLmXmRUqDkKMt28hguDAoxWej4w@mail.gmail.com> <CALe0_76CEEEuP1uz-31gP3iRrYC9JS-WnHNuyGdh90riNjE3QQ@mail.gmail.com>
To: kerberos@mit.edu
In-Reply-To: <CALe0_74tVEcMaEX3yRYpVWzzLmXmRUqDkKMt28hguDAoxWej4w@mail.gmail.com>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
Hello,

Reaching out again.

If something is poorly worded or requires further
clarification/explanation, I am more than willing to try to elaborate.
I am a bit stuck on this issue and would greatly appreciate any
feedback on things to test or to look at further.

Thank you _very_ much.

On Mon, Mar 28, 2022 at 11:08 AM Jacob Shivers <jshivers@redhat.com> wrote:
>
> Hello All,
>
> My setup:
>
> * Parent realm (AD.TOB.COM) and child realm (TEST.AD.TOB.COM) with a two-way
> transitive trust in Active Directory.
> * NFS client (f35.ad.tob.com) in AD.TOB.COM
> * NFS server (8x1-nfs.ad.tob.com) in AD.TOB.COM exporting a Kerberized NFS
> share
> * User (data) in AD.TOB.COM
> * User (lore) in TEST.AD.TOB.COM
>
> I am trying to set up cross-realm Kerberos delegation via Resource Based
> Constrained Delegation (RBCD) within Active Directory 2K16. In this test, there
> are two domains that have a parent/child relationship. Users in both the parent
> and the child domain are logging into an NFS client within the parent realm that
> has mounted a Kerberized NFS share from an NFS server also within the parent
> realm. No user logging in has a Kerberos ticket and there are no stored keytabs
> for users on the NFS client.
>
> Configuring gssproxy with 'impersonate = yes', users within the parent realm
> are able to access the Kerberized NFS share with no issue. However, users in
> the child realm are unable to access the share and gssproxy logs 'Illegal
> cross-realm ticket' as returned by krb5 libraries. I observe this behavior in
> RHEL 8.5 as well as Fedora 35 with Alexander Bokovoy's upstream copr build for
> krb5-libs that includes RBCD patches not yet in Fedora proper.
>
> I have found some sample packet captures from wireshark.org for RBCD, but even
> after viewing the captures, I am still not sure what the exact behavior should
> be for cross-realm delegation. That being said, the NFS client logs
> KRB5KRB_AP_ERR_ILL_CR_TKT before the point of delegation for the user in the
> child domain to the local NFS server.
>
>
> My limited understanding, and please excuse any misnaming, is that when the
> user in the child domain on the NFS client attempts to access the Kerberized
> NFS share with impersonation active the NFS client should:
>
> * Authenticate and receive a ticket granting service principal for its local
> realm which is the parent realm (krbtgt/AD.TOB.COM@AD.TOB.COM).
>
> * Obtain the remote ticket granting server principal pointing towards the
> child domain (krbtgt/TEST.AD.TOB.COM@AD.TOB.COM).
>
> * Obtain the remote ticket granting server principal pointing back towards the
> parent domain (krbtgt/AD.TOB.COM@TEST.AD.TOB.COM).
>
> * Authenticate on behalf of the user in the child domain to the parent domain
> using the cross realm TGT ticket (krbtgt/AD.TOB.COM@TEST.AD.TOB.COM) for the
> proxy_impersonator (F35$@AD.TOB.COM).
>
> * Use the proxy_impersonator key to obtain the endpoint credentials for the
> NFS server's nfs service (nfs/8x1-nfs.ad.tob.com@AD.TOB.COM) for the user in
> the child domain
>
> The client does _not_ reach the point of the actual RBCD bits of requesting the
> NFS ticket granting service ticket for the user based on comparing this failing
> traffic to that of a user in the same realm. `$ tshark` flags
> kerberos.KDCOptions.constrained.delegation and
> kerberos.PAC.OPTIONS.FLAGS.resource.based.constrained.delegation are set once
> this occurs.
>
>
> The below is present in /etc/krb5.conf by way of
> /var/lib/sss/pubconf/krb5.include.d/domain_realm_ad_tob_com:
>
> [capaths]
> TEST.AD.TOB.COM = {
> AD.TOB.COM = AD.TOB.COM
> }
> AD.TOB.COM = {
> TEST.AD.TOB.COM = AD.TOB.COM
> }
>
>
> I have collected a network trace, a `# strace` of gssproxy, journalctl output,
> as well as a KRB5_TRACE of gssproxy with debug_level set to 3. This lab
> contains no confidential data so I can capture and share any tracing.
>
> I can also perform any additional tests should it be requested.
>
>
> Thank you very much for any guidance that can be offered.
>
>
>
> --
>
> Jacob Shivers

--

Jacob Shivers
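The krbtgt sequence the quoted message lays out, as an added example that is not part of the original thread and not MIT krb5's own code: it parses the quoted [capaths] stanza, derives the chain of cross-realm TGTs the impersonating host should hold for the parent/child pair (and, extrapolating from the post's three-principal list, for multi-hop paths), and reports the first hop absent from a klist or KRB5_TRACE excerpt, which narrows down where the chain stops before KRB5KRB_AP_ERR_ILL_CR_TKT is raised. The capaths reading (an intermediate equal to the source or destination counts as a direct hop) and the klist excerpt are constructed assumptions.

```python
import re
# Constructed input: the [capaths] stanza quoted in the post, verbatim.
CAPATHS_TEXT = """[capaths]
TEST.AD.TOB.COM = {
AD.TOB.COM = AD.TOB.COM
}
AD.TOB.COM = {
TEST.AD.TOB.COM = AD.TOB.COM
}"""

def parse_capaths(text):
    """{client: {server: [intermediates]}} parsed from a krb5.conf [capaths] stanza."""
    caps, client, active = {}, None, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            active = line == "[capaths]"
        elif not active or not line or line[0] in "#;":
            continue
        elif line.endswith("{"):
            client = line.split("=")[0].strip()
            caps.setdefault(client, {})
        elif line == "}":
            client = None
        elif client and "=" in line:
            server, inter = (s.strip() for s in line.split("=", 1))
            caps[client].setdefault(server, []).append(inter)
    return caps

def capath(caps, src, dst):
    """Realms walked from src to dst; '.' (MIT's direct marker), src or dst as the
    intermediate, or no entry at all, are all treated here as a direct hop (assumption)."""
    hops = [r for r in caps.get(src, {}).get(dst, []) if r not in (".", src, dst)]
    return [src] + hops + [dst]

def expected_tgts(caps, impersonator_realm, user_realm):
    """krbtgt principals the impersonating host collects before S4U2Self for a foreign
    user: local TGT, one per hop towards the user's realm, then the referral(s) back."""
    out = [f"krbtgt/{impersonator_realm}@{impersonator_realm}"]
    for a, b in (impersonator_realm, user_realm), (user_realm, impersonator_realm):
        path = capath(caps, a, b)
        out += [f"krbtgt/{nxt}@{cur}" for cur, nxt in zip(path, path[1:])]
    return out

PRINC_RE = re.compile(r"krbtgt/[A-Za-z0-9.\-]+@[A-Za-z0-9.\-]+")
def first_missing(expected, observed_text):
    """First expected krbtgt principal that klist or KRB5_TRACE output never shows."""
    seen = set(PRINC_RE.findall(observed_text))
    return next((p for p in expected if p not in seen), None)

# Constructed klist excerpt: the referral TGT back from the child realm never appears.
KLIST_TEXT = """04/08/2022 11:00:00  04/08/2022 21:00:00  krbtgt/AD.TOB.COM@AD.TOB.COM
04/08/2022 11:00:01  04/08/2022 21:00:00  krbtgt/TEST.AD.TOB.COM@AD.TOB.COM"""
```

Run `first_missing(expected_tgts(parse_capaths(CAPATHS_TEXT), "AD.TOB.COM", "TEST.AD.TOB.COM"), KLIST_TEXT)` against the impersonator's real klist or trace output to see which hop of the chain was never obtained.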
