Re: cross-realm delegation via attempted RBCD fails with KRB5KRB_AP_ERR_ILL_CR_TKT

https://www.novabbs.com/devel/article-flat.php?id=291&group=comp.protocols.kerberos#291

From: jshiv...@redhat.com (Jacob Shivers)
Newsgroups: comp.protocols.kerberos
Subject: Re: cross-realm delegation via attempted RBCD fails with KRB5KRB_AP_ERR_ILL_CR_TKT
Date: Thu, 4 Aug 2022 09:54:03 -0400
Organization: TNet Consulting
Lines: 136
Message-ID: <mailman.92.1659621351.8148.kerberos@mit.edu>
References: <CALe0_74tVEcMaEX3yRYpVWzzLmXmRUqDkKMt28hguDAoxWej4w@mail.gmail.com>
<CALe0_76CEEEuP1uz-31gP3iRrYC9JS-WnHNuyGdh90riNjE3QQ@mail.gmail.com>
<CALe0_77KLNRA+s0EbUHxEH5cTH3Wy5eRaBs2WWXefOBO7eS8iA@mail.gmail.com>
<CALe0_76x2gro-=fEGYqaVwpsDvV5u3yS3+iLTZzpHkXQ+UAwyw@mail.gmail.com>
Cc: kerberos@mit.edu, Brenda Muchinyi <bmuchiny@redhat.com>
To: krbdev@mit.edu
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
 by: Jacob Shivers - Thu, 4 Aug 2022 13:54 UTC

Hello,

Reaching out again. Requesting any further input.

As I have said, if something is poorly worded or requires further
clarification I will be happy to elaborate and reword as necessary.

Regards,

On Wed, Apr 27, 2022 at 4:19 PM Jacob Shivers <jshivers@redhat.com> wrote:
>
> Sending this to the dev list to hope to get some traction there.
>
> Any input on this will be greatly appreciated.
>
> ---------- Forwarded message ---------
> From: Jacob Shivers <jshivers@redhat.com>
> Date: Fri, Apr 8, 2022 at 11:49 AM
> Subject: Re: cross-realm delegation via attempted RBCD fails with
> KRB5KRB_AP_ERR_ILL_CR_TKT
> To: <kerberos@mit.edu>
>
>
> Hello,
>
> Reaching out again.
>
> If something is poorly worded or requires further
> clarification/explanation I am more than willing to try to elaborate.
> I am a bit stuck on this issue and would greatly appreciate any
> feedback of things to test or to look at further.
>
> Thank you _very_ much.
>
> On Mon, Mar 28, 2022 at 11:08 AM Jacob Shivers <jshivers@redhat.com> wrote:
> >
> > Hello All,
> >
> > My setup:
> >
> > * Parent realm (AD.TOB.COM) and child realm (TEST.AD.TOB.COM) with a two-way
> > transitive trust in Active Directory.
> > * NFS client (f35.ad.tob.com) in AD.TOB.COM
> > * NFS server (8x1-nfs.ad.tob.com) in AD.TOB.COM exporting a Kerberized NFS
> > share
> > * User (data) in AD.TOB.COM
> > * User (lore) in TEST.AD.TOB.COM
> >
> > I am trying to set up cross-realm Kerberos delegation via Resource Based
> > Constrained Delegation (RBCD) within Active Directory 2K16. In this test, there
> > are two domains that have a parent/child relationship. Users in both the parent
> > and the child domain are logging into an NFS client within the parent realm that
> > has mounted a Kerberized NFS share from an NFS server also within the parent
> > realm. No user logging in has a Kerberos ticket and there are no stored keytabs
> > for users on the NFS client.
> >
> > Configuring gssproxy with 'impersonate = yes', users within the parent realm
> > are able to access the Kerberized NFS share with no issue. However, users in
> > the child realm are unable to access the share and gssproxy logs 'Illegal
> > cross-realm ticket' as returned by krb5 libraries. I observe this behavior in
> > RHEL 8.5 as well as Fedora 35 with Alexander Bokovoy's upstream copr build for
> > krb5-libs that includes RBCD patches not yet in Fedora proper.
> >
> > I have found some sample packet captures from wireshark.org for RBCD, but even
> > after viewing the captures, I still am not sure what the exact behavior should
> > be for cross-realm delegation. That being said, the NFS client logs
> > KRB5KRB_AP_ERR_ILL_CR_TKT before the point of delegation for the user in the
> > child domain to the local NFS server.
> >
> >
> > My limited understanding, and please excuse any misnaming, is that when the
> > user in the child domain on the NFS client attempts to access the Kerberized
> > NFS share with impersonation active the NFS client should:
> >
> > * Authenticate and receive a ticket granting service principal for its local
> > realm which is the parent realm (krbtgt/AD.TOB.COM@AD.TOB.COM).
> >
> > * Obtain the remote ticket granting server principal pointing towards the
> > child domain (krbtgt/TEST.AD.TOB.COM@AD.TOB.COM).
> >
> > * Obtain the remote ticket granting server principal pointing back towards the
> > parent domain (krbtgt/AD.TOB.COM@TEST.AD.TOB.COM).
> >
> > * Authenticate on behalf of the user in the child domain to the parent domain
> > using the cross realm TGT ticket (krbtgt/AD.TOB.COM@TEST.AD.TOB.COM) for the
> > proxy_impersonator (F35$@AD.TOB.COM).
> >
> > * Use the proxy_impersonator key to obtain the endpoint credentials for the
> > NFS server's nfs service (nfs/8x1-nfs.ad.tob.com@AD.TOB.COM) for the user in
> > the child domain
> >
> > The client does _not_ reach the point of the actual RBCD bits of requesting the
> > NFS ticket granting service ticket for the user based on comparing this failing
> > traffic to that of a user in the same realm. `$ tshark` flags
> > kerberos.KDCOptions.constrained.delegation and
> > kerberos.PAC.OPTIONS.FLAGS.resource.based.constrained.delegation are set once
> > this occurs.
> >
> >
> > The below is present in /etc/krb5.conf by way of
> > /var/lib/sss/pubconf/krb5.include.d/domain_realm_ad_tob_com:
> >
> > [capaths]
> > TEST.AD.TOB.COM = {
> > AD.TOB.COM = AD.TOB.COM
> > }
> > AD.TOB.COM = {
> > TEST.AD.TOB.COM = AD.TOB.COM
> > }
> >
> >
> > I have collected a network trace, a `# strace` of gssproxy, journalctl output,
> > as well as a KRB5_TRACE of gssproxy with debug_level set to 3. This lab
> > contains no confidential data so I can capture and share any tracing.
> >
> > I can also perform any additional tests should it be requested.
> >
> >
> > Thank you very much for any guidance that can be offered.
> >
> >
> >
> > --
> >
> > Jacob Shivers
>
>
>
> --
>
> Jacob Shivers

--

Jacob Shivers
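As an added example, not part of the thread: a script that parses the [capaths] stanza quoted above and lists the krbtgt tickets the impersonating NFS client (F35$@AD.TOB.COM) would hold before the cross-realm S4U2Self leg for a TEST.AD.TOB.COM user, which is a quick way to check that the configured path matches the first three steps the post expects. It assumes that a listed intermediate equal to ".", the client realm or the server realm adds no hop (my simplification of libkrb5's realm walk), and it raises instead of emulating the hierarchical fallback libkrb5 uses when no [capaths] entry exists.

```python
import re

# Constructed copy of the [capaths] stanza quoted in the post; it is not read
# from a real /etc/krb5.conf.
CAPATHS_CONF = """[capaths]
TEST.AD.TOB.COM = {
AD.TOB.COM = AD.TOB.COM
}
AD.TOB.COM = {
TEST.AD.TOB.COM = AD.TOB.COM
}
"""

def parse_capaths(text):
    """Return {client_realm: {server_realm: [listed intermediate realms]}}."""
    paths, block = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "[#":
            continue  # blank line, section header or comment
        if m := re.fullmatch(r"(\S+)\s*=\s*\{", line):
            block = paths.setdefault(m.group(1), {})  # start of a realm block
        elif line == "}":
            block = None
        elif block is not None and "=" in line:
            server, _, vals = line.partition("=")
            block.setdefault(server.strip(), []).extend(vals.split())
    return paths

def cross_realm_tgts(paths, client, server):
    """krbtgt principals requested, in order, to reach a KDC in `server`.
    Assumption: "." or an intermediate equal to either end adds no hop."""
    if client == server:
        return []
    hops = paths.get(client, {}).get(server)
    if hops is None:  # libkrb5 would fall back to a hierarchical realm walk
        raise LookupError(f"[capaths] has no entry for {client} -> {server}")
    path = [client, *[h for h in hops if h not in (".", client, server)], server]
    return [f"krbtgt/{nxt}@{cur}" for cur, nxt in zip(path, path[1:])]

def rbcd_ticket_chain(paths, host_realm, user_realm):
    """TGTs the impersonating host holds before cross-realm S4U2Self: its own
    TGT, the referral(s) to the user's realm, and the referral(s) back."""
    local = [f"krbtgt/{host_realm}@{host_realm}"]
    return (local + cross_realm_tgts(paths, host_realm, user_realm)
            + cross_realm_tgts(paths, user_realm, host_realm))

if __name__ == "__main__":
    print("\n".join(rbcd_ticket_chain(parse_capaths(CAPATHS_CONF), "AD.TOB.COM", "TEST.AD.TOB.COM")))
```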
