Posted to dev@directory.apache.org by "Steve Moyer (JIRA)" <ji...@apache.org> on 2015/11/06 21:59:10 UTC

[jira] [Commented] (DIRKRB-440) Enhance Kinit to request a service ticket

    [ https://issues.apache.org/jira/browse/DIRKRB-440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14994417#comment-14994417 ] 

Steve Moyer commented on DIRKRB-440:
------------------------------------

The changes made to KinitTool.java to implement the -S flag don't perform the correct operation.  When the MIT kinit program is run with the -S option, it requests a TGT with an associated server name as shown in this packet capture:

!https://issues.apache.org/jira/secure/attachment/12771110/kerby-mit-kinit-with-dash-s-option.png!

The changes made to the KinitTool.java program retrieve a service ticket in two steps, each making a request.  First, the client principal and password (or keytab, etc.) are used to retrieve a TGT, with the default server name of krbtgt/<realm> as shown in this packet capture:

!https://issues.apache.org/jira/secure/attachment/12771109/kerby-kinittool-with-dash-s-option-tgt.png!

This TGT is then used to request a service ticket using the service name passed using the -S argument.  A TGT with an associated server name is not the same as a service ticket.  This packet capture shows the TGS request:

!https://issues.apache.org/jira/secure/attachment/12771108/kerby-kinittool-with-dash-s-option-tgs.png!

It should also be noted that the MIT kinit program sends the FORWARDABLE, PROXIABLE and RENEWABLE_OK flags set by default.

One final problem with the changes to the KinitTool is that it doesn't save or use the returned service ticket (the TGT itself is pushed into the cache to be returned by klist, etc).

I'll be adding a set of associated sub-issues to correct the KinitTool behavior.

> Enhance Kinit to request a service ticket
> -----------------------------------------
>
>                 Key: DIRKRB-440
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-440
>             Project: Directory Kerberos
>          Issue Type: New Feature
>            Reporter: Xu Yaning
>         Attachments: kerby-kinittool-with-dash-s-option-tgs.png, kerby-kinittool-with-dash-s-option-tgt.png, kerby-mit-kinit-with-dash-s-option.png
>
>
> In the USAGE of {{KinitTool.java}}, it supports parameter "-S service_name" to enable the user to request a service ticket. It just needs to be implemented.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
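
The two request flows contrasted in the comment above can be told apart from the raw KDC requests. The following is an added example, not code from the post or from Kerby: it is written in Python, parses constructed minimal DER requests, and reports whether a `-S` run sent one AS-REQ naming the service or a krbtgt AS-REQ followed by a TGS-REQ. The service name, the realm and the zero kdc-options in the two-step samples are assumptions.

```python
# Added example. Samples are constructed, minimal DER: KDC-REQ-BODY fields this
# check does not read (till, nonce, etype) are omitted; names and options are assumed.
AS_REQ, TGS_REQ = 10, 12
FLAGS = {"FORWARDABLE": 1, "PROXIABLE": 3, "RENEWABLE_OK": 27}  # RFC 4120 bit numbers

def tlv(tag, body):  # encode one DER TLV (short-form length, enough for the samples)
    return bytes([tag, len(body)]) + body

def children(data):  # split DER bytes into (tag, content) pairs
    out, i = [], 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
            n, i = int.from_bytes(data[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        out.append((tag, data[i:i + n]))
        i += n
    return out

def inner(data):  # content of the single TLV that `data` consists of
    return children(data)[0][1]

def kdc_req(msg_type, options, sname, realm=b"EXAMPLE.COM"):  # build a sample request
    parts = b"".join(tlv(0x1B, p) for p in sname.split(b"/"))
    name = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0xA1, tlv(0x30, parts)))
    body = tlv(0x30, tlv(0xA0, tlv(0x03, b"\x00" + options.to_bytes(4, "big")))
               + tlv(0xA2, tlv(0x1B, realm)) + tlv(0xA3, name))
    req = tlv(0x30, tlv(0xA1, tlv(0x02, b"\x05"))
              + tlv(0xA2, tlv(0x02, bytes([msg_type]))) + tlv(0xA4, body))
    return tlv(0x60 | msg_type, req)  # [APPLICATION 10] AS-REQ, [APPLICATION 12] TGS-REQ

def summarize(msg):  # -> (msg-type, sname, names of the kdc-options bits that are set)
    req = dict(children(inner(inner(msg))))
    body = dict(children(inner(req[0xA4])))
    bits = int.from_bytes(inner(body[0xA0])[1:], "big")  # skip the unused-bits octet
    name = dict(children(inner(body[0xA3])))
    sname = b"/".join(v for _, v in children(inner(name[0xA1]))).decode()
    flags = {f for f, b in FLAGS.items() if bits >> (31 - b) & 1}
    return inner(req[0xA2])[0], sname, flags

def classify(messages, service, realm="EXAMPLE.COM"):  # label one `-S service` run
    kinds = [summarize(m)[:2] for m in messages]
    if kinds == [(AS_REQ, service)]:
        return "as-req-for-service"  # the flow the post reports for MIT kinit -S
    if kinds == [(AS_REQ, "krbtgt/" + realm), (TGS_REQ, service)]:
        return "tgt-then-tgs"        # the flow the post reports for KinitTool -S
    return "other"

SERVICE = "HTTP/www.example.com"  # constructed service principal
MIT_FLOW = [kdc_req(AS_REQ, 0x50000010, SERVICE.encode())]
KINITTOOL_FLOW = [kdc_req(AS_REQ, 0, b"krbtgt/EXAMPLE.COM"), kdc_req(TGS_REQ, 0, SERVICE.encode())]
```

The value `0x50000010` is the kdc-options word with only the three flags named in the post set.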