directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Steve Moyer (JIRA)" <>
Subject [jira] [Commented] (DIRKRB-440) Enhance Kinit to request a service ticket
Date Fri, 06 Nov 2015 20:59:10 GMT


Steve Moyer commented on DIRKRB-440:

The changes made to to implement the -S flag don't perform the correct operation.
 When the MIT kinit program is run with the -S option, it requests a TGT with an associated
server name as shown in this packet capture:


The changes made to the program retrieves a service ticket in two steps, each
making a request.  First, the client principal and password (or keytab, etc) is used to retrieve
a TGT, with the default server name of krbtgt/<realm> as shown in this packet capture:


This TGT is then used to request a service ticket using the service name passed using the
-S argument.  A TGT with an associated server name is not the same as a service ticket.  This
packet capture shows the TGS request:


It should also be noted that the MIT kinit program also sends the FORWARDABLE, PROXIABLE AND
RENEWABLE_OK flags set by default.

One final problem with the changes to the KinitTool is that it doesn't save or use the returned
service ticket (the TGT itself is pushed into the cache to be returned by klist, etc).

I'll be adding a set of associated sub-issues to correct the KinitTool behavior.

> Enhance Kinit to request a service ticket
> -----------------------------------------
>                 Key: DIRKRB-440
>                 URL:
>             Project: Directory Kerberos
>          Issue Type: New Feature
>            Reporter: Xu Yaning
>         Attachments: kerby-kinittool-with-dash-s-option-tgs.png, kerby-kinittool-with-dash-s-option-tgt.png,
> In the USAGE of {{}}, it supports parameter "-S service_name" to enable
the user to request a service ticket. It just need to be implemented.

This message was sent by Atlassian JIRA

View raw message