kerberos wrong TGS delegation


Alex Gaysinsky

Hello,

We use a Microsoft DC as our KDC for UNIX machines.
We also connect to UNIX applications from UNIX/Windows
using GSSAPI/SSPI.

Each UNIX machine has an account in Active Directory.
Suppose this has the "Trusted for delegation" flag
UNSET.

*** The Windows client cannot delegate its credentials
to the UNIX machine (the TGS "OK to delegate" flag is off
in the Windows credential cache) - this is OK.

*** But the UNIX client succeeds in fetching a TGS with
"OK to delegate" ON regardless of the flag in
Active Directory - (it's NOT OK)

Could I fix it in some way?
Thanks a lot,
Alex
 
The "trusted for delegation" flag is only a hint to the client that the KDC
doesn't think that server is safe for delegation. Ultimately, it's up to
the client to determine for itself whether it actually wants to perform
delegation. The version of Kerberos on your unix clients doesn't know about
(or is ignoring) that hint.

Your unix clients' Kerberos implementation needs to handle the "OK as
delegate" ticket flag. This flag is defined in Kerberos Revisions (see MSKB
266080 for details). Check to see if there's a new version of kerberos from
your vendor that supports this flag-- or if there's a configuration option
to enable it.

--
Dave Christiansen, Windows Core Security Testing
This message is provided "AS IS" with no warranties, and confers no rights.
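The reply says the "OK as delegate" ticket flag is only a hint that the client itself has to honour. As an added example (not part of the original thread), the script below shows how a UNIX client can check that hint before delegating: MIT Kerberos `klist -f` prints the ticket flags, and the letter O in the Flags column means the KDC set OK-AS-DELEGATE on that service ticket. The klist output embedded in the script is constructed sample data in the MIT format (principal names, cache path and times are made up), so it runs offline; pass the real `klist -f` output instead to check a live cache.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks whether a service ticket
# in an MIT krb5 credential cache carries the "ok as delegate" flag, which
# `klist -f` prints as the letter O in the Flags column.

# Constructed sample of `klist -f` output (assumption: MIT krb5 layout, where
# each ticket line is followed by an indented "Flags:" line).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
01/01/24 09:00:00  01/01/24 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: FIA
01/01/24 09:01:00  01/01/24 19:00:00  host/unixapp.example.com@EXAMPLE.COM
	Flags: FAO
01/01/24 09:02:00  01/01/24 19:00:00  host/other.example.com@EXAMPLE.COM
	Flags: FA'

# ticket_flags <klist-output> <service-principal>
# Prints the Flags value of the ticket for the given service principal, or
# nothing if that ticket is not in the cache.
ticket_flags() {
    printf '%s\n' "$1" | awk -v svc="$2" '
        $NF == svc            { want = 1; next }   # ticket line for our service
        want && $1 == "Flags:" { print $2; exit }  # the flags line right after it
                              { want = 0 }         # any other line resets the match
    '
}

# ok_as_delegate <klist-output> <service-principal>
# Returns 0 when the ticket has the O flag (the KDC marked the service as
# trusted for delegation), 1 otherwise or when the ticket is absent. A client
# that honours the hint delegates only when this returns 0.
ok_as_delegate() {
    case "$(ticket_flags "$1" "$2")" in
        *O*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demonstration on the constructed cache. Against a live cache use:
#   ok_as_delegate "$(klist -f)" host/unixapp.example.com@EXAMPLE.COM
for svc in host/unixapp.example.com@EXAMPLE.COM host/other.example.com@EXAMPLE.COM; do
    if ok_as_delegate "$SAMPLE_KLIST" "$svc"; then
        echo "$svc: O flag set, client may delegate"
    else
        echo "$svc: O flag not set, do not delegate"
    fi
done
```

The script only reads what the KDC already put in the ticket; the enforcement still has to happen on the client, which is the point of the reply above. Recent MIT krb5 releases can make the GSSAPI library do this automatically with `enforce_ok_as_delegate = true` in the `[libdefaults]` section of krb5.conf, so that credential delegation is refused whenever the service ticket lacks the O flag; older implementations, as the reply notes, may ignore the flag entirely.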
 