Delegation configuration help.

Delegation configuration help.

chinni
Hi Samba Team,

I configured delegation on the w2k3 server for the cifs service for a custom domain account. The front end server, which is a Linux CentOS box, connects to the back end server, which is a w2k3 server with AD installed. So from the CentOS box, when I get the service ticket for user X on behalf of the delegated user Y (user Y gets the ticket for user X) and send the same ticket to the server, the server replies with KRB5KRB_AP_ERR_MODIFIED.

I am using Heimdal code for sending the AP-REQ and TGS-REQ. The service ticket in the TGS-REP has the ticket in which the client name is user X. But the ticket is encrypted using user Y's password hash. So the application server cannot decrypt the ticket (this is why the AP_ERR_MODIFIED results). I need help with this: what configuration needs to be made on the Linux box as well as on the w2k3 server so that I can get over this error? Or else, how can we make the application server take the domain account password to decrypt the ticket rather than taking the machine account password?

The Linux box is joined into the domain and I can ping using the FQDN successfully. Now in the TGS-REQ there is a PA-S4U2self in which user X and the checksum are encapsulated along with the PA-TGS-REQ. The flags for the TGS-REQ are forwardable, constrained delegation, canonicalize. Service ticket flags are forwardable and pre-auth. Finally, AD and the application server are on the same machine.

My SPNs for the domain account user:

           setspn -a cifs/<application server name>.<domainname>.com  <domain>\<domain account>
           setspn -a cifs/<application server name>  <domain>\<domain account>

Please help me with how to overcome this.


Thanks,
chinni
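Whether the application server can decrypt the service ticket comes down to whether its keytab holds a key for the principal the cifs/ SPN is registered to, at the ticket's kvno and enctype. The example below is added here and is not code from the thread or from Samba/Heimdal; the realm, host name and key bytes are constructed. It parses a keytab and performs the same three-way lookup an acceptor does, so a missing cifs/ key on the box shows up as a failed lookup rather than as an opaque KRB5KRB_AP_ERR_MODIFIED.

```python
import struct

def _cs(b):  # counted octet string: uint16 big-endian length + bytes
    return struct.pack(">H", len(b)) + b

def keytab_entry(realm, comps, kvno, enctype, key, ts=0):
    """Serialise one keytab entry (version 0x0502 layout, 32-bit kvno tail)."""
    body = struct.pack(">H", len(comps)) + _cs(realm.encode())
    body += b"".join(_cs(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)  # name type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Parse keytab bytes into dicts with principal, kvno, enctype and key."""
    assert data[:2] == b"\x05\x02", "only keytab version 0x0502 is handled"
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off); off += 4
        if size <= 0:  # negative size marks a deleted slot
            off += -size; continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off); off += 2
        parts = []
        for _ in range(ncomp + 1):  # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, off)
            parts.append(data[off + 2: off + 2 + n].decode()); off += 2 + n
        _, _, vno8 = struct.unpack_from(">IIB", data, off); off += 9
        etype, klen = struct.unpack_from(">HH", data, off); off += 4
        key = data[off: off + klen]; off += klen
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                        "kvno": kvno, "enctype": etype, "key": key})
        off = end
    return entries

def acceptor_key(entries, sname, kvno, enctype):
    """Acceptor-side lookup: the ticket's sname, kvno and enctype must all match
    one keytab entry, else decryption fails and the client sees KRB5KRB_AP_ERR_MODIFIED."""
    for e in entries:
        if (e["principal"], e["kvno"], e["enctype"]) == (sname, kvno, enctype):
            return e["key"]
    return None

# Constructed sample: the keytab only holds the machine account's host/ key,
# while the cifs/ SPN was registered on a separate domain account (as in the thread).
REALM, HOST = "EXAMPLE.COM", "appserver.example.com"  # assumed realm and host names
KEYTAB = b"\x05\x02" + keytab_entry(REALM, ["host", HOST], 2, 23, bytes(range(16)))

def diagnose(keytab=KEYTAB):
    """True if a cifs/<host> ticket (kvno 3, enctype 23 = rc4-hmac) could be decrypted."""
    return acceptor_key(parse_keytab(keytab), f"cifs/{HOST}@{REALM}", 3, 23) is not None
```

Appending an entry for cifs/<host> at the right kvno and enctype (the key of the account the SPN was set on) makes the lookup succeed; the host/ machine-account key alone never will.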
Re: Delegation configuration help.

ssnkumar
Hi,

I don't know if the delegation functionality of Samba really works.
I have also faced similar problems and it is still not resolved.

It will be of great help if somebody from the Samba team clarifies regarding this:
1. Does the delegation functionality work as expected?
2. Has anybody used this or at least tested this before?
3. Is there any limitation on using this?
4. Do we need to do any hack to get this working?

Hope somebody can answer these questions.

Warm Regards,
Narendra

Visit my blogs at:
http://ssnarendrakumar.blogspot.com/


On Tue, Mar 8, 2011 at 3:52 PM, chinni <[hidden email]> wrote: