[ 
https://issues.apache.org/jira/browse/DIRKRB-440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14994417#comment-14994417
 ] 

Steve Moyer commented on DIRKRB-440:
------------------------------------

The changes made to KinitTool.java to implement the -S flag don't perform the 
correct operation.  When the MIT kinit program is run with the -S option, it 
requests a TGT with an associated server name as shown in this packet capture:

!https://issues.apache.org/jira/secure/attachment/12771110/kerby-mit-kinit-with-dash-s-option.png!

The changes made to the KinitTool.java program retrieve a service ticket in 
two steps, each making a request.  First, the client principal and password (or 
keytab, etc.) are used to retrieve a TGT, with the default server name of 
krbtgt/<realm> as shown in this packet capture:

!https://issues.apache.org/jira/secure/attachment/12771109/kerby-kinittool-with-dash-s-option-tgt.png!

This TGT is then used to request a service ticket using the service name passed 
using the -S argument.  A TGT with an associated server name is not the same as 
a service ticket.  This packet capture shows the TGS request:

!https://issues.apache.org/jira/secure/attachment/12771108/kerby-kinittool-with-dash-s-option-tgs.png!

It should also be noted that the MIT kinit program also sends the FORWARDABLE, 
PROXIABLE and RENEWABLE_OK flags set by default.

One final problem with the changes to the KinitTool is that it doesn't save or 
use the returned service ticket (the TGT itself is pushed into the cache to be 
returned by klist, etc).

I'll be adding a set of associated sub-issues to correct the KinitTool behavior.

> Enhance Kinit to request a service ticket
> -----------------------------------------
>
>                 Key: DIRKRB-440
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-440
>             Project: Directory Kerberos
>          Issue Type: New Feature
>            Reporter: Xu Yaning
>         Attachments: kerby-kinittool-with-dash-s-option-tgs.png, 
> kerby-kinittool-with-dash-s-option-tgt.png, 
> kerby-mit-kinit-with-dash-s-option.png
>
>
> In the USAGE of {{KinitTool.java}}, it supports parameter "-S service_name" 
> to enable the user to request a service ticket. It just needs to be 
> implemented.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
