I figured it out, and it's working for me now. For anyone else who's having this issue, there are 2 separate things you have to set up to allow an intermediate service to impersonate a user:
* the ok_to_auth_as_delegate flag (in kadmin)
* an access control list in ldap.

I wasn't sure if editing ldap directly was the best thing to do, but I didn't know of any alternative, so I created an ldif file like this:

dn: krbPrincipalName=HTTP/www.example....@example.com,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com
changetype: modify
add: krbAllowedToDelegateTo
krbAllowedToDelegateTo: HTTP/datastore.example.com

You might be able to guess your appropriate ldap dn name based on that format, but I just found it by doing a search with ldapsearch for my top level entry, dc=example,dc=com.

After adding the above ldif with ldapmodify, constrained delegation now works nicely and I can turn it on and off for that intermediate service via kadmin, using the ok_to_auth_as_delegate flag.

Thanks again to everyone who replied to my other threads on this!

References: http://kerberos.996246.n3.nabble.com/ACL-for-Constrained-Delegation-td39665.html

-John

On Wed, Feb 6, 2019 at 3:49 PM John Byrne <jhnb...@gmail.com> wrote:
> Hi,
>
> I've set up a KDC using LDAP as the backend (krb5 1.15.1 on CentOS 7), and
> I'm trying to perform constrained delegation. However, I'm getting this
> error from the KDC when the intermediate service calls the step() function
> on the security context: "KDC policy rejects request"
>
> Here's the KDC log:
>
> Feb 06 15:39:35 localhost.localdomain krb5kdc[13310](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.0.22: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/www.example....@example.com for HTTP/datastore.example....@example.com, KDC policy rejects request
>
> I've set the "ok_to_auth_as_delegate" flag on the intermediate service
> principal HTTP/www.example.com, using kadmin.local (output of getprinc
> below).
>
> Is there something else I need to do to allow this?
>
> Thanks,
> John
>
> PS. here's the output of kadmin.local getprinc command for the
> intermediate service principal:
>
> kadmin.local: getprinc HTTP/www.example.com
> Principal: HTTP/www.example....@example.com
> Expiration date: [never]
> Last password change: Wed Feb 06 14:58:41 EST 2019
> Password expiration date: [never]
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 0 days 00:00:00
> Last modified: Wed Feb 06 15:19:15 EST 2019 (root/ad...@example.com)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 2
> Key: vno 2, aes256-cts-hmac-sha1-96
> Key: vno 2, aes128-cts-hmac-sha1-96
> MKey: vno 1
> Attributes: OK_TO_AUTH_AS_DELEGATE

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
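An added defender-side check, not code from the thread or from MIT krb5: it parses krb5kdc TGS_REQ log lines like the one quoted above, collects the NOT_ALLOWED_TO_DELEGATE rejections per intermediate service, and builds ldapmodify input in the same shape as the ldif in this message so each grant can be reviewed before it is applied. The sample log lines, the spelled-out principal names, and the default krb5 LDAP DN layout are assumptions.

```python
import re
from collections import defaultdict

# krb5kdc TGS_REQ log format: "... TGS_REQ (<n> etypes {...}) <ip>: <STATUS>: authtime <t>,
# [etypes {...}, ]<client> for <server>[, <message>]". In an S4U2Proxy request the
# client is the intermediate service and the server is the requested delegation target.
TGS_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): TGS_REQ \(\d+ etypes \{[^}]*\}\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): authtime \d+, (?:etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\n]+)(?:, (?P<msg>.*))?"
)

# Constructed sample log: line 1 mirrors the rejection quoted in the thread with the
# obfuscated principals written out (an assumption); line 2 is an ordinary ISSUE line.
SAMPLE_LOG = """\
Feb 06 15:39:35 localhost.localdomain krb5kdc[13310](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.0.22: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/www.example.com@EXAMPLE.COM for HTTP/datastore.example.com@EXAMPLE.COM, KDC policy rejects request
Feb 06 15:40:02 localhost.localdomain krb5kdc[13310](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.0.22: ISSUE: authtime 1549485602, etypes {rep=18 tkt=18 ses=18}, HTTP/www.example.com@EXAMPLE.COM for HTTP/datastore.example.com@EXAMPLE.COM
"""

def parse_tgs_line(line):
    """Return the fields of one TGS_REQ log line as a dict, or None for any other line."""
    m = TGS_RE.search(line)
    return m.groupdict() if m else None

def delegation_rejections(log_text):
    """Map each intermediate service to the targets the KDC refused to delegate to."""
    rejected = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_tgs_line(line)
        if rec and rec["status"] == "NOT_ALLOWED_TO_DELEGATE":
            if rec["service"] not in rejected[rec["client"]]:
                rejected[rec["client"]].append(rec["service"])
    return dict(rejected)

def ldif_allow_delegation(intermediate, targets, realm, base_dn):
    """Build ldapmodify input in the shape of the thread's ldif (default krb5 LDAP DN layout)."""
    # Target values are stored without the realm, as in the thread's working example.
    entry = [
        f"dn: krbPrincipalName={intermediate},cn={realm},cn=krbContainer,{base_dn}",
        "changetype: modify",
        "add: krbAllowedToDelegateTo",
    ]
    entry += [f"krbAllowedToDelegateTo: {t.split('@', 1)[0]}" for t in targets]
    return "\n".join(entry) + "\n"

if __name__ == "__main__":
    # Each target granted here is a service the intermediate may then obtain tickets
    # for on behalf of any user, so review the list rather than applying it blindly.
    for svc, targets in delegation_rejections(SAMPLE_LOG).items():
        print(ldif_allow_delegation(svc, targets, "EXAMPLE.COM", "dc=example,dc=com"))
```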