Questions at the end
About my environment
I have tried in two different environments: (i) Linux Ubuntu 16.04LTS server enrolled in Active Directory (Microsoft) Domain and (ii) Linux Ubuntu 16.04LTS server enrolled in a FreeIPA Realm.
Krb5 binary version:
$ strings libkrb5.so | grep BRAND
KRB5_BRAND: krb5-1.13.2-final 1.13.2 2015050
What I like to do
I'm trying to use ksu command to login on the current host (authdemo4.addemo.it) as another user: kservice. In detail I'm trying (i) to obtain a service ticket for user kservice for the host authdemo4.addemo.it, (ii) to save the ticket in a MIT cache file /media/public/krb_kservice and (iii) to provide this ticket to ksu command in order to login as kservice.
it should be possibile
The ksu MIT documentation states that using a service ticket from cache file is possible, let's quote:
Otherwise, ksu looks for an appropriate Kerberos ticket in the source cache. The ticket can either be for the end-server or a ticket granting ticket (TGT) for the target principal’s realm. If the ticket for the end-server is already in the cache, it’s decrypted and verified. If it’s not in the cache but the TGT is, the TGT is used to obtain the ticket for the end-server. The end-server ticket is then verified.
My experiments and results
When using the TGT Kerberos ticket.. it works like a charm:
$ kinit -c /media/public/krb_kservice kservice
Password for kservice@ADDEMO.IT:
$ ksu kservice -n kservice@ADDEMO.IT -c FILE:/media/public/krb_kservice
Authenticated kservice@ADDEMO.IT
Account kservice: authorization for kservice@ADDEMO.IT successful
Changing uid to kservice (50006)
groups: cannot find name for group ID 50024
kservice@authdemo4:/home/userlab$
This is the cache content, there is only the TGT:
$ klist -c /media/public/krb_kservice
Ticket cache: FILE:/media/public/krb_kservice
Default principal: kservice@ADDEMO.IT
Valid starting Expires Service principal
11/08/2017 11:44:07 11/08/2017 21:44:07 krbtgt/ADDEMO.IT@ADDEMO.IT
renew until 11/09/2017 11:44:03
When trying with the end-server Kerberos ticket (service ticket) it fails, ksu ignores the cached ticket and asks for the user password:
$ kinit -S HOST/authdemo4@ADDEMO.IT -c /media/public/krb_kservice kservice
Password for kservice@ADDEMO.IT:
$ ksu kservice -n kservice@ADDEMO.IT -c FILE:/media/public/krb_kservice
WARNING: Your password may be exposed if you enter it here and are logged in remotely using an unsecure (non-encrypted) channel.
Kerberos password for kservice@ADDEMO.IT: :
Please note that I have tried all these service principals: host/authdemo4.addemo.it@ADDEMO.IT, HOST/authdemo4.addemo.it@ADDEMO.IT, host/authdemo4@ADDEMO.IT, HOST/authdemo4@ADDEMO.IT
This is the cache content, there is only the service ticket:
$ klist -f -c /media/public/krb_kservice
Ticket cache: FILE:/media/public/krb_kservice
Default principal: kservice@ADDEMO.IT
Valid starting Expires Service principal
11/08/2017 13:51:05 11/08/2017 23:51:05 HOST/authdemo4@ADDEMO.IT
renew until 11/09/2017 13:51:02, Flags: FPRIA
It is proxiable-forwardable-renewable-initial-preauthenticated ticket.
In brief: my attempt with end-server service ticket doesn't work.
I checked with Wireshark the ksu Kerberos requests to the DC in order to find differences with my requested service ticket. Service name is the same "host/authdemo4", ksu adds the canonizable flag to the ticket and it asks the ticket to the TGS while kinit sends the request to the AS :-(
Update, using kvno command (fails)
I examined deeply with Wireshark the TGS request/response performed by ksu and I found out that the correct service is: host/authdemo4@ADDEMO.IT
I have tried with kvno to insert the service ticket into the cache:
Insert TGT:
$ kinit kservice -c ./prova.cc
Password for kservice@ADDEMO.IT:
Insert service ticket:
$ kvno host/authdemo4@ADDEMO.IT -c ./prova.cc
host/authdemo4@ADDEMO.IT: kvno = 17
Check cache content:
$ klist -c ./prova.cc
Ticket cache: FILE:./prova.cc
Default principal: kservice@ADDEMO.IT
Valid starting Expires Service principal
11/09/2017 15:18:53 11/10/2017 01:18:53 krbtgt/ADDEMO.IT@ADDEMO.IT
renew until 11/10/2017 15:18:48
11/09/2017 15:19:07 11/10/2017 01:18:53 host/authdemo4@ADDEMO.IT
renew until 11/10/2017 15:18:48
Invoke ksu:
$ ksu kservice -n kservice@ADDEMO.IT -c FILE:./prova.cc
Authenticated kservice@ADDEMO.IT
Account kservice: authorization for kservice@ADDEMO.IT successful
Changing uid to kservice (50006)
groups: cannot find name for group ID 50024
It seems to work BUT it always ignores the service ticket and performs again from scratch a TGS request for host/authdemo4. I have also checked (with Wireshark) differences between the responses of the ksu and kvno requests, ->I<- don't notice any difference (see attached image): I have also tried using ksu more than once without purging the cache and the TGS request is performed again, each time.
In brief: this attempt with end-server service ticket doesn't work (service ticket is always re-requested).
Questions
They overlap a bit :-)
- is there a way to populate a Kerberos cache file with a service ticket that is compatible with ksu?
- Are there alternatives to kvno command in order to perform service ticket requests to TGS?
- Am I doing something wrong? Any tip?
- Do you think this is a ksu bug? :-)
Regards