Kerberos protocol transition with unconstrained delegation (i.e. TGT impersonation)

From: jcalmels@nvidia.com (Jonathan Calmels)
Newsgroups: comp.protocols.kerberos
Subject: Kerberos protocol transition with unconstrained delegation (i.e. TGT impersonation)
Date: Thu, 27 Oct 2022 06:34:28 +0000
Message-ID: <mailman.114.1666881264.8148.kerberos@mit.edu>
To: "kerberos@mit.edu" <kerberos@mit.edu>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
 by: Jonathan Calmels - Thu, 27 Oct 2022 06:34 UTC

Hi,

We have a Linux cluster fully kerberized including its own MIT Kerberos KDC which we control.
Users authenticate to it through a one-way trust with an Active Directory. After being authenticated, users submit their workload with their TGT and the scheduler will forward it to the nodes it allocated (i.e. unconstrained delegation).
So far everything is working as expected.

Now the problem is that we need to support the same workflow from a CI/CD webservice.
Users authenticate to the CI/CD webservice through SAML and will trigger some kind of job to be scheduled. The scheduler knows the user's principal but doesn't have a TGT associated with it.

Basically, the scheduler needs a way to impersonate users' TGTs to start their workload.
How does one go about that, given that:

- We can't use SPNEGO on the CI/CD webservice or request anything from the user there. It has to be regular SAML and we don't control user interactions.
- We can't use constrained delegation (aka. S4U) because the scheduler needs the user's TGT not a service ticket. Users are free to use their TGT however they want from the allocated nodes.

So far, the only hack we can think of is replicating the AD users into the MIT KDC and writing some kind of GSS service that would issue TGTs for those (given the proper service ticket).
Something like:

1. The scheduler does protocol transition with the AD UPN it got from the CI/CD
2. The scheduler contacts this GSS service with the resulting service ticket
3. The GSS service converts the UPN from the AD realm to its MIT realm counterpart
4. If everything checks out, it sends back a TGT for the user (this might involve some unconventional calls to libkadm5)
5. The scheduler forwards this TGT as usual

Is there a cleaner alternative? Ideally, one that doesn't involve replicating users.

If not, are libgssapi and libkadm5 the best way to implement it, or would something like a plugin module be better suited?

Thanks for any insight

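The post's sketch leaves step 3 (mapping the AD UPN to its MIT-realm counterpart) and the authorization gate before step 4 unspecified, and those are exactly the places where a TGT-issuing service would go wrong. The example below is added here and is not the poster's code nor anything from MIT Kerberos or libkadm5; the realm names, the scheduler principal and the realm allow-list are constructed assumptions. It parses principals with MIT-style backslash escapes, accepts only plain single-component user principals from an explicitly mapped realm, rejects anything with an instance (host/..., krbtgt/...) or an escaped '@' smuggled into the name, and requires the authenticated GSS initiator to be the scheduler before any mapping happens. The actual TGT issuance is deliberately left out, since the page does not describe it.

```python
"""Validation for the UPN -> MIT principal step of the GSS service sketched in
the post. Added example, not the poster's code. Realm names, the scheduler
principal and the mapping table are constructed assumptions."""
import re
from typing import List, NamedTuple

# Constructed assumptions: the AD realm behind the one-way trust, the MIT realm
# the cluster KDC serves, and the principal the scheduler authenticates as.
REALM_MAP = {"AD.EXAMPLE.COM": "CLUSTER.EXAMPLE.COM"}
SCHEDULER_PRINCIPAL = "scheduler/sched01.cluster.example.com@CLUSTER.EXAMPLE.COM"

# A plain user name: no separators, no whitespace, nothing that could be read
# as an instance or realm once the string is re-serialised for the KDC.
_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


class Principal(NamedTuple):
    components: List[str]
    realm: str


def parse_principal(text: str) -> Principal:
    """Split 'comp1/comp2@REALM' into components and realm, honouring
    backslash escapes of '/', '@' and '\\' the way MIT Kerberos prints them."""
    comps: List[str] = []
    cur: List[str] = []
    in_realm = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])  # escaped character, taken literally
            i += 2
            continue
        if not in_realm and ch == "/":
            comps.append("".join(cur))
            cur = []
        elif not in_realm and ch == "@":
            comps.append("".join(cur))
            cur = []
            in_realm = True
        else:
            cur.append(ch)
        i += 1
    if not in_realm:
        raise ValueError("principal has no realm: %r" % text)
    realm = "".join(cur)
    if not realm or any(c == "" for c in comps):
        raise ValueError("empty component or realm in %r" % text)
    return Principal(comps, realm)


def map_upn_to_mit(upn: str) -> str:
    """Step 3 of the post: convert an AD UPN to its MIT-realm counterpart.

    Only single-component principals from a realm listed in REALM_MAP are
    accepted. Principals with an instance (host/..., krbtgt/...) and names
    containing escaped separators are refused so the service can never be
    asked for a TGT belonging to a service or another realm's ticket-granting
    principal. AD treats names case-insensitively while MIT does not, so the
    user part is normalised to lower case (a design choice, not a requirement)."""
    p = parse_principal(upn)
    realm = p.realm.upper()
    if realm not in REALM_MAP:
        raise PermissionError("realm %s is not trusted for mapping" % p.realm)
    if len(p.components) != 1 or not _NAME_RE.match(p.components[0]):
        raise PermissionError("only plain user principals may be mapped: %r" % upn)
    return "%s@%s" % (p.components[0].lower(), REALM_MAP[realm])


def authorize_tgt_request(caller: str, upn: str) -> str:
    """Gate before step 4: the authenticated GSS initiator (the client name
    taken from the accepted security context, i.e. what the service ticket
    proves) must be the scheduler itself, and the requested UPN must map.
    Returns the MIT principal a TGT may be issued for; raises otherwise."""
    if caller != SCHEDULER_PRINCIPAL:
        raise PermissionError("caller %s is not the scheduler" % caller)
    return map_upn_to_mit(upn)


if __name__ == "__main__":
    # Constructed sample request: scheduler asking on behalf of an AD user.
    print(authorize_tgt_request(SCHEDULER_PRINCIPAL, "JDoe@ad.example.com"))
```

The caller name must come from the accepted GSS context (the initiator name after gss_accept_sec_context succeeds), never from a field in the request body, and the mapping table should be the only way a foreign realm becomes a local one; a wildcard or a string substitution on the realm suffix would silently extend the trust to realms the KDC has no relationship with.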