Sorry to dredge up a thread a couple of months old, but I believe that the behavior I'm seeing is directly related to this, and instead of coming in grasping at straws, I decided it would be best to use this as context.
I have a heterogeneous environment with a Windows KDC in which both my user and computer accounts exist. When I authenticate to Unix_01 with my credentials, I receive my TGT and host TGS. From this host I 'ssh [-K] Unix_02' and am presented with a TGT with flags: FfRA. Unix_02 is then able to request additional tickets to NFS_01 (where the user home directory is stored via NFS4/Krb).

If I authenticate to Windows_01, I receive similar tickets; however, my ssh (PuTTY) connection does not forward tickets to Unix_02. This is true even if I explicitly enable GSSAPI delegation in PuTTY. The only way to get this to function is to set "Trust this computer for delegation to any service" on the Unix_02 computer object in AD and then request a new ticket on Windows_01 for host/Unix_02, which will now contain the ok_as_delegate flag.

I was baffled by this until I found this thread in my archive and hashed over the applicable section in 4120. From what I am reading here, it would appear that this behavior is expected, as the Unix systems (MIT) will forward a ticket regardless of the ok_as_delegate flag. IOW, Windows systems require the host to show ok_as_delegate in order to forward a ticket, whereas Unix systems do not.

Can I have a confirmation that I understand this correctly? If so, I would like to ask a couple of follow-up questions, but I don't want to waste time if I am still unclear on the root issue.

TIA

On Tue, Feb 11, 2014 at 7:30 AM, Vipul Mehta <vipulmehta.1...@gmail.com> wrote:
> @Christopher : I know about that option. I don't want to disable delegation,
> but I want to know the correct behaviour of MIT Kerberos with the KDC option I
> specified.
>
> @Greg, now it's clear to me.
> Checked the code also. So, if the initiator has requested GSS_C_DELEG_FLAG,
> then delegation will always be done, and the value of the "ok-as-delegate" flag in
> the service ticket does not matter in that case.
> The value of the "ok-as-delegate" flag is important when the initiator has not
> requested GSS_C_DELEG_FLAG but has requested GSS_C_DELEG_POLICY_FLAG.
>
> On Tue, Feb 11, 2014 at 2:21 AM, Greg Hudson <ghud...@mit.edu> wrote:
> > I believe this option affects the ok-as-delegate ticket flag, which was
> > added in RFC 4120. Microsoft's Kerberos implementation honors this
> > flag, but Unix implementations do not, as doing so would effectively
> > disable all ticket forwarding in most Unix environments.
> >
> > MIT krb5 and Heimdal did add the GSS_C_DELEG_POLICY_FLAG flag so that
> > applications can choose to delegate tickets only if the ok-as-delegate
> > flag is set on the service ticket. But it's not clear when a Unix
> > application would want to use that instead of GSS_C_DELEG_FLAG.
>
> --
> Regards,
> Vipul
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
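The following is an added example, not code from the thread or from MIT krb5. It decodes the ticket flags the poster quotes from klist ("FfRA") into RFC 4120 section 5.3.1 TicketFlags names and bit positions, and models the initiator-side delegation rule as Greg and Vipul describe it for MIT/Heimdal GSSAPI: GSS_C_DELEG_FLAG delegates unconditionally, GSS_C_DELEG_POLICY_FLAG alone delegates only when the service ticket carries ok-as-delegate. The klist letter table follows klist(1); the function names, the constructed flag strings and the integer encoding (bit 0 of the ASN.1 BIT STRING as the most significant bit of a 32-bit word) are my choices, not anything MIT exposes under these names.

```python
"""Decode Kerberos TicketFlags and model the MIT/Heimdal GSSAPI delegation decision
described in the thread. Added example; not part of the original thread or MIT krb5."""

# RFC 4120 section 5.3.1 TicketFlags bit positions (ASN.1 BIT STRING, bit 0 is the
# most significant bit; bit 0 itself is reserved and never set here).
TICKET_FLAG_BITS = {
    "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may-postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8,
    "initial": 9, "pre-authent": 10, "hw-authent": 11,
    "transited-policy-checked": 12, "ok-as-delegate": 13,
}

# Letters printed by MIT "klist -f", as documented in klist(1).
KLIST_LETTERS = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "may-postdate", "d": "postdated", "i": "invalid", "R": "renewable",
    "I": "initial", "A": "pre-authent", "H": "hw-authent",
    "T": "transited-policy-checked", "O": "ok-as-delegate",
}


def flags_from_klist(letters):
    """Turn a klist flag string such as 'FfRA' into a set of RFC 4120 flag names.
    Unknown letters are an error rather than silently ignored."""
    names = set()
    for ch in letters:
        if ch not in KLIST_LETTERS:
            raise ValueError("unknown klist flag letter: %r" % ch)
        names.add(KLIST_LETTERS[ch])
    return names


def flags_to_bits(names):
    """Encode flag names as a 32-bit word with RFC 4120 bit 0 as the MSB."""
    value = 0
    for name in names:
        value |= 1 << (31 - TICKET_FLAG_BITS[name])
    return value


def flags_from_bits(value):
    """Inverse of flags_to_bits: decode a 32-bit TicketFlags word into names."""
    return {name for name, bit in TICKET_FLAG_BITS.items()
            if value & (1 << (31 - bit))}


def mit_gssapi_delegates(ticket_flags, req_deleg, req_deleg_policy):
    """Initiator-side delegation decision as the thread describes MIT/Heimdal behaviour
    (a model of the rule, not a call into the real library):
      - GSS_C_DELEG_FLAG requested: credentials are delegated regardless of ok-as-delegate.
      - only GSS_C_DELEG_POLICY_FLAG requested: delegate only if the service ticket
        has ok-as-delegate set.
      - neither requested: no delegation."""
    if req_deleg:
        return True
    if req_deleg_policy:
        return "ok-as-delegate" in ticket_flags
    return False


if __name__ == "__main__":
    # Constructed inputs: the poster's "FfRA" ticket, and the same ticket after the
    # service account was marked trusted for delegation ("O" added).
    for letters in ("FfRA", "FfRAO"):
        flags = flags_from_klist(letters)
        print(letters, sorted(flags), hex(flags_to_bits(flags)))
        for deleg, policy in ((True, False), (False, True), (False, False)):
            print("  DELEG=%s DELEG_POLICY=%s -> delegates: %s"
                  % (deleg, policy, mit_gssapi_delegates(flags, deleg, policy)))
```

Run it as a script to see that the poster's FfRA ticket (no O) is still forwarded when the client asks for GSS_C_DELEG_FLAG, which is the MIT behaviour described in the thread, and is only refused under GSS_C_DELEG_POLICY_FLAG, the mode in which ok-as-delegate matters.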