P.S.: I posted the same question to Server Fault <https://serverfault.com/questions/882476/linux-ksu-kerberized-super-user-command-fails-to-use-cached-service-host-tic> but got no response.
Questions at the end.

*About my environment*

I have tried in two different environments: (i) a Linux Ubuntu 16.04 LTS server enrolled in an Active Directory (Microsoft) domain and (ii) a Linux Ubuntu 16.04 LTS server enrolled in a FreeIPA realm.

*What I would like to do*

I'm trying to use the *ksu* <http://web.mit.edu/Kerberos/krb5-latest/doc/user/user_commands/ksu.html> command to log in on the current host (*authdemo4.addemo.it*) as another user: *kservice*. In detail I'm trying (i) to obtain a service ticket for user *kservice* for the host *authdemo4.addemo.it*, (ii) to save the ticket in a MIT cache file */media/public/krb_kservice* and (iii) to provide this ticket to the *ksu* command in order to log in as *kservice*.

*It should be possible (?)*

The *ksu* MIT documentation states that using a service ticket from a cache file is possible; let me quote:

    Otherwise, ksu looks for an appropriate Kerberos ticket in the source cache. The ticket can either be for the end-server or a ticket granting ticket (TGT) for the target principal's realm. If the ticket for the end-server is already in the cache, it's decrypted and verified. If it's not in the cache but the TGT is, the TGT is used to obtain the ticket for the end-server. The end-server ticket is then verified.

*My experiments and results*

When using the TGT Kerberos ticket for *kservice*, it works like a charm:

    $ kinit -c /media/public/krb_kservice kservice
    Password for kserv...@addemo.it:
    $ ksu kservice -n kserv...@addemo.it -c FILE:/media/public/krb_kservice
    Authenticated kserv...@addemo.it
    Account kservice: authorization for kserv...@addemo.it successful
    Changing uid to kservice (50006)
    groups: cannot find name for group ID 50024
    kservice@authdemo4:/home/userlab$

This is the cache content; there is only the TGT:

    $ klist -c /media/public/krb_kservice
    Ticket cache: FILE:/media/public/krb_kservice
    Default principal: kserv...@addemo.it

    Valid starting       Expires              Service principal
    11/08/2017 11:44:07  11/08/2017 21:44:07  krbtgt/addemo...@addemo.it
            renew until 11/09/2017 11:44:03

When trying with the end-server Kerberos ticket (service ticket) it fails; *ksu* ignores the cached ticket and asks for the user password:

    $ kinit -S HOST/authdemo4.addemo...@addemo.it -c /media/public/krb_kservice kservice
    Password for kserv...@addemo.it:
    $ ksu kservice -n kserv...@addemo.it -c FILE:/media/public/krb_kservice
    WARNING: Your password may be exposed if you enter it here and are logged in remotely using an unsecure (non-encrypted) channel.
    Kerberos password for kserv...@addemo.it: :

This is the cache content; there is only the service ticket:

    $ klist -f -c /media/public/krb_kservice
    Ticket cache: FILE:/media/public/krb_kservice
    Default principal: kserv...@addemo.it

    Valid starting       Expires              Service principal
    11/08/2017 13:51:05  11/08/2017 23:51:05  HOST/authdemo4.addemo...@addemo.it
            renew until 11/09/2017 13:51:02, Flags: FPRIA

It is a proxiable, forwardable, renewable, initial, preauthenticated ticket.

In brief: *my attempt with the end-server service ticket doesn't work*.

*I have tried* to change the kinit request: I have changed the service principal name parts to uppercase/lowercase, with and without domain, HOST -> host, and so on, but *it keeps failing*.

I checked with Wireshark the *ksu* Kerberos requests to the DC in order to find differences from my requested service ticket. The service name is the same, "*HOST/authdemo4.addemo.it*"; *ksu* adds the *canonicalize* flag to the ticket request and asks the TGS for the ticket, while *kinit* sends the request to the AS :-(

*Questions*

They overlap a bit :-)

- Is there a way to populate a Kerberos cache file with a service ticket (for the host) that is compatible with *ksu*?
- I have read about the *kvno* <http://web.mit.edu/tsitkova/www/build/krb_users/user_commands/kvno.html> command but I have failed to use it; the documentation does not suffice (for me) and there are no usage examples around. Can you explain to me how to use it?
- Are there alternatives to the *kvno* command in order to perform service ticket requests to the TGS (and put the result into a cache file)?
- Am I doing something wrong? Any tip?

Regards

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
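The message asks how kvno is used. The script below is an added example, not part of the original post, that separates the two exchanges the Wireshark observation distinguishes: kinit performs the AS exchange and stores a TGT in a named credential cache, and kvno then performs the TGS exchange for the host service principal and stores the resulting ticket in that same cache (MIT kvno takes the cache with -c). The realm ADDEMO.IT, the principal kservice@ADDEMO.IT, the host name and the cache path are placeholders assumed from the post; the klist parsing helpers are my own, and the klist listing used in the test is constructed. Whether ksu then accepts the ticket obtained this way is something to verify on the actual host; the script only shows how the ticket is requested and how to confirm it landed in the cache.

```shell
#!/bin/sh
# Added example (not from the original post): get a TGT into a separate
# credential cache, then ask the TGS for the host service ticket with kvno
# so that it lands in the same cache, and confirm what the cache holds.
#
# All identifiers below are placeholders assumed from the post's environment;
# override them via the environment before running.
REALM="${REALM:-ADDEMO.IT}"
PRINC="${PRINC:-kservice@$REALM}"
HOSTFQDN="${HOSTFQDN:-authdemo4.addemo.it}"
CCACHE="${CCACHE:-FILE:/media/public/krb_kservice}"

# Service principal name for the host, in the usual host/<fqdn>@<REALM> form.
host_service_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# Print the service principal of every ticket line in a klist(1) listing
# read from stdin. Ticket lines have five whitespace-separated fields
# (two timestamps plus the principal); the column header, "Ticket cache:",
# "Default principal:" and "renew until ..." lines are skipped.
ccache_services() {
    awk 'NF >= 5 && $1 != "renew" && $5 ~ /\// { print $5 }'
}

# Succeed if the klist listing on stdin contains a ticket for $1.
# The comparison is case-insensitive, so a ticket stored as
# HOST/... still matches a request made as host/....
ccache_has_service() {
    ccache_services | grep -Fxiq "$1"
}

# AS exchange (kinit) followed by TGS exchange (kvno) into the same cache,
# then a check that the cache now holds the host service ticket.
fetch_host_ticket() {
    svc=$(host_service_principal "$HOSTFQDN" "$REALM")
    kinit -c "$CCACHE" "$PRINC" || return 1   # TGT into the cache (AS exchange)
    kvno -c "$CCACHE" "$svc" || return 1      # service ticket via the TGS
    klist -f -c "$CCACHE" | ccache_has_service "$svc"
}

# Only contact the KDC when explicitly asked, so the helpers above can be
# sourced or tested without a Kerberos environment.
case "${1:-}" in
    run) fetch_host_ticket ;;
esac
```

Run it as `sh fetch_host_ticket.sh run` on the enrolled host to perform the real exchanges; without the argument it only defines the functions, so the klist parsing can be exercised offline on a saved listing.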