Open dariusan opened 6 years ago
I suppose you are talking about S4U2Proxy there, right? I think what that would need is the ability to pass your impersonated GSSCredential down to the authentication context.
Yes, the existing jcifs-ng code already works with "unconstrained delegation", since it can access ticket granting tickets (tgt). Java 8 and above also support "constrained delegation", where no "tgt" are given to the service anymore. I have an ugly but working patch of Kerb5Context where I add the GSSCredential when creating a GSSContext, and jcifs-ng can access file shares successfully with "constrained delegation", i.e. impersonated users.
It would be nice to have this enhancement through library support for Kerberos S4U2Self and S4U2Proxy.
@dariusan I am trying to achieve S4U2Proxy. I tried multiple approaches but had no luck, ending up with all kinds of errors.
KrbException: KDC cannot accommodate requested option (13)
at java.security.jgss/sun.security.krb5.KrbTgsRep.
If feasible, can you please share the patch to fix the constrained delegation issue?
Happy to incorporate the necessary changes, if someone can share the details on what information needs to be passed down and which GSSAPI calls are required.
There seem to be problems regarding "constrained" ticket delegation resulting in an error: "No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)" whereas everything works fine with "unconstrained" ticket delegation. Is there a fix?
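The JDK GSS-API calls for the constrained delegation flow discussed in this thread (S4U2Self via `ExtendedGSSCredential.impersonate`, then handing the impersonated credential to `createContext`), as an added example that is not part of the original thread, the patch mentioned in it, or jcifs-ng. The JAAS entry name, user principal and target SPN are assumptions, and running it requires a KDC and a keytab for the service account.

```java
import com.sun.security.jgss.ExtendedGSSCredential;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import java.security.PrivilegedExceptionAction;

public class S4uDelegationExample {
    // All three values are assumptions for illustration.
    static final String JAAS_ENTRY = "service";                  // JAAS entry using Krb5LoginModule with the service keytab
    static final String USER = "alice@EXAMPLE.COM";              // user the service acts on behalf of
    static final String TARGET = "cifs@fileserver.example.com";  // back-end service in host-based form

    public static void main(String[] args) throws Exception {
        // 1. The middle-tier service logs in as itself (its own keys, its own TGT).
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();

        // Subject.doAs is the Java 8 era call; newer JDKs offer Subject.callAs.
        byte[] token = Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<byte[]>) () -> {
            Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
            GSSManager mgr = GSSManager.getInstance();
            GSSCredential self = mgr.createCredential(
                    null, GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);

            // 2. S4U2Self: obtain a credential for the user without the user's TGT or password.
            GSSName user = mgr.createName(USER, GSSName.NT_USER_NAME);
            GSSCredential impersonated = ((ExtendedGSSCredential) self).impersonate(user);

            // 3. Pass the impersonated credential into the context instead of the default one.
            //    The first initSecContext call makes the JDK request the service ticket (S4U2Proxy).
            GSSName target = mgr.createName(TARGET, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = mgr.createContext(
                    target, krb5, impersonated, GSSContext.DEFAULT_LIFETIME);
            return ctx.initSecContext(new byte[0], 0, 0);
        });

        System.out.println("Initial token for " + TARGET + " as " + USER + ": " + token.length + " bytes");
    }
}
```

On the KDC side, the service account must be permitted to delegate to the target SPN, and the ticket obtained through S4U2Self must be forwardable for the S4U2Proxy request to be accepted.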