0

I am trying to get the krb5 service ticket for the cifs server using the below code. I am able to get the intial creds for the smb user. But when I try to get the cifs service ticket for the smb server, I am getting error PRINCIPAL_UNKNOWN error. In the packet trace, I noticed that TGS_REQ is sent with sname "krbtgt\cifs_server_name.domain_name" instead of cifs\cifs_server_name.domain_name. I am not sure what mistake I am making.. I constructed the service principal correctly( line 12-14) Not sure why TGS-REQ is send with sname krbtgt instead.

                    krb5_creds credentials;
                    krb5_creds* service_credentials;
                    krb5_principal user_principal = NULL;
                    krb5_principal service_principal = NULL;
                    krb5_ccache ccache;
                    krb5_get_init_creds_opt *options;
                    memset(&credentials, 0, sizeof(credentials));

                    char buf[100];
                    sprintf(buf, "%s@%s", smb2->user, smb2->domain);

                    ret = krb5_parse_name(context, buf, &user_principal);

                    sprintf(buf, "%s@%s", "cifs", smb2->target_name);
                    fprintf(stderr, "buff %s\n", buf);

                    ret = krb5_parse_name(context, buf, &service_principal);
                     if (ret != 0) {
                            fprintf(stderr, "krb5_parse_name %d\n", ret );
                            exit(-1);
                     }
                    ret = krb5_cc_default(context, &ccache);
                    if (ret != 0) {
                            fprintf(stderr, "krb5_parse_name %d\n", ret );
                            exit(-1);
                     }

                    ret = krb5_cc_initialize (context, ccache, user_principal);
                    if (ret != 0) {
                            fprintf(stderr, "krb5_cc_initialize %d\n", ret );
                            exit(-1);
                    }

                    ret = krb5_get_init_creds_opt_alloc(context, &options);
                    if (ret != 0) {
                            fprintf(stderr, "krb5_get_init_creds_opt_alloc %d\n", ret );
                            exit(-1);
                    }

                    ret = krb5_get_init_creds_opt_set_out_ccache(context, options, ccache);
                    if (ret != 0) {
                            fprintf(stderr, "krb5_get_init_creds_opt_set_out_ccache %d\n", ret );
                            exit(-1);
                    }

                    // Gets the realm name for the hostname
                    ret = krb5_get_init_creds_password(context, &credentials, user_principal,
                                                       smb2->password, NULL,
                                                       NULL, 0, NULL, options);
                    fprintf(stderr, "krb5_get_init_creds_password %d\n", ret);
                     if (ret != 0) {
                            fprintf(stderr, "krb5_get_init_creds_password %d\n", ret );
                            //exit(-1);
                     }

                    credentials.server = service_principal;
                    credentials.client = user_principal;
                    // krb5_tkt_creds_init(context, ccache, credentials, options, &)
                    ret = krb5_get_credentials(context, 0, ccache, &credentials, &service_credentials);
                     if (ret != 0) {
                            fprintf(stderr, "krb5_get_credentials %d\n", ret );
                            exit(-1);
                     }

                    fprintf(stderr, "----------------------------------------------------------krb5_get_credentials %d----------------------------------------------------------\n", ret);

Please help to resolve this issue.

Thanks

suresh
  • 4,084
  • 10
  • 44
  • 59

1 Answers1

1

I found the problem after trial and error method. service principle should be cifs/cifs_server_name.domain_name not cifs@cifs_server_name.domain_name. Only user principle should be user@domain_name. After editing the below line, krb5_get_credentials() was able to get service ticket/

sprintf(buf, "%s/%s", "cifs", smb2->target_name);
suresh
  • 4,084
  • 10
  • 44
  • 59
  • `cifs@server_name` would actually be correct if you were dealing with GSSAPI, as that's the syntax of GSS_C_NT_HOSTBASED_SERVICE names, which internally get converted to `cifs/server_name@REALM` for Kerberos. (And generally you _should_ just use GSSAPI and let it automatically acquire the service tickets it needs, instead of doing it by hand via krb5_get_credentials…) – user1686 Aug 03 '22 at 12:27