From unknown Tue May 05 13:11:44 2026
X-Loop: owner@bugs.x2go.org
Subject: Bug#739: Kerberos credential delegation on Windows
Reply-To: Frank Lenaerts <frank.lenaerts@sckcen.be>, 739@bugs.x2go.org
Resent-From: Frank Lenaerts <frank.lenaerts@sckcen.be>
Resent-To: x2go-dev@lists.x2go.org
Resent-CC: X2Go Developers <x2go-dev@lists.x2go.org>
Resent-Date: Mon, 19 Aug 2019 14:30:02 +0000
Resent-Message-ID: <handler.739.B739.15662249307141@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 739
X-X2Go-PR-Package: x2goclient
X-X2Go-PR-Keywords: build-win32
References: <CAMKht8jhKMP-vTccJfDhA8Uu2P08_VRNdV3r5n2Gpr8R4zETVg@mail.gmail.com>
Date: Mon, 19 Aug 2019 16:28:43 +0200
From: Frank Lenaerts <frank.lenaerts@sckcen.be>
To: <739@bugs.x2go.org>
Message-ID: <20190819142843.g4tjhukdz7pku2pm@pc5424-v2.sck.be>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline

Hi

I also encountered this issue and found out that Windows' GSSAPI
library checks if the target server can be trusted before delegating
tickets to it. If you trust the target system, tickets can be
forwarded to it and things work as expected. Note that ssh(1) on Linux
doesn't do this check; in other words, using ssh(1)'s -K option just works.

To configure this:

"AD Users and Computers" > search the target host > properties >
Delegation tab > Trust...

-- 
Kind regards

Frank Lenaerts
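
Added example, not part of the original message or of X2Go: a read-only PowerShell check of the delegation setting that the "Delegation" tab edits on the target host's computer account. It assumes the ActiveDirectory module (RSAT) is installed; the function name Get-HostDelegationMode and the host name x2goserver01 are placeholders.

```powershell
# Read-only: reports how the target host's AD computer account is set up
# for Kerberos delegation. Nothing is modified.
Import-Module ActiveDirectory

function Get-HostDelegationMode {
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName   # placeholder, e.g. 'x2goserver01'
    )

    $c = Get-ADComputer -Identity $ComputerName -Properties `
        TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

    # SPNs listed for "specified services only"; empty when the attribute is unset.
    $spns = @($c.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    $mode = if ($c.TrustedForDelegation) {
        # userAccountControl bit TRUSTED_FOR_DELEGATION is set.
        'Trusted for delegation to any service (unconstrained)'
    } elseif ($spns.Count -gt 0) {
        'Trusted for delegation to specified services only (constrained)'
    } else {
        'Not trusted for delegation'
    }

    [pscustomobject]@{
        Host                 = $c.DNSHostName
        Mode                 = $mode
        ProtocolTransition   = [bool]$c.TrustedToAuthForDelegation
        AllowedToDelegateTo  = $spns
    }
}

# Check the host the client connects to.
Get-HostDelegationMode -ComputerName 'x2goserver01'

# Inventory every computer account that accepts delegated tickets for any
# service, so the set of hosts able to receive forwarded TGTs stays known.
Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
    Select-Object Name, DNSHostName

# On the Windows client, after connecting, the service ticket for the host
# can be inspected with:  klist
# The "Ticket Flags" line lists ok_as_delegate when the KDC marked the
# service as trusted for delegation.
```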
