X2Go Bug report logs - #739
Kerberos cred delegation fails on Windows

version graph

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Michael DePaulo <mikedep333@gmail.com>

Date: Sun, 11 Jan 2015 17:20:02 UTC

Severity: normal

Tags: build-win32

Found in version 4.0.3.1

Full log

🔗 View this message in rfc822 format

X-Loop: owner@bugs.x2go.org
Subject: Bug#739: Kerberos credential delegation on Windows
Reply-To: Frank Lenaerts <frank.lenaerts@sckcen.be>, 739@bugs.x2go.org
Resent-From: Frank Lenaerts <frank.lenaerts@sckcen.be>
Resent-To: x2go-dev@lists.x2go.org
Resent-CC: X2Go Developers <x2go-dev@lists.x2go.org>
X-Loop: owner@bugs.x2go.org
Resent-Date: Mon, 19 Aug 2019 14:30:02 +0000
Resent-Message-ID: <handler.739.B739.15662249307141@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 739
X-X2Go-PR-Package: x2goclient
X-X2Go-PR-Keywords: build-win32
References: <CAMKht8jhKMP-vTccJfDhA8Uu2P08_VRNdV3r5n2Gpr8R4zETVg@mail.gmail.com>
Received: via spool by 739-submit@bugs.x2go.org id=B739.15662249307141
          (code B ref 739); Mon, 19 Aug 2019 14:30:02 +0000
Received: (at 739) by bugs.x2go.org; 19 Aug 2019 14:28:50 +0000
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=3.0 tests=BAYES_00,SPF_HELO_PASS
	autolearn=ham autolearn_force=no version=3.4.2
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-ve1eur01on071f.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe1f::71f])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id B50305DAC1
	for <739@bugs.x2go.org>; Mon, 19 Aug 2019 16:28:48 +0200 (CEST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=H03fktL4cAkwo1/6aNj7M/E9xnPdukoHaCp2GFruRbrs6X2nUkoWaghb4Cjs+p4h1hVNw49DDh2ttYRYXOC/vNcD6TdgWfKELZCFwx9353g4VbPRvN3bhqw7DeXiI58ojaO2/zFZm1lCCdYhq7uBf5IGDjEhVEQ+oEsuftacfDH01NeTTF5Zs6us2RRJERTn3ae3HBT00DyIBCKV3jAZPnYgM5sEQsECT4QZg8Fix116qJpLjpW4joRiLx7mzOoy7VlLYbfHvZll+o/9mLMjEU5fPsiRrYIfLbt9EXFwKB0XRaXMZ2AnL3S4CRNuYTawKeFjrVuMcopRoKrL8N2HTg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=7NvhH8nibQkWQ7AKmEWxQ9O3JZgzx7G15nUihQcPgts=;
 b=Kwhfwpofn3R+ItqTkh/0Xh7ywwuvQPOhC+y7h+N9YBAqwJdTthrt6BUr/bDXmXVwtY9sHDjob+WVKjIko8lTaAoDUZTJn2tu0GJQNlrf6if4dhbXm8lgmmWZaxdNqOeMLcFV1skOCazW/PHNzoYuAd9TAz/dG8roTwHxb5/7tc7ig5Qr6sG/UeG2IyjEBWqSmhl5oTLxx7/25JIjA/Uqc/i+2QA5IZt3yX7YJ5DIKolCLYm5VAKsM74VK9AUqzAoq2APk7ElbZVV1YSQXpDjrqeFl9ShDrEDHluwlgTkGhmzmvFT1zZgljQEmIGV+6pHfguOvCxyxTcHyBMyJlQGcg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
 193.190.140.222) smtp.rcpttodomain=bugs.x2go.org smtp.mailfrom=sckcen.be;
 dmarc=bestguesspass action=none header.from=sckcen.be; dkim=none (message not
 signed); arc=none
Received: from VE1EUR01FT055.eop-EUR01.prod.protection.outlook.com
 (10.152.2.55) by VE1EUR01HT083.eop-EUR01.prod.protection.outlook.com
 (10.152.3.62) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2178.16; Mon, 19 Aug
 2019 14:28:47 +0000
Authentication-Results: spf=pass (sender IP is 193.190.140.222)
 smtp.mailfrom=sckcen.be; bugs.x2go.org; dkim=none (message not signed)
 header.d=none;bugs.x2go.org; dmarc=bestguesspass action=none
 header.from=sckcen.be;
Received-SPF: Pass (protection.outlook.com: domain of sckcen.be designates
 193.190.140.222 as permitted sender) receiver=protection.outlook.com;
 client-ip=193.190.140.222; helo=mail.sckcen.be;
Received: from mail.sckcen.be (193.190.140.222) by
 VE1EUR01FT055.mail.protection.outlook.com (10.152.3.104) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id
 15.20.2178.16 via Frontend Transport; Mon, 19 Aug 2019 14:28:46 +0000
Received: from pc5424-v2.sck.be (10.0.6.24) by mailsrv4.sck.be
 (193.190.140.222) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1531.3; Mon, 19
 Aug 2019 16:28:45 +0200
Date: Mon, 19 Aug 2019 16:28:43 +0200
From: Frank Lenaerts <frank.lenaerts@sckcen.be>
To: <739@bugs.x2go.org>
Message-ID: <20190819142843.g4tjhukdz7pku2pm@pc5424-v2.sck.be>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
X-Originating-IP: [10.0.6.24]
X-ClientProxiedBy: mailsrv4.sck.be (193.190.140.222) To mailsrv4.sck.be
 (193.190.140.222)
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report:
	CIP:193.190.140.222;IPV:NLI;CTRY:BE;EFV:NLI;SFV:NSPM;SFS:(10019020)(39850400004)(376002)(396003)(346002)(136003)(2980300002)(189003)(199004)(22746008)(70206006)(106002)(16586007)(50466002)(81166006)(46406003)(9686003)(386003)(81156014)(8936002)(23726003)(2906002)(53416004)(8676002)(7736002)(44832011)(486006)(126002)(3846002)(6116002)(26005)(1076003)(186003)(356004)(5660300002)(70586007)(36756003)(4744005)(47776003)(86362001)(316002)(97756001)(53936002)(2351001)(22756006)(55016002)(6916009)(7696005)(305945005)(478600001)(476003)(336012)(16526019);DIR:OUT;SFP:1102;SCL:1;SRVR:VE1EUR01HT083;H:mail.sckcen.be;FPR:;SPF:Pass;LANG:en;PTR:InfoDomainNonexistent;MX:1;A:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 1665dc19-82b3-4e0e-6bdb-08d724b18bd2
X-Microsoft-Antispam:
	BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(8989299)(5600148)(711020)(4605104)(4709080)(1401327)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020);SRVR:VE1EUR01HT083;
X-MS-TrafficTypeDiagnostic: VE1EUR01HT083:
X-Microsoft-Antispam-PRVS:
	<VE1EUR01HT0834ADBB51CD1228079DD3688A80@VE1EUR01HT083.eop-EUR01.prod.protection.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:8273;
X-Forefront-PRVS: 0134AD334F
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info:
	jsh6ShOatebGaQSZXHmr4Db+qHhoGWJWFVYonfM//tFC42a5ZlDJ1CBFFXcmuXf+AiPzT+5/dsbGaREYaJdQyWLnaJJQj1b3zFs7kHsNNnZ/enQHrxNF0nAciuP6F98tIRxNFNkencgZPr5qW10uw3MnK4SykrVFar0Z9W8iqVMjSCujafqfvGW6dhwJwgU8qgTVypuqCC9FzbD/aebQsj4a0tXxW7XZwin8scKWNHknb+JuWajOCCIi5hVRz2i3DjaBokop6/rIXzCq0qbqHp8bjyMm7buP6I38qu5oS7xF90ZNtYeu1HNjD+h2xdMB0JXhsP0l89m7ySyYpO+88ZIMhOyrRPjiAEJoUdW6njwsA8YcDoQuwGuMHYkMnzRBbTUWfvVA2KveRdwCxYd5qjN61PxWeNMnpY538K/ltYI=
X-OriginatorOrg: sckcen.be
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Aug 2019 14:28:46.8588
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 1665dc19-82b3-4e0e-6bdb-08d724b18bd2
X-MS-Exchange-CrossTenant-Id: 2f885e27-9e8b-4e12-bf50-1768b073bc54
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=2f885e27-9e8b-4e12-bf50-1768b073bc54;Ip=[193.190.140.222];Helo=[mail.sckcen.be]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VE1EUR01HT083

Hi

I also encountered this issue and found out that Windows' GSSAPI
library checks if the target server can be trusted before delegating
tickets to it. If you trust the target system, tickets can be
forwarded to it and things work as expected. Note that ssh(1) on Linux
doesn't do this check i.o.w. using ssh(1)'s -K option just works.

To configure this:

"AD Users and Computers" > search the target host > properties >
Delegation tab > Trust...

-- 
Kind regards

Frank Lenaerts

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Apr 25 10:20:22 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.