Fix TGS req realm from user realm to server realm #46

Open. Wants to merge 1 commit into base: main
Conversation

CravateRouge
Contributor

When trying to perform authentication, I had the following error:

  File "/home/silver/.local/lib/python3.11/site-packages/minikerberos/aioclient.py", line 801, in get_referral_ticket
    tgs, encpart, key = await self.get_TGS(crossrealm_spn)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/silver/.local/lib/python3.11/site-packages/minikerberos/aioclient.py", line 447, in get_TGS
    raise KerberosError(rep, 'get_TGS failed!')
minikerberos.protocol.errors.KerberosError: get_TGS failed! Error Name: KDC_ERR_WRONG_REALM Detail: "Incorrect domain or principal" 

I was trying to perform cross-realm authentication from a user named TREE2.LAB\johnny to the service ldap/dc1.outsider.lab. There was an inter-forest trust between TREE2.LAB and BLOODY.CORP and a forest trust from BLOODY.CORP to OUTSIDER.LAB.

TREE2.LAB\johnny was able to query a referral ticket krbtgt/[email protected] from dctree1.tree2.lab, but then the error happened when trying to request a referral ticket for OUTSIDER.LAB from main.bloody.corp, because it was requesting krbtgt/[email protected] instead of krbtgt/[email protected].
Indeed, you can see in `get_TGS` that the TGS-REQ realm is set to the user realm (so TREE2.LAB in our case, as we are using TREE2.LAB\johnny) instead of the server one, BLOODY.CORP.

To remediate this, I took the REALM of the server from the TGT retrieved before.

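The referral chain described in the PR, as an added example that is not minikerberos code and not this PR's patch. It simulates one KDC per realm and walks the same three-hop path (TREE2.LAB, then BLOODY.CORP, then OUTSIDER.LAB) twice: once filling the TGS-REQ req-body `realm` with the user's realm, which reproduces KDC_ERR_WRONG_REALM at the second hop, and once with the realm of the KDC the presented TGT is for, which completes the chain. The topology, hostnames, principal names, the `spn_realm` host-suffix convention and the `trusted`/`routes` tables are constructed from the PR description; the `kdc_realm` property is one reading of "the REALM of the server from the TGT", not the PR's code.

```python
"""Simulated Kerberos cross-realm referral chain (added example).

Not minikerberos code and not the PR's patch.  Realms, trusts, hostnames and
principal names are constructed to mirror the PR description.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple, Union

# Error codes from RFC 4120 section 7.5.9
KDC_ERR_S_PRINCIPAL_UNKNOWN = 7
KRB_ERR_GENERIC = 60
KDC_ERR_WRONG_REALM = 68


@dataclass(frozen=True)
class Ticket:
    """Minimal Ticket (RFC 4120 section 5.3): sname plus the realm that issued it."""
    sname: str   # e.g. "krbtgt/BLOODY.CORP" or "ldap/dc1.outsider.lab"
    realm: str   # issuing realm: krbtgt/BLOODY.CORP@TREE2.LAB has realm TREE2.LAB
    cname: str
    crealm: str

    @property
    def kdc_realm(self) -> str:
        """Realm whose KDC holds the key for this TGT: the krbtgt instance component."""
        svc, _, inst = self.sname.partition("/")
        return inst if svc == "krbtgt" else self.realm


@dataclass(frozen=True)
class KrbError:
    code: int
    detail: str


def spn_realm(spn: str) -> str:
    """Constructed convention: the service realm is the SPN host's DNS suffix."""
    host = spn.split("/", 1)[1]
    return host.split(".", 1)[1].upper()


class KDC:
    """One realm's KDC: its inter-realm keys and the next hop toward each known realm."""

    def __init__(self, realm: str, trusted: Set[str], routes: Dict[str, str]):
        self.realm = realm
        self.trusted = trusted   # realms it shares an inter-realm key with
        self.routes = routes     # target realm -> realm named in the referral TGT

    def handle_tgs_req(self, req_realm: str, tgt: Ticket, spn: str) -> Union[Ticket, KrbError]:
        # The req-body realm must name this KDC; this is the check the PR ran into.
        if req_realm != self.realm:
            return KrbError(KDC_ERR_WRONG_REALM, f"{self.realm} KDC got realm {req_realm}")
        # The presented TGT must be decryptable here: issued by us or by a trusted realm.
        if tgt.kdc_realm != self.realm or tgt.realm not in self.trusted | {self.realm}:
            return KrbError(KDC_ERR_S_PRINCIPAL_UNKNOWN, f"cannot use {tgt.sname}@{tgt.realm}")
        target = spn_realm(spn)
        if target == self.realm:
            return Ticket(spn, self.realm, tgt.cname, tgt.crealm)          # service ticket
        if target in self.routes:
            return Ticket(f"krbtgt/{self.routes[target]}", self.realm,      # referral TGT
                          tgt.cname, tgt.crealm)
        return KrbError(KDC_ERR_S_PRINCIPAL_UNKNOWN, f"{self.realm} has no route to {target}")


RealmPolicy = Callable[[str, Ticket], str]


def user_realm(client_realm: str, tgt: Ticket) -> str:
    """Behaviour the PR reports: req-body realm is always the user's realm."""
    return client_realm


def tgt_kdc_realm(client_realm: str, tgt: Ticket) -> str:
    """Fix as modelled here: req-body realm is the realm of the KDC the TGT is for."""
    return tgt.kdc_realm


def get_tgs(kdcs: Dict[str, KDC], client_realm: str, tgt: Ticket, spn: str,
            policy: RealmPolicy, max_hops: int = 8) -> Tuple[Union[Ticket, KrbError], List[str]]:
    """Follow referral TGTs until a ticket for `spn` is issued or a KDC returns an error.
    Returns the final reply and the tickets obtained along the way."""
    path: List[str] = []
    for _ in range(max_hops):
        rep = kdcs[tgt.kdc_realm].handle_tgs_req(policy(client_realm, tgt), tgt, spn)
        if isinstance(rep, KrbError):
            return rep, path
        path.append(f"{rep.sname}@{rep.realm}")
        if rep.sname == spn:
            return rep, path
        tgt = rep    # referral: present it to the next KDC
    return KrbError(KRB_ERR_GENERIC, "referral loop"), path


# Constructed topology from the PR: TREE2.LAB <-> BLOODY.CORP <-> OUTSIDER.LAB
KDCS = {
    "TREE2.LAB": KDC("TREE2.LAB", {"BLOODY.CORP"},
                     {"BLOODY.CORP": "BLOODY.CORP", "OUTSIDER.LAB": "BLOODY.CORP"}),
    "BLOODY.CORP": KDC("BLOODY.CORP", {"TREE2.LAB", "OUTSIDER.LAB"},
                       {"TREE2.LAB": "TREE2.LAB", "OUTSIDER.LAB": "OUTSIDER.LAB"}),
    "OUTSIDER.LAB": KDC("OUTSIDER.LAB", {"BLOODY.CORP"}, {"BLOODY.CORP": "BLOODY.CORP"}),
}
JOHNNY_TGT = Ticket("krbtgt/TREE2.LAB", "TREE2.LAB", "johnny", "TREE2.LAB")
TARGET_SPN = "ldap/dc1.outsider.lab"


def run(policy: RealmPolicy, spn: str = TARGET_SPN):
    return get_tgs(KDCS, "TREE2.LAB", JOHNNY_TGT, spn, policy)


if __name__ == "__main__":
    for name, policy in (("user realm", user_realm), ("TGT KDC realm", tgt_kdc_realm)):
        result, path = run(policy)
        print(f"{name}: {path} -> {result}")
```

Running it shows the first policy stopping after `krbtgt/BLOODY.CORP@TREE2.LAB` with error 68 from the BLOODY.CORP KDC, and the second continuing through `krbtgt/OUTSIDER.LAB@BLOODY.CORP` to a service ticket. For a service in the user's own realm both policies produce the same request, which is why the bug only surfaces once a referral crosses a trust.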