Description
I understand the strict=False mode, which can be very convenient in get_tgs to use a TGS ticket even if the name is wrong but the ticket is actually valid for the target:
minikerberos/minikerberos/common/ccache.py, line 642 in 45d701f:
def get_tgs(self, spn:KerberosSPN, strict:bool=False):
However, it shouldn't be called in core functions without being able to provide a strict=True option, such as in tgs_from_ccache, called by get_TGS:
minikerberos/minikerberos/aioclient.py, line 390 in 45d701f:
tgs, keystruct, err = self.ccache.get_tgs(spn_user)
This leads to not being able to use a ccache with other TGS entries even if there is a valid TGT inside. Here is an example to illustrate:
$ klist MAIN.bloody.corp.ccache
Ticket cache: FILE:MAIN.bloody.corp.ccache
Default principal: jane@TREE2.LAB
Valid starting Expires Service principal
11/30/2024 07:46:56 11/30/2024 17:46:56 krbtgt/TREE2.LAB@TREE2.LAB
11/30/2024 07:46:56 11/30/2024 17:46:56 ldap/dctree1.tree2.lab@TREE2.LAB
$ python3 msldapclient.py -v 'ldap+kerberos-ccache://tree2.lab\jane:MAIN.bloody.corp.ccache@MAIN.bloody.corp/?serverip=192.168.100.3&dc=192.168.100.4&dcc=192.168.100.3&realmc=bloody.corp' 'login'
2024-11-30 07:52:08,039 msldap DEBUG ==== UniCredential ====
domain: tree2.lab
username: jane
secret: MAIN.bloody.corp.ccache
stype: CCACHE
protocol: KERBEROS
subprotocol: <asyauth.common.subprotocols.native.SubProtocolNative object at 0x7f19efddd910>
etypes: [23, 17, 18]
altname: None
altdomain: None
target: ==== UniTarget ====
hostname: None
port: 88
protocol: UniProto.CLIENT_TCP
timeout: 5
ssl_ctx: None
dc_ip: 192.168.100.4
domain: None
dns: None
use_privileged_source_port: False
proxies: []
ip: 192.168.100.4
certdata: None
keydata: None
cross_target: ==== UniTarget ====
hostname: None
port: 88
protocol: UniProto.CLIENT_TCP
timeout: 5
ssl_ctx: None
dc_ip: 192.168.100.3
domain: None
dns: None
use_privileged_source_port: False
proxies: []
ip: 192.168.100.3
cross_realm: bloody.corp
dh_params: {'p': 179769313486231590770839156793787453197860296048756011706444423684197180216158519368947833795864925541502180565485980503646440548199239100050792877003355816639229553136239076508735759914822574862575007425302077447712589550957937778424442426617334727629299387668709205606050270810842907692932019128194467627007, 'g': 2}
2024-11-30 07:52:08,039 msldap DEBUG ==== MSLDAPTarget ====
hostname: main.bloody.corp
port: 389
protocol: UniProto.CLIENT_TCP
timeout: 5
ssl_ctx: None
dc_ip: 192.168.100.4
domain: tree2.lab
dns: None
use_privileged_source_port: False
proxies: []
ip: 192.168.100.3
tree: None
ldap_query_page_size: 1000
ldap_query_ratelimit: 0
2024-11-30 07:52:08,056 msldap DEBUG Connecting!
2024-11-30 07:52:08,062 msldap DEBUG Connection succsessful!
2024-11-30 07:52:08,063 msldap DEBUG BIND in progress...
2024-11-30 07:52:08,064 asyauth.kerberos DEBUG Flags: 48
2024-11-30 07:52:08,064 asyauth.kerberos DEBUG SPN: ldap/main.bloody.corp@tree2.lab
2024-11-30 07:52:08,064 asyauth.kerberos DEBUG CCACHE SPN record: krbtgt/TREE2.LAB@TREE2.LAB
2024-11-30 07:52:08,065 asyauth.kerberos DEBUG CCACHE SPN record: ldap/dctree1.tree2.lab@TREE2.LAB
silver@debianos:/mnt/hgfs/bloodyAD-dev$ cd /mnt/hgfs/bloodyAD-dev ; /usr/bin/env /bin/python3 /home/silver/.vscode/extensions/ms-python.debugpy-2024.12.0-linux-x64/bundled/libs/debugpy/adapter/../../debugpy/launcher 34279 -- /home/silver/.local/lib/python3.11/site-packages/msldap/examples/msldapclient.py -v 'ldap+kerberos-ccache://bloody.corp\jane:MAIN.bloody.corp.ccache@MAIN.bloody.corp/?serverip=192.168.100.3&dc=192.168.100.4&dcc=192.168.100.3&realmc=bloody.corp' 'login'
2024-11-30 07:54:36,182 msldap DEBUG ==== UniCredential ====
domain: bloody.corp
username: jane
secret: MAIN.bloody.corp.ccache
stype: CCACHE
protocol: KERBEROS
subprotocol: <asyauth.common.subprotocols.native.SubProtocolNative object at 0x7f3bb24f99d0>
etypes: [23, 17, 18]
altname: None
altdomain: None
target: ==== UniTarget ====
hostname: None
port: 88
protocol: UniProto.CLIENT_TCP
timeout: 5
ssl_ctx: None
dc_ip: 192.168.100.4
domain: None
dns: None
use_privileged_source_port: False
proxies: []
ip: 192.168.100.4
certdata: None
keydata: None
cross_target: ==== UniTarget ====
hostname: None
port: 88
protocol: UniProto.CLIENT_TCP
timeout: 5
ssl_ctx: None
dc_ip: 192.168.100.3
domain: None
dns: None
use_privileged_source_port: False
proxies: []
ip: 192.168.100.3
cross_realm: bloody.corp
dh_params: {'p': 179769313486231590770839156793787453197860296048756011706444423684197180216158519368947833795864925541502180565485980503646440548199239100050792877003355816639229553136239076508735759914822574862575007425302077447712589550957937778424442426617334727629299387668709205606050270810842907692932019128194467627007, 'g': 2}
2024-11-30 07:54:36,183 msldap DEBUG ==== MSLDAPTarget ====
hostname: main.bloody.corp
port: 389
protocol: UniProto.CLIENT_TCP
timeout: 5
ssl_ctx: None
dc_ip: 192.168.100.4
domain: bloody.corp
dns: None
use_privileged_source_port: False
proxies: []
ip: 192.168.100.3
tree: None
ldap_query_page_size: 1000
ldap_query_ratelimit: 0
2024-11-30 07:54:36,197 msldap DEBUG Connecting!
2024-11-30 07:54:36,201 msldap DEBUG Connection succsessful!
2024-11-30 07:54:36,201 msldap DEBUG BIND in progress...
2024-11-30 07:54:36,202 asyauth.kerberos DEBUG Flags: 48
2024-11-30 07:54:36,202 asyauth.kerberos DEBUG SPN: ldap/main.bloody.corp@bloody.corp
2024-11-30 07:54:36,202 asyauth.kerberos DEBUG CCACHE SPN record: krbtgt/TREE2.LAB@TREE2.LAB
2024-11-30 07:54:36,202 asyauth.kerberos DEBUG CCACHE SPN record: ldap/dctree1.tree2.lab@TREE2.LAB
2024-11-30 07:55:41,256 asyauth.kerberos DEBUG Got TGS from CCACHE!
2024-11-30 07:55:41,256 asyauth.kerberos DEBUG TGS: OrderedDict([('pvno', 5), ('msg-type', 11), ('padata', None), ('crealm', 'TREE2.LAB'), ('cname', OrderedDict([('name-type', 1), ('name-string', ['jane'])])), ('ticket', OrderedDict([('tkt-vno', 5), ('realm', 'TREE2.LAB'), ('sname', OrderedDict([('name-type', 2), ('name-string', ['ldap', 'dctree1.tree2.lab'])])), ('enc-part', OrderedDict([('etype', 18), ('kvno', 3), ('cipher', b'\xc5\x88\xfc\xc8\xc0\xf3%\x1a\xf0\x94\xe0\xa5\xd3\x88\'\x12\xedC\x15z2!\x8d&\xfd5\x90\xa5\x1cF \x14)bm\xe61\x014\x12\x97\xfbD`>\x1a\xe6\xe1Il\x85\xad\xdeT\xc6.\x12\xbfRK&\x9cJ5\xf0l\xca\xbe\xa1\x82\xec\xb4\x8dW\xa8\xe5q\xb3K\xec\xde \x0b\x9b\n-\xf5fP\xf7\xbb\x9d`\xaa|\xef5\x07L)t\xa4\xb4\x04\xe6.\xa2\xf3\'\xcd\xa7\xfb\x04`\x1fr\x17\xd5Au\x05!\xa9\x9f\x01\xc7\xa0\x97\x98r\xd0\xae\x13}\x03\x9fzq;]cHKN\x13\xbd$\xe3\xf2-O\xa2\xe2\x1eu\xee2cb\x9d\xb52\xddI\xaeO\xcc\xbf\xd4\x9a\'\n`\xd4\xc5\xa8v\xd2SO*\xf8\xca\xc9\xc1\x07c\xd5\x0c3\xa8\xf6\xba\xa6\x8c\x1e\xe7\xa8\x86\x0f\xc2iG\xbe3\r\xd0\x07]\xfc-\n*\xe8\x9fY\xe2\xef\xda\x82\x9e\x87\x8f?yz\xfco\xf3d\xcf\xcbI\x9c:\xb687f\xa5\rf\xc3\x00\xd2P\xa9\xef\x1aMuN\x82^\xae<\xc7\xd2\xfdM\xc9\x80\x00\xec\xb7\rP$\x1cf=\x06\xa6[Dol\xf2V\xcc\xf7\xf3\xbdq\xa7.\x963\xa5x+\\,\xfe\xe1`x4\xff\xd2\xdd?\xae\xbe\x05\x84\xf2\xac\x87\xd8\xcc\x1e\xa81\xaedt1\x10\x88\x81\x81\x9cp0\xec\x856\xfe\x90\xe7Y}\x96\xc7k)`~\x8a\x02VEmn\x03)\xd3\xe6H\xac\x0e*y\xacd\xd2\xa5%\xaa\xf9\x8f*\x1fh\x87\x8ff$\xf2\xcfI\xc7\xb4\xfb\xca\x93FN\xd3\x18\xc3\x07\xd3\xee\xe8B*\xb88\xf1\xbe\xff\xb0X\xa8\xd2s,\xa8n\xda\\\x8e\xc4\x08\xab\x8dn+j}@\xa8\xac\x13\x8au\xed\xa4X\xcaL\r\x0eC\xbb\xc5\xa8\x01\xbb\x8an\x87\xa8\x1c\xbd\rZAJ\xa9\xcf\xf6\xa0\xfb:\xaf\x94\xff\xda\xb5\x9f#\xa2\xfb\x14\xfc\x06\xae\xb5\xf9\x05u\xa6\xe29\xff\xf2y\xc2\xa8\xd8\xb2\xf0$V/y:+"\xc0\xe5m%\xe0}\x85\xc60d\xdaA6\x8e\n\xc2o\x8d\xf6QG\xd8\x9d\x18\x81\xbd\xb5\x0e\xff\xaf\xa2\'\xd9\xc7:\xab\xd9\x02,\xbf\xabE\x18 
\x1e+\x05M\x1c\xfaI#\xa7\xc9T\x07K\x83[\xd4\x98\xab\xbdg\x88\x16\x01L\xa3\x88g<2\x83\x97\xf8=A\xd6\xf3\xc7{\xdc4\xf7\x04\xcdwa\x96\x1f\xba\xe7\x85\x95n\xf1!N\xaf9\xb5A\x1e\xc7\x87\xeb\xe1\x04=\x99k\x92A\xac\x8f \x14\xc1\xce\\g\xc3\xb8\x93Q\xfc\xad\xec\x19=D\x08\x16\xad\xac\xe3\x7f\xe3w"\xa6\x8d@H\x08\xbd_\xf5\xbd\xd3\x94\xd0\x0e\xbd\x85a\x15G\xe6V\xf2\xb0\t\x98\xef\xfb/c\xf8\x99\xb8\xb5\xee0\xc9RA!:\x19M\x00\x0bc\x0c{~\xe3\xa3B\x80y*MgD~\x15\xc9C\xef\xa3\xee\xd5x\x91\xb2\xf6\x8b*\xf4\x98\xc0\x93U/L)\xf1\x82\xc3;\xcb\xe0o\x8aLD"\x8aG\xb4\xe14W\xa1T\x8a\x8d\xf2\xc8\x8e\xb1\xd6X\xb3\xe2\x8d\x80?J^f\xc5\xea\xcd\x17;\x1a\x07\xd0UY"\x94\x00Jw >\xda3\x9bLu\xdd5d\xa4&y~\xdb\x94]\xbe\xfa&\xde\xc6&&\xef\xdfmQ\xe4B<\xb3?l\xdeG\xf4\xf0\xb7\x02\xc6\xf46$\x92\xdah\xda\xf2V\xae$8\x03\x13\x06\xb1\\/\xe3\xbf8\x12\x836\x81\xb0\x13`L\xfd"\xd6\xe9|\xce\x7fk\r\xb0\xd6\xc0;\xa3\nw]\x11-\xc3x\xfb\xe7#\x10\xa7/4\xda\x9a\x87B\xcf\xe5\xfa\xaa\xf5B\x1a\xcc\xf3D\x99\x89\x0c3s(r\xb5\x85n#9N5\x08\xb5\xf0\xc0\xaf\x8a&\xc6\xbd`\x0f\x99\xc9\xbd`\xf7\xac\xd6\x1c\xfe\xf2\x83g\xd6\xb8\xc1\xb0\x871\xa6Q\xf5\x1e\xb1\t\x0e\x8fa^\xab\xdeT?\xbe\xeet\x94\xc1\x0c\xfb+\xc0\xcd\xfbD\x88\xcb\xf0\x80I\x1b8\xdf\x8e\xae\x00\xc9\x1b\x107\xa1b\xae\x9e\xbaP\xd3\xba\xa4\xe4\xb5\rc)\xbd\xb3\xcf\x02|_\\xny\x89\xa6AG\x91\x95\x92')]))])), ('enc-part', OrderedDict([('etype', 1), ('kvno', None), ('cipher', b'')]))])
2024-11-30 07:55:41,257 asyauth.kerberos DEBUG encpart: OrderedDict([('etype', 1), ('kvno', None), ('cipher', b'')])
2024-11-30 07:55:41,257 asyauth.kerberos DEBUG session_key: Key(23, 4594ded5eea8f2fa7cd2163ce26ccd86)
2024-11-30 07:55:41,264 asyauth.kerberos DEBUG APREQ constructed: b'n\x82\x04\xdb0\x82\x04\xd7\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x0e\xa2\x03\x03\x01\x00\xa3\x82\x04,a\x82\x04(0\x82\x04$\xa0\x03\x02\x01\x05\xa1\x0b\x1b\tTREE2.LAB\xa2$0"\xa0\x03\x02\x01\x02\xa1\x1b0\x19\x1b\x04ldap\x1b\x11dctree1.tree2.lab\xa3\x82\x03\xe80\x82\x03\xe4\xa0\x03\x02\x01\x12\xa1\x03\x02\x01\x03\xa2\x82\x03\xd6\x04\x82\x03\xd2\xc5\x88\xfc\xc8\xc0\xf3%\x1a\xf0\x94\xe0\xa5\xd3\x88\'\x12\xedC\x15z2!\x8d&\xfd5\x90\xa5\x1cF \x14)bm\xe61\x014\x12\x97\xfbD`>\x1a\xe6\xe1Il\x85\xad\xdeT\xc6.\x12\xbfRK&\x9cJ5\xf0l\xca\xbe\xa1\x82\xec\xb4\x8dW\xa8\xe5q\xb3K\xec\xde \x0b\x9b\n-\xf5fP\xf7\xbb\x9d`\xaa|\xef5\x07L)t\xa4\xb4\x04\xe6.\xa2\xf3\'\xcd\xa7\xfb\x04`\x1fr\x17\xd5Au\x05!\xa9\x9f\x01\xc7\xa0\x97\x98r\xd0\xae\x13}\x03\x9fzq;]cHKN\x13\xbd$\xe3\xf2-O\xa2\xe2\x1eu\xee2cb\x9d\xb52\xddI\xaeO\xcc\xbf\xd4\x9a\'\n`\xd4\xc5\xa8v\xd2SO*\xf8\xca\xc9\xc1\x07c\xd5\x0c3\xa8\xf6\xba\xa6\x8c\x1e\xe7\xa8\x86\x0f\xc2iG\xbe3\r\xd0\x07]\xfc-\n*\xe8\x9fY\xe2\xef\xda\x82\x9e\x87\x8f?yz\xfco\xf3d\xcf\xcbI\x9c:\xb687f\xa5\rf\xc3\x00\xd2P\xa9\xef\x1aMuN\x82^\xae<\xc7\xd2\xfdM\xc9\x80\x00\xec\xb7\rP$\x1cf=\x06\xa6[Dol\xf2V\xcc\xf7\xf3\xbdq\xa7.\x963\xa5x+\\,\xfe\xe1`x4\xff\xd2\xdd?\xae\xbe\x05\x84\xf2\xac\x87\xd8\xcc\x1e\xa81\xaedt1\x10\x88\x81\x81\x9cp0\xec\x856\xfe\x90\xe7Y}\x96\xc7k)`~\x8a\x02VEmn\x03)\xd3\xe6H\xac\x0e*y\xacd\xd2\xa5%\xaa\xf9\x8f*\x1fh\x87\x8ff$\xf2\xcfI\xc7\xb4\xfb\xca\x93FN\xd3\x18\xc3\x07\xd3\xee\xe8B*\xb88\xf1\xbe\xff\xb0X\xa8\xd2s,\xa8n\xda\\\x8e\xc4\x08\xab\x8dn+j}@\xa8\xac\x13\x8au\xed\xa4X\xcaL\r\x0eC\xbb\xc5\xa8\x01\xbb\x8an\x87\xa8\x1c\xbd\rZAJ\xa9\xcf\xf6\xa0\xfb:\xaf\x94\xff\xda\xb5\x9f#\xa2\xfb\x14\xfc\x06\xae\xb5\xf9\x05u\xa6\xe29\xff\xf2y\xc2\xa8\xd8\xb2\xf0$V/y:+"\xc0\xe5m%\xe0}\x85\xc60d\xdaA6\x8e\n\xc2o\x8d\xf6QG\xd8\x9d\x18\x81\xbd\xb5\x0e\xff\xaf\xa2\'\xd9\xc7:\xab\xd9\x02,\xbf\xabE\x18 
\x1e+\x05M\x1c\xfaI#\xa7\xc9T\x07K\x83[\xd4\x98\xab\xbdg\x88\x16\x01L\xa3\x88g<2\x83\x97\xf8=A\xd6\xf3\xc7{\xdc4\xf7\x04\xcdwa\x96\x1f\xba\xe7\x85\x95n\xf1!N\xaf9\xb5A\x1e\xc7\x87\xeb\xe1\x04=\x99k\x92A\xac\x8f \x14\xc1\xce\\g\xc3\xb8\x93Q\xfc\xad\xec\x19=D\x08\x16\xad\xac\xe3\x7f\xe3w"\xa6\x8d@H\x08\xbd_\xf5\xbd\xd3\x94\xd0\x0e\xbd\x85a\x15G\xe6V\xf2\xb0\t\x98\xef\xfb/c\xf8\x99\xb8\xb5\xee0\xc9RA!:\x19M\x00\x0bc\x0c{~\xe3\xa3B\x80y*MgD~\x15\xc9C\xef\xa3\xee\xd5x\x91\xb2\xf6\x8b*\xf4\x98\xc0\x93U/L)\xf1\x82\xc3;\xcb\xe0o\x8aLD"\x8aG\xb4\xe14W\xa1T\x8a\x8d\xf2\xc8\x8e\xb1\xd6X\xb3\xe2\x8d\x80?J^f\xc5\xea\xcd\x17;\x1a\x07\xd0UY"\x94\x00Jw >\xda3\x9bLu\xdd5d\xa4&y~\xdb\x94]\xbe\xfa&\xde\xc6&&\xef\xdfmQ\xe4B<\xb3?l\xdeG\xf4\xf0\xb7\x02\xc6\xf46$\x92\xdah\xda\xf2V\xae$8\x03\x13\x06\xb1\\/\xe3\xbf8\x12\x836\x81\xb0\x13`L\xfd"\xd6\xe9|\xce\x7fk\r\xb0\xd6\xc0;\xa3\nw]\x11-\xc3x\xfb\xe7#\x10\xa7/4\xda\x9a\x87B\xcf\xe5\xfa\xaa\xf5B\x1a\xcc\xf3D\x99\x89\x0c3s(r\xb5\x85n#9N5\x08\xb5\xf0\xc0\xaf\x8a&\xc6\xbd`\x0f\x99\xc9\xbd`\xf7\xac\xd6\x1c\xfe\xf2\x83g\xd6\xb8\xc1\xb0\x871\xa6Q\xf5\x1e\xb1\t\x0e\x8fa^\xab\xdeT?\xbe\xeet\x94\xc1\x0c\xfb+\xc0\xcd\xfbD\x88\xcb\xf0\x80I\x1b8\xdf\x8e\xae\x00\xc9\x1b\x107\xa1b\xae\x9e\xbaP\xd3\xba\xa4\xe4\xb5\rc)\xbd\xb3\xcf\x02|_\\xny\x89\xa6AG\x91\x95\x92\xa4\x81\x950\x81\x92\xa0\x03\x02\x01\x17\xa2\x81\x8a\x04\x81\x87\x0bM5\x98x\x11\xf2\xf7b\x16]\xf9.\xe5:KSt\'\xaa\x7f\xd3\x9b\\\xcb\xae}8^\x90\x8ew\x12\xfb\r5\x01\x07\xdaFD\x97\x0e+\xa6@\xcd\xa8\xb1\xa1\xb9I\x03\x15\x82A\x982)\xe7_\x87#\xe56\xf9\xc0\x1d\xc7\xa9\xc0+\x94S\x0el\xf6\xe3\xc3\x82\x93d\x12\x8e\r\x06\x9e\xa9\xfe\x06\xb7\xb4h\x8f\x7f"\xf5\xdf\x1a\x9dz/n\xc0q|O\xf5\x85\x90\x92\xed\xbb\x91\xe1\xae\xb8f\xec\x15x\x8e\xf4D%^u\xc9\xe8\xe5\xc9\xfd\xb9\x17e'
Traceback (most recent call last):
File "/home/silver/.local/lib/python3.11/site-packages/msldap/examples/msldapclient.py", line 90, in do_login
raise err
msldap.commons.exceptions.LDAPBindException: LDAP Bind failed! Result code: "invalidCredentials" Reason: "b'8009030C: LdapErr: DSID-0C090585, comment: AcceptSecurityContext error, data 52e, v4f7c\x00'"
msldap is calling authenticate from asyauth.native, which calls get_TGS, which calls tgs_from_ccache. That function will not find any valid service ticket but will return ldap/dctree1.tree2.lab@TREE2.LAB, because it is always non-strict, and will then try to authenticate with it instead of using the TGT to retrieve a referral ticket and then the right service ticket.
I think it would be good to provide a strict argument in the parent functions, or let the user provide a strict=True parameter in the connection URL.
What do you think? I can provide the PR.
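The lookup logic under discussion, as an added illustration that is not minikerberos or asyauth code: a toy ccache built from the two records in the klist output above, a get_tgs with a strict flag, and the caller-side decision that falls back to the TGT (and, for a foreign realm, a cross-realm referral) when no exact service ticket exists. The non-strict fallback rule used here (match on service name when no exact SPN matches), the case-insensitive SPN comparison, and all names in this block are assumptions of this model, not the library's actual matching code.

```python
"""Toy model of a Kerberos ccache lookup with strict / non-strict matching.

Hypothetical example, not minikerberos/asyauth code. Ticket bytes are dummies.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class SPN:
    service: str  # e.g. "ldap" or "krbtgt"
    host: str     # e.g. "main.bloody.corp"; for krbtgt this is the realm name
    realm: str    # realm the ticket was issued by / is requested from

    @classmethod
    def parse(cls, text: str) -> "SPN":
        """Parse 'service/host@REALM' without altering case."""
        principal, _, realm = text.rpartition("@")
        service, _, host = principal.partition("/")
        return cls(service, host, realm)

    def key(self) -> Tuple[str, str, str]:
        # Assumption: AD-style comparison, case-insensitive on every component.
        return (self.service.lower(), self.host.lower(), self.realm.upper())

    def matches(self, other: "SPN") -> bool:
        return self.key() == other.key()

    def __str__(self) -> str:
        return f"{self.service}/{self.host}@{self.realm}"


@dataclass(frozen=True)
class CCacheRecord:
    spn: SPN
    ticket: bytes  # opaque; never inspected here


class ToyCCache:
    def __init__(self, records: Iterable[CCacheRecord]):
        self.records = list(records)

    def get_tgt(self, client_realm: str) -> Optional[CCacheRecord]:
        """The TGT is the krbtgt/<REALM>@<REALM> record of the client's realm."""
        want = SPN("krbtgt", client_realm, client_realm)
        return next((r for r in self.records if r.spn.matches(want)), None)

    def get_tgs(self, spn: SPN, strict: bool = True) -> Optional[CCacheRecord]:
        """strict=True returns only an exact service/host/realm match.
        strict=False additionally falls back to any service ticket with the
        same service name (assumed model of the 'name is wrong but the ticket
        may still be valid for the target' mode). krbtgt records are never
        returned as service tickets."""
        candidates = [r for r in self.records if r.spn.service.lower() != "krbtgt"]
        for r in candidates:
            if r.spn.matches(spn):
                return r
        if strict:
            return None
        for r in candidates:
            if r.spn.service.lower() == spn.service.lower():
                return r
        return None


def pick_credential(ccache: ToyCCache, target: SPN, client_realm: str,
                    strict: bool) -> Tuple[str, Optional[str]]:
    """Decide what to present for `target`; returns (decision, spn_used)."""
    tgs = ccache.get_tgs(target, strict=strict)
    if tgs is not None:
        return ("use_cached_tgs", str(tgs.spn))
    tgt = ccache.get_tgt(client_realm)
    if tgt is None:
        return ("no_usable_credential", None)
    if tgt.spn.realm.upper() != target.realm.upper():
        # Foreign realm: exchange the TGT for a referral TGT first, then for
        # the real service ticket from the target realm's KDC.
        return ("tgt_then_referral", str(tgt.spn))
    return ("tgt_then_tgs", str(tgt.spn))


# Constructed records mirroring the klist output in the issue.
CCACHE = ToyCCache([
    CCacheRecord(SPN.parse("krbtgt/TREE2.LAB@TREE2.LAB"), b"<dummy tgt>"),
    CCacheRecord(SPN.parse("ldap/dctree1.tree2.lab@TREE2.LAB"), b"<dummy tgs>"),
])
CLIENT_REALM = "TREE2.LAB"


def demo() -> dict:
    target = SPN.parse("ldap/main.bloody.corp@bloody.corp")   # SPN asyauth logged
    same_realm = SPN.parse("ldap/dctree1.tree2.lab@TREE2.LAB")
    return {
        "non_strict": pick_credential(CCACHE, target, CLIENT_REALM, strict=False),
        "strict": pick_credential(CCACHE, target, CLIENT_REALM, strict=True),
        "strict_exact": pick_credential(CCACHE, same_realm, CLIENT_REALM, strict=True),
    }


if __name__ == "__main__":
    for mode, (decision, spn) in demo().items():
        print(f"{mode:13s} -> {decision:20s} {spn}")
```

In non-strict mode the model hands back the dctree1 ticket for a request aimed at main.bloody.corp, which is the path that ends in the invalidCredentials bind above; in strict mode the lookup returns None and the caller falls through to the TGT and a cross-realm referral.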