[krbdev.mit.edu #8332] gss_init_sec_context w/host@<hostname> fails with anonymous tickets

Russ Allbery via RT rt-comment at krbdev.mit.edu
Thu Dec 24 00:21:42 EST 2015


Given a Kerberos KDC configured to issue anonymous service tickets, a
client with an anonymous TGT (obtained with kinit -n) fails in
gss_init_sec_context when trying to authenticate to a host in the default
local realm when gss_import_name is called with "host@<hostname>" as the
name.

If gss_import_name is called with "host/<hostname>" instead, this works
correctly.

KRB5_TRACE says:

[82592] 1450814219.510525: ccselect can't find appropriate cache for server principal host/dfw3b-rm1-1b.sjc.dropbox.com@
[82592] 1450814219.510698: Getting credentials WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> host/dfw3b-rm1-1b.sjc.dropbox.com@ using ccache FILE:/tmp/krb5cc_1214
[82592] 1450814219.510824: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> host/dfw3b-rm1-1b.sjc.dropbox.com@ from FILE:/tmp/krb5cc_1214 with result: -1765328243/Matching credential not found
[82592] 1450814219.510914: Retrying WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> host/dfw3b-rm1-1b.sjc.dropbox.com@WELLKNOWN:ANONYMOUS with result: -1765328243/Matching credential not found
[82592] 1450814219.510926: Server has referral realm; starting with host/dfw3b-rm1-1b.sjc.dropbox.com@WELLKNOWN:ANONYMOUS
[82592] 1450814219.511006: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS from FILE:/tmp/krb5cc_1214 with result: -1765328243/Matching credential not found

so it looks like what's happening is that the service ticket lookup code
is getting very confused by the @WELLKNOWN:ANONYMOUS realm instead of
falling back on using the local realm to get service tickets.  I'm not
sure why this suddenly starts working with the host/<hostname> form of
name instead, although my guess is that the local default realm is
automatically appended to that Kerberos principal name and that somehow
unconfuses the service ticket fetch algorithm.

This behavior was seen using remctl 3.10 as the client and server, in case
there are any peculiarities of how it calls GSS-API that are relevant.
(Both available from <http://www.eyrie.org/~eagle/software/remctl/>.)  The
user-visible error was:

$ kinit -n
$ remctl dfw3b-rm1-1b.sjc.dropbox.com bootstrap help
remctl: GSS-API error initializing context: Unspecified GSS failure.  Minor code may provide more information, Matching credential not found

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>
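The failure signature in the trace above (anonymous client principal, server principal imported from a host@hostname name and therefore carrying an empty "referral" realm, and a referral walk that begins in WELLKNOWN:ANONYMOUS) can be picked out of a KRB5_TRACE capture mechanically. The following is an added example, not code from the ticket, from MIT krb5 or from remctl: it parses trace lines of the shape shown above and flags that combination. The sample input is the ticket's own trace with the mailing-list archive's " at " munging restored to the "@" that krb5 prints; the helper names, the report keys and the verdict text are this example's own, and the host/<hostname> rewrite it suggests is the workaround the ticket reports, not a fix in krb5.

```python
import re

ANON_PRINCIPAL = "WELLKNOWN/ANONYMOUS"
ANON_REALM = "WELLKNOWN:ANONYMOUS"

# Constructed sample input: the KRB5_TRACE lines from the ticket above, with the
# archive's " at " munging restored to the "@" that krb5 actually prints.
SAMPLE_TRACE = """\
[82592] 1450814219.510525: ccselect can't find appropriate cache for server principal host/dfw3b-rm1-1b.sjc.dropbox.com@
[82592] 1450814219.510698: Getting credentials WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> host/dfw3b-rm1-1b.sjc.dropbox.com@ using ccache FILE:/tmp/krb5cc_1214
[82592] 1450814219.510824: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> host/dfw3b-rm1-1b.sjc.dropbox.com@ from FILE:/tmp/krb5cc_1214 with result: -1765328243/Matching credential not found
[82592] 1450814219.510914: Retrying WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> host/dfw3b-rm1-1b.sjc.dropbox.com@WELLKNOWN:ANONYMOUS with result: -1765328243/Matching credential not found
[82592] 1450814219.510926: Server has referral realm; starting with host/dfw3b-rm1-1b.sjc.dropbox.com@WELLKNOWN:ANONYMOUS
[82592] 1450814219.511006: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS from FILE:/tmp/krb5cc_1214 with result: -1765328243/Matching credential not found
"""

# Trace line shape: "[pid] seconds.micros: message"
_TRACE_RE = re.compile(r"^\[\d+\] \d+\.\d+: (.*)$")
_GETTING_RE = re.compile(r"^Getting credentials (\S+) -> (\S+) using ccache (\S+)$")
_LOOKUP_RE = re.compile(r"^(?:Retrieving|Retrying) (\S+) -> (\S+) .*?with result: (-?\d+)/(.*)$")
_REFERRAL_RE = re.compile(r"^Server has referral realm; starting with (\S+)$")


def split_principal(princ):
    """Split an unparsed principal into (name, realm).

    A trailing bare "@" (what the trace shows for the server name imported from
    host@<hostname>) yields realm "".  Assumes no escaped "@" inside components.
    """
    name, sep, realm = princ.rpartition("@")
    return (name, realm) if sep else (princ, None)


def hostbased_to_principal(name):
    """Rewrite a GSS host-based name "service@host" as the "service/host" form
    the ticket reports as working.  Hypothetical helper, not a GSS-API call."""
    service, sep, host = name.partition("@")
    if not sep or not service or not host:
        raise ValueError("expected service@host, got %r" % name)
    return "%s/%s" % (service, host)


def parse_messages(text):
    """Return the message part of each KRB5_TRACE line, skipping other lines."""
    return [m.group(1) for m in map(_TRACE_RE.match, text.splitlines()) if m]


def diagnose(text):
    """Walk one KRB5_TRACE capture of a credential fetch and classify it."""
    r = {
        "client": None, "server": None, "ccache": None,
        "anonymous_client": False, "referral_realm_server": False,
        "referral_start_realm": None, "tgt_lookups": [], "failed_lookups": 0,
        "verdict": "no credential fetch found in trace",
    }
    for msg in parse_messages(text):
        m = _GETTING_RE.match(msg)
        if m:
            r["client"] = split_principal(m.group(1))
            r["server"] = split_principal(m.group(2))
            r["ccache"] = m.group(3)
            r["anonymous_client"] = r["client"] == (ANON_PRINCIPAL, ANON_REALM)
            r["referral_realm_server"] = r["server"][1] == ""
            continue
        m = _LOOKUP_RE.match(msg)
        if m:
            name, realm = split_principal(m.group(2))
            if name.startswith("krbtgt/"):
                # Which realm's TGT the library went looking for.
                r["tgt_lookups"].append(realm)
            if int(m.group(3)) != 0:
                r["failed_lookups"] += 1
            continue
        m = _REFERRAL_RE.match(msg)
        if m:
            r["referral_start_realm"] = split_principal(m.group(1))[1]
    if (r["anonymous_client"] and r["referral_realm_server"]
            and r["referral_start_realm"] == ANON_REALM):
        r["verdict"] = (
            "anonymous client with referral-realm server name: the referral walk "
            "starts in %s (the anonymous realm), not the local realm; the ticket's "
            "workaround is to import the name as %s"
            % (ANON_REALM, hostbased_to_principal("host@" + r["server"][0].split("/", 1)[1])))
    elif r["failed_lookups"]:
        r["verdict"] = "%d failed credential lookups, not the anonymous/referral pattern" % r["failed_lookups"]
    return r


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_TRACE).items():
        print("%-22s %s" % (key + ":", value))
```

Run it against the output of `KRB5_TRACE=/dev/stderr remctl ...` (or any other GSS-API client) captured to a file; the report shows the client and server principals as krb5 saw them, the realm the referral walk started in, and which realms' TGTs were looked up, which is enough to tell this case apart from an ordinary missing-ticket error with the same "Matching credential not found" minor code.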
