MIT-Heimdal interop issues

Kevin Coffman kwc at citi.umich.edu
Fri Jul 23 14:06:29 EDT 2004


I'm seeing a problem similar to the one reported below while testing a 
Heimdal client with NFSv4.  I'm always getting a des-cbc-md4 session key 
which our kernel code doesn't like.  Should these settings in 
/etc/krb5.conf (on the client machine only) limit the enctypes requested 
in the TGS request?  (This is using GSSAPI, Heimdal client, MIT server, 
MIT 1.3.4 KDC)

 default_etypes = des-cbc-crc
 default_etypes_des = des-cbc-crc
 default_tkt_enctypes = des-cbc-crc 
 default_tgs_enctypes = des-cbc-crc

The nfs server's keytab has only a des key.  The AS request has only 
one enctype (des-cbc-crc), but the TGS request has six enctypes and the 
session key always winds up being des-cbc-md4.

[kwc at rock gssapi]$ /usr/heimdal/bin/klist -v
Credentials cache: FILE:/tmp/krb5cc_20010_Y8C6kf
        Principal: kwc at CITI.UMICH.EDU
    Cache version: 4

Server: krbtgt/CITI.UMICH.EDU at CITI.UMICH.EDU
Ticket etype: des3-cbc-sha1, kvno 56
Session key: des
Auth time:  Jul 23 12:27:56 2004
End time:   Jul 27 16:27:56 2004
Renew till: Jul 30 12:27:56 2004
Ticket flags: renewable, initial
Addresses: IPv4:141.211.133.90

Server: nfs/screamer.citi.umich.edu at CITI.UMICH.EDU
Ticket etype: des-cbc-crc, kvno 4
Session key: des-cbc-md4
Auth time:  Jul 23 12:27:56 2004
Start time: Jul 23 12:28:09 2004
End time:   Jul 27 16:27:56 2004
Ticket flags: transited-policy-checked
Addresses: IPv4:141.211.133.90

[kwc at rock gssapi]$

Jul 23 13:11:19 AS_REQ (1 etypes {1}) 141.211.133.90: ISSUE: authtime 
1090602679, etypes {rep=1 tkt=16 ses=1}, kwc at CITI.UMICH.EDU for 
krbtgt/CITI.UMICH.EDU at CITI.UMICH.EDU
Jul 23 13:11:25 TGS_REQ (6 etypes {16 5 23 3 2 1}) 141.211.133.90: 
ISSUE: authtime 1090602679, etypes {rep=1 tkt=1 ses=2}, 
kwc at CITI.UMICH.EDU for nfs/screamer.citi.umich.edu at CITI.UMICH.EDU

Any suggestions?



> The klist (Heimdal) on the client shows:
> 
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: digant at KERB.UTA.EDU
>     Cache version: 4
>  
> Server: krbtgt/KERB.UTA.EDU at KERB.UTA.EDU
> Ticket etype: des-cbc-crc, kvno 1
> Session key: des-cbc-md4
> Auth time:  Mar 23 17:42:20 2004
> End time:   Mar 24 00:20:45 2004
> Ticket flags: initial
> Addresses: IPv4:129.107.56.202
>  
> Server: ldap/omicron.kerb.uta.edu at KERB.UTA.EDU
> Ticket etype: des-cbc-crc, kvno 3
> Session key: des-cbc-md4
> Auth time:  Mar 23 17:42:20 2004
> Start time: Mar 23 17:42:36 2004
> End time:   Mar 24 00:20:45 2004
> Ticket flags: transited-policy-checked
> Addresses: IPv4:129.107.56.202
> 
> 
> 
> 
> And the krb5kdc.log on the server (MIT Kerberos) shows:
> 
> Mar 23 17:42:36 labrador.uta.edu krb5kdc[11571](info): TGS_REQ (6 etypes {16
> 5 23 3 2 1}) 129.107.56.202: ISSUE: authtime 1080085340, etypes {rep=2 tkt=1
> ses=2}, digant at KERB.UTA.EDU for ldap/omicron.kerb.uta.edu at KERB.UTA.EDU
> 
> 
> 
> -----Original Message-----
> From: Sam Hartman
> To: Digant Kasundra
> Cc: ''kerberos at mit.edu' '
> Sent: 3/23/2004 5:22 PM
> Subject: Re: MIT-Heimdal interop issues
> 
> >>>>> "Digant" == Digant Kasundra <digant at uta.edu> writes:
> 
>     Digant> Well, for some reason, I'm not getting good results.
>     Digant> getting a ticket with kinit on the heimdal side works
>     Digant> great if I specify a password.  But when using a keytab,
>     Digant> it will only work if I tell it manually what encryption
>     Digant> type to use, even though ktutil identifies the enc type
>     Digant> correctly when listing the keys in that keytab.
> 
> This doesn't completely surprise me if your KDC requires
> preauthentication.  If so, it is a Heimdal bug.  MIT has the same bug
> though; it is easy to make.
> 
>     Digant> I think this is the major contributor to my gssapi bind
>     Digant> failing on openldap.
> 
> However the need to specify the enctype for kinit should not affect
> use for GSSAPI bind on the server side doing a gss_accept_sec_context.
> 
> I'd look in your MIT KDC log and make sure the enctype for the ticket
> that is issued (tkt in the log line for the tgs_req) is something that
> is in your keytab.
> 
> Perhaps posting klist -5 -e output from your client with an ldap
> ticket and posting the appropriate ktutil output to show the enctypes
> would be enlightening.
> 
> --Sam
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
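
An added example (not part of the original message, and not MIT or Heimdal code): a small parser for the krb5kdc ISSUE log lines quoted in this thread. It decodes the requested and issued enctype numbers and reports the mismatch described above. The keytab contents and the set of session-key enctypes the service accepts are inputs; the value {1} used for both is an assumption taken from the message's statements that the keytab has only a DES key and that the kernel code does not like des-cbc-md4.

```python
import re

# Enctype numbers from the IANA Kerberos registry (RFC 3961, RFC 4757).
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          5: "des3-cbc-md5", 16: "des3-cbc-sha1", 23: "arcfour-hmac"}

ISSUE_RE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<req>[\d ]+)\}\) \S+: "
    r"ISSUE: authtime \d+, "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>.+?) for (?P<server>.+)$")

def name(n):
    return ETYPES.get(n, f"etype-{n}")

def parse_issue(line):
    """Parse one krb5kdc ISSUE line; return None for any other line."""
    m = ISSUE_RE.search(" ".join(line.split()))  # tolerate mail line wrapping
    if not m:
        return None
    return {"kind": m["kind"], "server": m["server"],
            "requested": [int(x) for x in m["req"].split()],
            "rep": int(m["rep"]), "tkt": int(m["tkt"]), "ses": int(m["ses"])}

def check(rec, keytab_etypes, accepted_session):
    """Compare an issued service ticket with what the service can use."""
    problems = []
    if rec["kind"] != "TGS_REQ":
        return problems  # TGT enctypes concern the KDC, not the service
    if rec["tkt"] not in keytab_etypes:
        problems.append(f"ticket enctype {name(rec['tkt'])} not in keytab")
    if rec["ses"] not in accepted_session:
        problems.append(f"session key enctype {name(rec['ses'])} not accepted")
    return problems

# The two log lines from the message above, with the mail line wrapping removed.
SAMPLE = [
    "Jul 23 13:11:19 AS_REQ (1 etypes {1}) 141.211.133.90: ISSUE: authtime "
    "1090602679, etypes {rep=1 tkt=16 ses=1}, kwc at CITI.UMICH.EDU for "
    "krbtgt/CITI.UMICH.EDU at CITI.UMICH.EDU",
    "Jul 23 13:11:25 TGS_REQ (6 etypes {16 5 23 3 2 1}) 141.211.133.90: "
    "ISSUE: authtime 1090602679, etypes {rep=1 tkt=1 ses=2}, "
    "kwc at CITI.UMICH.EDU for nfs/screamer.citi.umich.edu at CITI.UMICH.EDU",
]

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_issue(line)
        # Assumed: keytab holds only des-cbc-crc; service accepts only des-cbc-crc.
        print(rec["kind"], [name(n) for n in rec["requested"]],
              check(rec, keytab_etypes={1}, accepted_session={1}))
```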



