MIT-Heimdal interop issues
Kevin Coffman
kwc@citi.umich.edu
Fri Jul 23 14:06:29 EDT 2004
I'm seeing a problem similar to the one reported below when testing a Heimdal client
with NFSv4. I'm always getting a des-cbc-md4 session key, which our
kernel code doesn't like. Should these settings in /etc/krb5.conf (on
the client machine only) limit the enctypes requested in the TGS
request? (This is using GSSAPI, Heimdal client, MIT server, MIT 1.3.4
KDC.)
default_etypes = des-cbc-crc
default_etypes_des = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
The NFS server's keytab has only a DES key. The AS request has only
one enctype (des-cbc-crc), but the TGS request has six enctypes and the
session key always winds up being des-cbc-md4.
[kwc at rock gssapi]$ /usr/heimdal/bin/klist -v
Credentials cache: FILE:/tmp/krb5cc_20010_Y8C6kf
Principal: kwc@CITI.UMICH.EDU
Cache version: 4
Server: krbtgt/CITI.UMICH.EDU@CITI.UMICH.EDU
Ticket etype: des3-cbc-sha1, kvno 56
Session key: des
Auth time: Jul 23 12:27:56 2004
End time: Jul 27 16:27:56 2004
Renew till: Jul 30 12:27:56 2004
Ticket flags: renewable, initial
Addresses: IPv4:141.211.133.90
Server: nfs/screamer.citi.umich.edu@CITI.UMICH.EDU
Ticket etype: des-cbc-crc, kvno 4
Session key: des-cbc-md4
Auth time: Jul 23 12:27:56 2004
Start time: Jul 23 12:28:09 2004
End time: Jul 27 16:27:56 2004
Ticket flags: transited-policy-checked
Addresses: IPv4:141.211.133.90
[kwc at rock gssapi]$
Jul 23 13:11:19 AS_REQ (1 etypes {1}) 141.211.133.90: ISSUE: authtime
1090602679, etypes {rep=1 tkt=16 ses=1}, kwc@CITI.UMICH.EDU for
krbtgt/CITI.UMICH.EDU@CITI.UMICH.EDU
Jul 23 13:11:25 TGS_REQ (6 etypes {16 5 23 3 2 1}) 141.211.133.90:
ISSUE: authtime 1090602679, etypes {rep=1 tkt=1 ses=2},
kwc@CITI.UMICH.EDU for nfs/screamer.citi.umich.edu@CITI.UMICH.EDU
Any suggestions?
> The klist (Heimdal) on the client shows:
>
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: digant@KERB.UTA.EDU
> Cache version: 4
>
> Server: krbtgt/KERB.UTA.EDU@KERB.UTA.EDU
> Ticket etype: des-cbc-crc, kvno 1
> Session key: des-cbc-md4
> Auth time: Mar 23 17:42:20 2004
> End time: Mar 24 00:20:45 2004
> Ticket flags: initial
> Addresses: IPv4:129.107.56.202
>
> Server: ldap/omicron.kerb.uta.edu@KERB.UTA.EDU
> Ticket etype: des-cbc-crc, kvno 3
> Session key: des-cbc-md4
> Auth time: Mar 23 17:42:20 2004
> Start time: Mar 23 17:42:36 2004
> End time: Mar 24 00:20:45 2004
> Ticket flags: transited-policy-checked
> Addresses: IPv4:129.107.56.202
>
>
>
>
> And the krb5kdc.log on the server (MIT Kerberos) shows:
>
> Mar 23 17:42:36 labrador.uta.edu krb5kdc[11571](info): TGS_REQ (6 etypes {16
> 5 23 3 2 1}) 129.107.56.202: ISSUE: authtime 1080085340, etypes {rep=2 tkt=1
> ses=2}, digant@KERB.UTA.EDU for ldap/omicron.kerb.uta.edu@KERB.UTA.EDU
>
>
>
> -----Original Message-----
> From: Sam Hartman
> To: Digant Kasundra
> Cc: 'kerberos@mit.edu'
> Sent: 3/23/2004 5:22 PM
> Subject: Re: MIT-Heimdal interop issues
>
> >>>>> "Digant" == Digant Kasundra <digant@uta.edu> writes:
>
> Digant> Well, for some reason, I'm not getting good results.
> Digant> getting a ticket with kinit on the heimdal side works
> Digant> great if I specify a password. But when using a keytab,
> Digant> it will only work if I tell it manually what encryption
> Digant> type to use, even though ktutil identifies the enc type
> Digant> correctly when listing the keys in that keytab.
>
> This doesn't completely surprise me if your KDC requires
> preauthentication. If so, it is a Heimdal bug. MIT has the same bug
> though; it is easy to make.
>
> Digant> I think this is the major contributor to my gssapi bind
> Digant> failing on openldap.
>
> However the need to specify the enctype for kinit should not affect
> use for GSSAPI bind on the server side doing a gss_accept_sec_context.
>
> I'd look in your MIT KDC log and make sure the enctype for the ticket
> that is issued (tkt in the log line for the tgs_req) is something that
> is in your keytab.
>
> Perhaps posting klist -5 -e output from your client with an ldap
> ticket and posting the appropriate ktutil output to show the enctypes
> would be enlightening.
>
> --Sam
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
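The KDC log records quoted in this thread carry the whole enctype negotiation in numeric form: the list the client offered, then rep (reply key), tkt (ticket key) and ses (session key) for what was issued. The script below is added here as an example and is not part of the original post, of MIT Kerberos or of Heimdal. It decodes those numbers into enctype names and flags an issued session key or ticket enctype that the consumer cannot use. The KERNEL_OK set and KEYTABS map are assumptions standing in for the kernel's supported enctypes and for the nfs keytab's single DES key described in the post; the two sample records are the post's own KDC lines re-joined onto one line each, as krb5kdc writes them.

```python
"""Decode MIT krb5kdc ISSUE records and flag enctype choices a service
cannot use.  Example added for the thread above; not code from the post
or from either Kerberos distribution."""
import re
from typing import Dict, List, Optional, Set

# Kerberos enctype numbers (RFC 3961 / IANA registry) for the values seen
# in the thread plus the common AES types.
ETYPE_NAMES: Dict[int, str] = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    5: "des3-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Matches the ISSUE records written by MIT krb5kdc.  .search() is used so
# the syslog-style prefix (date, host, "krb5kdc[pid](info):") may vary.
ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<count>\d+) etypes \{(?P<requested>[\d ]*)\}\) "
    r"(?P<addr>\S+): ISSUE: authtime (?P<authtime>\d+), "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)"
)


def etype_name(num: int) -> str:
    return ETYPE_NAMES.get(num, f"etype-{num}")


def parse_issue_line(line: str) -> Optional[dict]:
    """Return the fields of one ISSUE record, or None for any other record."""
    m = ISSUE_RE.search(line)
    if not m:
        return None
    return {
        "req": m["req"],
        "requested": [int(x) for x in m["requested"].split()],
        "addr": m["addr"],
        "authtime": int(m["authtime"]),
        "rep": int(m["rep"]),
        "tkt": int(m["tkt"]),
        "ses": int(m["ses"]),
        "client": m["client"],
        "server": m["server"],
    }


def check_issue(rec: dict, allowed_session: Set[int],
                keytab_etypes: Dict[str, Set[int]]) -> List[str]:
    """Findings for one record.

    allowed_session: enctypes the consumer of the session key can handle
    (hypothetically, the NFSv4 kernel GSS code from the post).
    keytab_etypes: service principal -> enctypes of the keys in its keytab;
    the ticket (tkt) must be decryptable with one of them.
    """
    names = lambda s: sorted(etype_name(e) for e in s)
    findings = []
    if rec["ses"] not in allowed_session:
        findings.append(f"{rec['server']}: session key {etype_name(rec['ses'])} "
                        f"not in allowed set {names(allowed_session)}")
    keys = keytab_etypes.get(rec["server"])
    if keys is not None and rec["tkt"] not in keys:
        findings.append(f"{rec['server']}: ticket enctype {etype_name(rec['tkt'])} "
                        f"has no matching key in keytab {names(keys)}")
    # The client offering enctypes outside the allowed set means whatever
    # restriction was configured did not reach the library building the request.
    unwanted = [etype_name(e) for e in rec["requested"] if e not in allowed_session]
    if unwanted:
        findings.append(f"{rec['client']}: {rec['req']} offered {unwanted} "
                        f"outside the allowed set")
    return findings


def audit(lines: List[str], allowed_session: Set[int],
          keytab_etypes: Dict[str, Set[int]]) -> List[str]:
    out: List[str] = []
    for line in lines:
        rec = parse_issue_line(line)
        if rec:
            out.extend(check_issue(rec, allowed_session, keytab_etypes))
    return out


# Constructed sample: the two KDC records from the post, each re-joined onto
# a single line as krb5kdc writes them.
SAMPLE_LOG = [
    "Jul 23 13:11:19 AS_REQ (1 etypes {1}) 141.211.133.90: ISSUE: authtime "
    "1090602679, etypes {rep=1 tkt=16 ses=1}, kwc@CITI.UMICH.EDU for "
    "krbtgt/CITI.UMICH.EDU@CITI.UMICH.EDU",
    "Jul 23 13:11:25 TGS_REQ (6 etypes {16 5 23 3 2 1}) 141.211.133.90: "
    "ISSUE: authtime 1090602679, etypes {rep=1 tkt=1 ses=2}, "
    "kwc@CITI.UMICH.EDU for nfs/screamer.citi.umich.edu@CITI.UMICH.EDU",
]
# Assumed policy: the kernel accepts only des-cbc-crc session keys, and the
# nfs keytab holds a single des-cbc-crc key (the situation the post describes).
KERNEL_OK: Set[int] = {1}
KEYTABS: Dict[str, Set[int]] = {"nfs/screamer.citi.umich.edu@CITI.UMICH.EDU": {1}}

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, KERNEL_OK, KEYTABS):
        print("WARN", finding)
```

Run against a tail of krb5kdc.log, any record whose ses value falls outside the consumer's set is the one to chase, and a TGS_REQ that still offers six enctypes after default_tgs_enctypes was set shows that the restriction never reached the library that built the request. The AS_REQ in the sample produces no findings; the TGS_REQ produces two (the des-cbc-md4 session key and the oversized offer list).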