MIT-Heimdal interop issues
Digant Kasundra
digant at uta.edu
Tue Mar 23 18:42:09 EST 2004
The klist (Heimdal) on the client shows:
Credentials cache: FILE:/tmp/krb5cc_0
Principal: digant at KERB.UTA.EDU
Cache version: 4
Server: krbtgt/KERB.UTA.EDU at KERB.UTA.EDU
Ticket etype: des-cbc-crc, kvno 1
Session key: des-cbc-md4
Auth time: Mar 23 17:42:20 2004
End time: Mar 24 00:20:45 2004
Ticket flags: initial
Addresses: IPv4:129.107.56.202
Server: ldap/omicron.kerb.uta.edu at KERB.UTA.EDU
Ticket etype: des-cbc-crc, kvno 3
Session key: des-cbc-md4
Auth time: Mar 23 17:42:20 2004
Start time: Mar 23 17:42:36 2004
End time: Mar 24 00:20:45 2004
Ticket flags: transited-policy-checked
Addresses: IPv4:129.107.56.202
And the krb5kdc.log on the server (MIT Kerberos) shows:
Mar 23 17:42:36 labrador.uta.edu krb5kdc[11571](info): TGS_REQ (6 etypes {16 5 23 3 2 1}) 129.107.56.202: ISSUE: authtime 1080085340, etypes {rep=2 tkt=1 ses=2}, digant at KERB.UTA.EDU for ldap/omicron.kerb.uta.edu at KERB.UTA.EDU
-----Original Message-----
From: Sam Hartman
To: Digant Kasundra
Cc: 'kerberos at mit.edu'
Sent: 3/23/2004 5:22 PM
Subject: Re: MIT-Heimdal interop issues
>>>>> "Digant" == Digant Kasundra <digant at uta.edu> writes:
Digant> Well, for some reason, I'm not getting good results.
Digant> getting a ticket with kinit on the heimdal side works
Digant> great if I specify a password. But when using a keytab,
Digant> it will only work if I tell it manually what encryption
Digant> type to use, even though ktutil identifies the enc type
Digant> correctly when listing the keys in that keytab.
This doesn't completely surprise me if your KDC requires
preauthentication. If so, it is a Heimdal bug. MIT has the same bug
though; it is easy to make.
Digant> I think this is the major contributor to my gssapi bind
Digant> failing on openldap.
However, the need to specify the enctype for kinit should not affect
use for GSSAPI bind on the server side doing a gss_accept_sec_context.
I'd look in your MIT KDC log and make sure the enctype for the ticket
that is issued (tkt in the log line for the tgs_req) is something that
is in your keytab.
Perhaps posting klist -5 -e output from your client with an ldap
ticket and posting the appropriate ktutil output to show the enctypes
would be enlightening.
--Sam
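The check Sam describes, worked through against the KDC log line quoted in this message, as an added example that is not code from the thread: it decodes the numeric etypes in the TGS_REQ ISSUE line and asks whether a keytab listing holds a key for the service principal with the same enctype and kvno as the issued ticket. The keytab entries are constructed for illustration, not the poster's real keytab.

```python
import re

# Kerberos enctype numbers (RFC 3961 registry) for the types seen in this thread's KDC log.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 5: "des3-cbc-md5",
    16: "des3-cbc-sha1", 23: "arcfour-hmac",
}

# The TGS_REQ line from the krb5kdc.log quoted above, re-joined from the archive's line wrapping.
KDC_LOG_LINE = (
    "Mar 23 17:42:36 labrador.uta.edu krb5kdc[11571](info): TGS_REQ (6 etypes {16 5 23 3 2 1}) "
    "129.107.56.202: ISSUE: authtime 1080085340, etypes {rep=2 tkt=1 ses=2}, "
    "digant@KERB.UTA.EDU for ldap/omicron.kerb.uta.edu@KERB.UTA.EDU"
)

# Constructed keytab listing in the shape of 'ktutil list' output (kvno, enctype, principal);
# hypothetical contents chosen to show a mismatch, not the original poster's real keytab.
KEYTAB_ENTRIES = [
    (3, "des-cbc-md5", "ldap/omicron.kerb.uta.edu@KERB.UTA.EDU"),
    (3, "des3-cbc-sha1", "ldap/omicron.kerb.uta.edu@KERB.UTA.EDU"),
]

_TGS_RE = re.compile(
    r"TGS_REQ \(\d+ etypes \{([\d ]+)\}\) \S+: ISSUE: .*?"
    r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}, (\S+) for (\S+)"
)

def parse_tgs_issue(line):
    """Return (service principal, etypes the client offered, issued rep/tkt/ses etypes)."""
    m = _TGS_RE.search(line)
    if m is None:
        raise ValueError("not a TGS_REQ ISSUE line")
    offered = [int(x) for x in m.group(1).split()]
    issued = {"rep": int(m.group(2)), "tkt": int(m.group(3)), "ses": int(m.group(4))}
    return m.group(6), offered, issued

def check_service_key(line, keytab, ticket_kvno):
    """(ok, detail): ok is True when the keytab has a key the service can decrypt the ticket with."""
    service, _offered, issued = parse_tgs_issue(line)
    tkt_name = ETYPE_NAMES.get(issued["tkt"], f"etype-{issued['tkt']}")
    for kvno, etype, princ in keytab:
        if princ == service and etype == tkt_name and kvno == ticket_kvno:
            return True, f"{service} has {tkt_name} kvno {kvno}"
    have = sorted(f"{e}/kvno{k}" for k, e, p in keytab if p == service)
    return False, f"ticket for {service} is {tkt_name} kvno {ticket_kvno}; keytab has {', '.join(have) or 'no key'}"

if __name__ == "__main__":
    # kvno 3 comes from the 'Ticket etype: des-cbc-crc, kvno 3' line in the klist output above.
    print(check_service_key(KDC_LOG_LINE, KEYTAB_ENTRIES, ticket_kvno=3))
```

With the constructed keytab the check fails, because the KDC issued the ldap ticket as tkt=1 (des-cbc-crc) and no des-cbc-crc key with kvno 3 is present; a keytab extracted after the service key was rekeyed, or with a different enctype, fails the same way.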