Misbehaving krb5 forwarding?

Adar Dembo adar at stanford.edu
Tue Mar 30 06:04:04 EST 2004


I am behind a NAT network topology where one linux box contains two
network cards and serves as a firewall for the other. The first (adar) has
my real IP as well as 10.0.0.1, while the second (adard) has 10.0.0.2. The
first is connected to the Internet via normal CAT5 Ethernet while the
second is connected via an Ethernet crossover cable to the first.

For some reason, my kerberos 5 ticket forwarding is misbehaving in
conjunction with the MIT kerberos 1.2.8 klogind server (this server lacks
any special patches to the kerberos 5 handling). Here is some output from
my machine that exhibits the problem:

adar@adard:~$ kinit -Af
Stanford University (Leland) (adard)
Password for adar@stanford.edu:
adar@adard:~$ klist -af
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: adar@stanford.edu

Valid starting     Expires            Service principal
03/29/04 21:04:46  03/30/04 22:04:46  krbtgt/stanford.edu@stanford.edu
        Flags: FIA
        Addresses: (none)


Kerberos 4 ticket cache: /tmp/tkt1000
Principal: adar@IR.STANFORD.EDU

  Issued              Expires             Principal
03/29/04 21:05:51  03/30/04 22:32:12  krbtgt.IR.STANFORD.EDU@IR.STANFORD.EDU

adar@adard:~$ klogin elaine20.stanford.edu
kftgt: tgt adar.@IR.STANFORD.EDU forwarded to elaine20.Stanford.EDU
klogind: Can't get forwarded credentials.
Trying krb4 rlogin...
This rlogin session is using DES encryption for all data transmissions.
Last login: Mon Mar 29 16:09:21 from adar
Trying krb4 rsh...
[........]
Print quota is in effect for the Sweet Hall printers.

Password for adar@stanford.edu:
[........]

For reference, klogin is a script that executes "kftgt <host>" where
<host> is elaine20.stanford.edu in this case, followed by "rlogin <host>
-x -F". On any other UNIX machine this has produced the proper behavior of
forwarding my tickets to the machine, and giving me a kerberized login.
With mine, however, the forwarding is not working properly, as I am asked
to once again enter a password upon logging in to re-acquire my tickets.

My system is a 2.6.4 kernel running Debian Unstable, and I'm using the MIT
krb5 implementation available through the Debian packages. Neither kftgt
nor rlogin log any output to my syslog, and I can't coax any more
information out of them via debugging switches. What should I do?

-Adar
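
Added example, not part of the original post: a small Python script that parses the Kerberos 5 portion of the "klist -af" output shown above and reports whether the TGT is in a state that can be forwarded from behind NAT. In MIT klist output the letters in "Flags: FIA" mean forwardable, initial and preauthenticated, and "Addresses: (none)" means the ticket carries no client address list; a server that receives a forwarded ticket compares any embedded addresses with the address the connection actually arrives from, which for a NATed host is not its own 10.0.0.x address. The first sample input is a copy of the post's klist output with the archive's " at " restored to "@"; the second is a constructed cache with an address-bound, non-forwardable TGT, added here for contrast. The script covers only the krb5 cache (it stops at the Kerberos 4 section) and says nothing about what kftgt does with the krb4 ticket.

```python
"""Parse MIT `klist -af` output and check whether the krb5 TGT can be
forwarded from behind NAT: it needs the F flag and no embedded addresses."""
import re

# Flag letters as printed by MIT klist(1); only the common ones are listed.
FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hardware-authenticated", "A": "preauthenticated",
}

# Sample 1: the klist output from the post, with "@" restored.
SAMPLE_ADDRESSLESS = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: adar@stanford.edu

Valid starting     Expires            Service principal
03/29/04 21:04:46  03/30/04 22:04:46  krbtgt/stanford.edu@stanford.edu
        Flags: FIA
        Addresses: (none)


Kerberos 4 ticket cache: /tmp/tkt1000
Principal: adar@IR.STANFORD.EDU
"""

# Sample 2: constructed for contrast, a TGT obtained without -A or -f.
SAMPLE_BOUND = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: adar@stanford.edu

Valid starting     Expires            Service principal
03/29/04 21:04:46  03/30/04 22:04:46  krbtgt/stanford.edu@stanford.edu
        Flags: IA
        Addresses: 10.0.0.2
"""

# "start  expires  service" lines of the krb5 ticket table.
TICKET_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
                       r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$")


def parse_klist(text):
    """Return cache name, default principal and a list of krb5 tickets, each
    with its service, validity, flag letters and address list."""
    info = {"cache": None, "principal": None, "tickets": []}
    for line in text.splitlines():
        if line.startswith("Kerberos 4 ticket cache:"):
            break                      # krb4 section uses a different layout
        if line.startswith("Ticket cache:"):
            info["cache"] = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Default principal:"):
            info["principal"] = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            info["tickets"].append({"start": m.group(1), "expires": m.group(2),
                                    "service": m.group(3), "flags": set(),
                                    "addresses": []})
            continue
        s = line.strip()
        if not info["tickets"]:
            continue                   # Flags/Addresses belong to a ticket
        if s.startswith("Flags:"):
            info["tickets"][-1]["flags"] = set(s.split(":", 1)[1].strip())
        elif s.startswith("Addresses:"):
            v = s.split(":", 1)[1].strip()   # klist prints "(none)" or a, b, c
            info["tickets"][-1]["addresses"] = (
                [] if v == "(none)" else [a.strip() for a in v.split(",")])
    return info


def describe_flags(flags):
    """Expand flag letters to names, in sorted letter order."""
    return [FLAG_NAMES.get(f, "unknown flag %r" % f) for f in sorted(flags)]


def find_tgt(info):
    """The TGT for the default principal's realm, or None."""
    if not info["principal"] or "@" not in info["principal"]:
        return None
    realm = info["principal"].split("@", 1)[1]
    want = "krbtgt/%s@%s" % (realm, realm)
    return next((t for t in info["tickets"] if t["service"] == want), None)


def forwarding_check(text):
    """Return (ok, problems): ok is True only if the TGT is forwardable and
    carries no address list, the two things a NATed forward depends on."""
    info = parse_klist(text)
    tgt = find_tgt(info)
    if tgt is None:
        return False, ["no krbtgt ticket found in cache %s" % info["cache"]]
    problems = []
    if "F" not in tgt["flags"]:
        problems.append("TGT lacks the forwardable (F) flag; get one with kinit -f")
    if tgt["addresses"]:
        problems.append("TGT is bound to %s; through NAT the server sees another "
                        "address, so get an addressless TGT with kinit -A"
                        % ", ".join(tgt["addresses"]))
    return (not problems), problems


if __name__ == "__main__":
    for name, sample in (("post", SAMPLE_ADDRESSLESS), ("bound", SAMPLE_BOUND)):
        ok, problems = forwarding_check(sample)
        tgt = find_tgt(parse_klist(sample))
        print(name, describe_flags(tgt["flags"]), "OK" if ok else problems)
```

Run it directly to see both verdicts; the post's own TGT passes both checks, so this rules out the ticket flags and address list before looking elsewhere.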