MIT + Heimdal + openssh == cross realm difficulties

Priit Randla priit.randla at eyp.ee
Wed Feb 2 03:54:31 EST 2005 


     Hello,

I already posted following message to heimdal-discuss mailinglist, but, as the 
problem involves also MIT Kerberos 5, I'll try my luck here also...


    Maybe somebody here is able to help me with my problem involving
Heimdal, MIT and openssh...
Currently we've got a mixed Kerberos 5 infrastructure in place - MIT
Kerberos5 + Windows AD stuff.
Usual stuff - user data on LDAP, password verification with Kerberos.
Our applications are relying on ticket-forwarding extensively, so
whatever we do, ticket forward has to work.
Now, as we're changing our Linux-platform to SuSe, we're going to
migrate to Heimdal. Unfortunately ;-) until
we're finished with migration, we've got to run both MIT and Heimdal
clients and kdc's - so I've got to implement
some kind of cross realm trust between our 3 Kerberos realms (MIT,
Heimdal, AD).
As a first step, i'd like to get cross-realm authentication to work for
openssh with gssapi.

What I've got:
MIT kdc and clients are version 1.3.4
Heimdal kdc and clients are 0.6.1rc3 as found in SuSe 9.0
I tried various versions of openssh, currently i've got
latest-and-greatest 3.9p1 with patches for #918 and #922 from bugzilla
on both MIT and Heimdal based computers.
Let's say I've got realms: AAA default on MIT based machines, BBB on
Heimdal ones.

What I've done:
1. Installed Heimdal kdc, created realm BBB and some principals for
users and involved hosts.
2. Battled pam on SuSe to obtain TGT on login, verified, that ticket
forward works within realm BBB.
3. Created principals for cross-realm authentication: krbtgt/AAA at BBB and
krbtgt/BBB at AAA on both MIT and Heimdal kdc's,
   verified that kvno's, enctypes and passwords are all the same.
4. Verified, that both ssh_config contains options GSSAPIAuthentication
yes,GSSAPIDelegateCredentials yes ; sshd_config
    has GSSAPIAuthentication yes.
5. Verified that I can do kgetcred krbtgt/AAA at BBB and krbtgt/BBB at AAA,
tgt for BBB at BBB is forwardable, others aren't.

Now, when I attempt ssh connection as priitr at AAA on 172.26.209.15 using
MIT to machine srv1.bbb which uses Heimdal, i got following debug
information:
...
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Miscellaneous failure
Requested effective lifetime is negative or too short      ( -> Kerberos
error KRB5KDC_ERR_NEVER_VALID )
debug1: Trying to start again
.... and ssh prompts for a password.

MIT kdc (AAA) log says:
Feb  1 10:25:39 src at kdc2 krb5kdc[20593]: AS_REQ (7 etypes {18 17 16 23 1
3 2}) 172.26.209.15: ISSUE: authtime 1107246339,
etypes {rep=1 tkt=1 ses=1}, priitr at AAA for krbtgt/AAA at AAA
Feb  1 10:26:35 src at kdc2 krb5kdc[20593]: TGS_REQ (7 etypes {18 17 16 23
1 3 2}) 172.26.209.15: ISSUE: authtime 1107246339, etypes {rep=1 tkt=1
ses=1}, priitr at AAA for krbtgt/BBB at AAA
Feb  1 10:26:35 src at kdc2 krb5kdc[20593]: TGS_REQ (7 etypes {18 17 16 23
1 3 2}) 172.26.209.15: ISSUE: authtime 1107246339, etypes {rep=1 tkt=1
ses=1}, priitr at AAA for krbtgt/BBB at AAA

Heimdal kdc (BBB) logs says:
TGS-REQ priitr at AAA from IPv4:172.26.209.15 for host/srv1.bbb at BBB
[renewable, forwardable]
Client not found in database: priitr at AAA: No such entry in the database
cross-realm AAA -> BBB
sending 131 bytes to IPv4:172.26.209.15

krb5.conf has both realms described on all involved computers and ticket
forward works for AAA->AAA and BBB->BBB.

Where should I look next? Anything? Kindly please ... :-).

Priit

More information about the Kerberos mailing list