MIT + Heimdal + openssh == cross realm difficulties

Henry B. Hotz hotz at jpl.nasa.gov
Tue Feb 8 14:14:02 EST 2005


It's not clear to me why the MIT and Heimdal realms need to be  
different.

You can import an MIT database into Heimdal with hprop.  Google for the  
details, but you export a MIT dump file with some specific options and  
then use hprop to read it into Heimdal.  There's some place in  
Switzerland that is running Heimdal slaves to MIT masters in order to  
respond to AFS authentication requests.  (Note there is currently no  
code to go the other direction.)

Also Heimdal and MIT clients will happily use the other's servers.

On Feb 2, 2005, at 12:56 AM, kerberos-request at mit.edu wrote:

> Date: Wed, 02 Feb 2005 10:54:31 +0200
> From: Priit Randla <priit.randla at eyp.ee>
> To: kerberos at mit.edu
> Subject: MIT + Heimdal + openssh == cross realm difficulties
> Message-ID: <42009547.9070706 at eyp.ee>
> Content-Type: text/plain; charset=us-ascii; format=flowed
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Precedence: list
> Message: 12
>
>
>
>      Hello,
>
> I already posted the following message to the heimdal-discuss mailing list,
> but, as the problem also involves MIT Kerberos 5, I'll try my luck here too...
>
>
>     Maybe somebody here is able to help me with my problem involving
> Heimdal, MIT and openssh...
> Currently we've got a mixed Kerberos 5 infrastructure in place - MIT
> Kerberos 5 + Windows AD stuff.
> Usual stuff - user data in LDAP, password verification with Kerberos.
> Our applications rely on ticket forwarding extensively, so
> whatever we do, ticket forwarding has to work.
> Now, as we're changing our Linux platform to SuSE, we're going to
> migrate to Heimdal. Unfortunately ;-) until
> we're finished with the migration, we've got to run both MIT and Heimdal
> clients and KDCs - so I've got to implement
> some kind of cross-realm trust between our 3 Kerberos realms (MIT,
> Heimdal, AD).
> As a first step, I'd like to get cross-realm authentication to work for
> openssh with gssapi.
>
> What I've got:
> MIT KDC and clients are version 1.3.4
> Heimdal KDC and clients are 0.6.1rc3 as found in SuSE 9.0
> I tried various versions of openssh; currently I've got the
> latest-and-greatest 3.9p1 with patches for #918 and #922 from bugzilla
> on both MIT and Heimdal based computers.
> Let's say I've got realms: AAA default on MIT based machines, BBB on
> Heimdal ones.
>
> What I've done:
> 1. Installed Heimdal KDC, created realm BBB and some principals for
> users and involved hosts.
> 2. Battled PAM on SuSE to obtain a TGT on login, verified that ticket
> forwarding works within realm BBB.
> 3. Created principals for cross-realm authentication: krbtgt/AAA@BBB and
> krbtgt/BBB@AAA on both MIT and Heimdal KDCs,
>    verified that kvnos, enctypes and passwords are all the same.
> 4. Verified that ssh_config contains the options GSSAPIAuthentication yes,
> GSSAPIDelegateCredentials yes; sshd_config has GSSAPIAuthentication yes.
> 5. Verified that I can do kgetcred krbtgt/AAA@BBB and krbtgt/BBB@AAA;
> the TGT for BBB@BBB is forwardable, the others aren't.
>
> Now, when I attempt an ssh connection as priitr@AAA on 172.26.209.15 using
> MIT to machine srv1.bbb, which uses Heimdal, I get the following debug
> information:
> ...
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Delegating credentials
> debug1: Miscellaneous failure
> Requested effective lifetime is negative or too short      ( -> Kerberos
> error KRB5KDC_ERR_NEVER_VALID )
> debug1: Trying to start again
> .... and ssh prompts for a password.
>
> MIT KDC (AAA) log says:
> Feb  1 10:25:39 src@kdc2 krb5kdc[20593]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.26.209.15: ISSUE: authtime 1107246339, etypes {rep=1 tkt=1 ses=1}, priitr@AAA for krbtgt/AAA@AAA
> Feb  1 10:26:35 src@kdc2 krb5kdc[20593]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.26.209.15: ISSUE: authtime 1107246339, etypes {rep=1 tkt=1 ses=1}, priitr@AAA for krbtgt/BBB@AAA
> Feb  1 10:26:35 src@kdc2 krb5kdc[20593]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.26.209.15: ISSUE: authtime 1107246339, etypes {rep=1 tkt=1 ses=1}, priitr@AAA for krbtgt/BBB@AAA
>
> Heimdal KDC (BBB) log says:
> TGS-REQ priitr@AAA from IPv4:172.26.209.15 for host/srv1.bbb@BBB [renewable, forwardable]
> Client not found in database: priitr@AAA: No such entry in the database
> cross-realm AAA -> BBB
> sending 131 bytes to IPv4:172.26.209.15
>
> krb5.conf has both realms described on all involved computers, and ticket
> forwarding works for AAA->AAA and BBB->BBB.
>
> Where should I look next? Anything? Kindly please ... :-).
>
> Priit
>
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
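The "Requested effective lifetime is negative or too short" line in the ssh debug output quoted above is the text of KRB5KDC_ERR_NEVER_VALID. A KDC returns it when the endtime it settles on for the requested ticket is less than a site-defined minimum after the ticket's starttime (RFC 4120 section 3.1.3, with the TGS endtime rules of section 3.3.3, under which a ticket obtained via a TGT, including a cross-realm krbtgt ticket, may not outlive that TGT). The Python below is an added model of that decision, not MIT or Heimdal code and not a diagnosis of the thread's problem; MIN_LIFE, CLOCK_SKEW, the scenario names and every timestamp are assumed values constructed for the example.

```python
"""Model of the KDC starttime/endtime decision behind KRB5KDC_ERR_NEVER_VALID.

Added example following RFC 4120 3.1.3 (AS-REQ) and 3.3.3 (TGS-REQ); it is
not the MIT or Heimdal implementation.  Policy values below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_LIFE = timedelta(minutes=5)    # "site-determined minimum lifetime" (assumed)
CLOCK_SKEW = timedelta(minutes=5)  # window in which a requested 'from' is ignored (assumed)


class KdcError(Exception):
    """Carries the KRB-ERROR code name a KDC would put in the reply."""

    def __init__(self, code: str, detail: str):
        super().__init__(f"{code}: {detail}")
        self.code = code


@dataclass(frozen=True)
class TicketTimes:
    starttime: datetime
    endtime: datetime

    @property
    def lifetime(self) -> timedelta:
        return self.endtime - self.starttime


def decide_ticket_times(
    kdc_now: datetime,
    requested_from: Optional[datetime],
    requested_till: Optional[datetime],
    max_life: timedelta,
    *,
    postdate: bool = False,
    issuing_tgt_endtime: Optional[datetime] = None,
) -> TicketTimes:
    """requested_till=None stands for till=0 on the wire ("as long as allowed").
    issuing_tgt_endtime is set for a TGS-REQ: the new ticket cannot outlive the
    TGT presented, which in a cross-realm request is the krbtgt/REMOTE@LOCAL
    ticket rather than the user's home-realm TGT."""
    # 3.1.3: an absent 'from', one in the past, or one inside the skew window
    # (without POSTDATE) all collapse to the KDC's own clock.
    if requested_from is None or (requested_from <= kdc_now + CLOCK_SKEW and not postdate):
        starttime = kdc_now
    elif postdate:
        starttime = requested_from
    else:
        raise KdcError("KRB5KDC_ERR_CANNOT_POSTDATE", "future starttime without POSTDATE")

    # 3.1.3 / 3.3.3: endtime is the earliest of the request, the policy cap,
    # and (TGS only) the expiry of the TGT the request was made with.
    candidates = [starttime + max_life]
    if requested_till is not None:
        candidates.append(requested_till)
    if issuing_tgt_endtime is not None:
        candidates.append(issuing_tgt_endtime)
    endtime = min(candidates)

    # This is the check whose error text appears in the ssh -vvv output.
    if endtime - starttime < MIN_LIFE:
        raise KdcError("KRB5KDC_ERR_NEVER_VALID",
                       f"effective lifetime {endtime - starttime} below {MIN_LIFE}")
    return TicketTimes(starttime, endtime)


def classify(**request) -> str:
    """Return the KRB-ERROR code name, or 'ISSUE' when the KDC would issue."""
    try:
        decide_ticket_times(**request)
        return "ISSUE"
    except KdcError as err:
        return err.code


# Constructed scenarios; the clock value is made up for the example.
T0 = datetime(2005, 2, 1, 10, 26, 35, tzinfo=timezone.utc)  # KDC clock
TEN_HOURS = timedelta(hours=10)


def scenarios() -> dict:
    user_tgt_end = T0 + timedelta(hours=8)
    return {
        # Forwarding a fresh TGT: till = the TGT's own endtime, plenty of life left.
        "fresh_tgt": classify(kdc_now=T0, requested_from=None, requested_till=user_tgt_end,
                              max_life=TEN_HOURS, issuing_tgt_endtime=user_tgt_end),
        # till=0: the KDC hands out the policy maximum.
        "till_zero": classify(kdc_now=T0, requested_from=None, requested_till=None,
                              max_life=TEN_HOURS),
        # Client asks for a till that is already in the KDC's past (negative lifetime).
        "till_in_past": classify(kdc_now=T0, requested_from=None,
                                 requested_till=T0 - timedelta(minutes=1), max_life=TEN_HOURS),
        # Home-realm TGT is fresh, but the cross-realm krbtgt ticket presented to the
        # remote KDC has two minutes left, so the clamped lifetime is "too short".
        "cross_realm_tgt_nearly_expired": classify(
            kdc_now=T0, requested_from=None, requested_till=user_tgt_end,
            max_life=TEN_HOURS, issuing_tgt_endtime=T0 + timedelta(minutes=2)),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:32s} -> {outcome}")
```

In the model the error has only two sources: a till that is at or before the starttime from the KDC's point of view (clock disagreement between client and KDC is the usual way to get there), or an endtime clamped by a TGT that is about to expire, which in a cross-realm chain means the krbtgt/BBB@AAA ticket rather than the user's own TGT. Those are the two things to compare when the message shows up: the clocks of the client and both KDCs, and the endtimes klist reports for the cross-realm ticket versus the TGT being forwarded.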
