Kerberos Ticket not renewed anymore after being forwarded.
vm@c4k3.space
Wed Oct 26 08:21:35 EDT 2016
Hi,
I hope I'm at the right place here for my issue.
This is the case:
On my MacBook (Mac OS X 10.11), I have a renewable Kerberos ticket:
---
macbook013:~ vm$ klist -v
Credentials cache: API:EF9959E6-85DF-446F-9B21-3CEEC606FA2D
Principal: vm@REALM.COM
Cache version: 0
Server: krbtgt/REALM.COM@REALM.COM
Client: vm@REALM.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 342
Auth time: Oct 26 13:55:09 2016
End time: Nov 25 12:55:05 2016
Renew till: Jan 26 12:55:05 2017
Ticket flags: enc-pa-rep, pre-authent, initial, renewable, proxiable,
forwardable
Addresses: addressless
---
If I do an ssh (GSSAPIAuthentication yes, GSSAPIDelegateCredentials yes)
to a Linux server, the ticket there is not renewable anymore:
---
macbook013:~ vm$ ssh linuxserver2
linuxserver2 ~ # klist -f
Ticket cache: FILE:/tmp/krb5cc_1379_BZVstF6000
Default principal: vm@REALM.COM
Valid starting     Expires            Service principal
10/26/16 14:00:30  11/25/16 12:55:05  krbtgt/REALM.COM@REALM.COM
        Flags: FfPAT
linuxserver2 ~ # krenew
krenew: error renewing credentials: KDC can't fulfill requested option
linuxserver2 ~ # kinit -R
kinit: KDC can't fulfill requested option while renewing credentials
---
If I do a kinit on linuxserver1 and get a renewable ticket there and ssh
to linuxserver2, the forwarded ticket stays renewable.
I guess it has something to do with the ssh-client on Mac OS X? (but
copying the ssh_config from linuxserver1 to the macbook does not solve
it. Copying the krb5.conf doesn't solve it either)
Or should I search for the cause in another direction?
Maybe I'm missing something obvious.
Thank you for thinking with me!
VM
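
An added triage example, not part of the original post: it puts the two flag displays quoted above (long names from `klist -v` on the Mac, letters from `klist -f` on the Linux server) on one vocabulary and reports what changed across the forward. The letter table follows the MIT klist documentation; long names for flags that do not appear in the post, and all function names, are assumptions.

```python
import re

# MIT "klist -f" letters -> long flag names as printed by "klist -v" on the Mac.
# Names for flags not shown in the post are assumed.
MIT_FLAGS = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "may-postdate", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hw-authent", "A": "pre-authent",
    "T": "transited-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}
COMPARABLE = set(MIT_FLAGS.values())  # flags both displays can express

def verbose_flags(klist_v: str) -> set:
    """Flags from a 'Ticket flags:' field, including wrapped continuation lines."""
    m = re.search(r"Ticket flags:(.*?)(?=^\S[^\n]*?:\s|\Z)", klist_v, re.S | re.M)
    return {f for f in re.split(r"[,\s]+", m.group(1)) if f} if m else set()

def letter_flags(klist_f: str) -> set:
    """Flags from a 'Flags: FfPAT' line; unknown letters are kept visible."""
    m = re.search(r"^\s*Flags:\s*(\S+)", klist_f, re.M)
    return {MIT_FLAGS.get(c, f"unknown({c})") for c in m.group(1)} if m else set()

def delegation_diff(origin: set, forwarded: set) -> dict:
    """Compare only flags both tools can show (enc-pa-rep has no letter here)."""
    o, f = origin & COMPARABLE, forwarded & COMPARABLE
    return {"lost": sorted(o - f), "gained": sorted(f - o)}

# Flag lines copied from the two outputs in the post.
MAC_KLIST_V = (
    "Ticket flags: enc-pa-rep, pre-authent, initial, renewable, proxiable,\n"
    "forwardable\n"
    "Addresses: addressless\n"
)
LINUX_KLIST_F = "krbtgt/REALM.COM@REALM.COM\n        Flags: FfPAT\n"

def report() -> dict:
    return delegation_diff(verbose_flags(MAC_KLIST_V), letter_flags(LINUX_KLIST_F))

if __name__ == "__main__":
    diff = report()
    # "initial" is always absent on a forwarded TGT (it did not come from an
    # AS exchange); "renewable" is the loss that makes kinit -R fail.
    print("lost:  ", ", ".join(diff["lost"]))
    print("gained:", ", ".join(diff["gained"]))
```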