Kerberos Ticket not renewed anymore after being forwarded.

vm@c4k3.space vm at c4k3.space
Thu Oct 27 07:37:40 EDT 2016


So much for my attempt to ask the community :-)
But I think I finally managed to find the explanation.
So in case someone else ever has the same problem, searches why and 
stumbles onto this page...

The kadmin protocol, which differs between the Heimdal implementation used 
in Mac OS and the MIT implementation on Linux, seems to be the culprit.

http://kerberos.996246.n3.nabble.com/Lion-problems-tc13877.html

|
| Mar 12, 2012; 9:52pm  Arthur Prokosch-2 Arthur Prokosch-2
| ...
| We've wandered into Heimdal territory here and should probably switch
| to [hidden email] or discussions.apple.com.  In the meantime:
| if anyone else has seen Mac OS 10.7 Heimdal tickets lose their
| Forwardable and Proxiable flags in the process of initiating GSSAPI
| ssh connections or has an explanation, I'd be quite interested to hear
| off-list.
|
| best,
| -arthur prokosch
| system administrator
| [1]MIT Computer Science and Artificial Intelligence Lab.
| ...


In the meantime I also tested it on macOS Sierra. The problem is still 
there.

I don't know if there is any solution though.

P.S. Can anybody confirm my hypothesis?



vm at c4k3.space wrote on 2016-10-26 14:21:
> Hi,
> 
> I hope I'm at the right place here for my issue.
> 
> This is the case:
> 
> 
> On my MacBook (Mac OS X 10.11), I have a renewable Kerberos ticket:
> 
> ---
> macbook013:~ vm$ klist -v
>   Credentials cache: API:EF9959E6-85DF-446F-9B21-3CEEC606FA2D
>           Principal: vm at REALM.COM
>       Cache version: 0
> 
>   Server: krbtgt/REALM.COM at REALM.COM
>   Client: vm at REALM.COM
>   Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
>   Ticket length: 342
>   Auth time:  Oct 26 13:55:09 2016
>   End time:   Nov 25 12:55:05 2016
>   Renew till: Jan 26 12:55:05 2017
>   Ticket flags: enc-pa-rep, pre-authent, initial, renewable, proxiable,
> forwardable
>   Addresses: addressless
> ---
> 
> If I ssh (GSSAPIAuthentication yes, GSSAPIDelegateCredentials yes)
> to a Linux server, the ticket there is no longer renewable:
> 
> ---
>   macbook013:~ vm$ ssh linuxserver2
>   linuxserver2 ~ # klist -f
>   Ticket cache: FILE:/tmp/krb5cc_1379_BZVstF6000
>   Default principal: vm at REALM.COM
> 
>   Valid starting     Expires            Service principal
>   10/26/16 14:00:30  11/25/16 12:55:05  krbtgt/REALM.COM at REALM.COM
>          Flags: FfPAT
>   linuxserver2 ~ # krenew
>   krenew: error renewing credentials: KDC can't fulfill requested 
> option
>   linuxserver2 ~ # kinit -R
>   kinit: KDC can't fulfill requested option while renewing credentials
> ---
> 
> If I do a kinit on linuxserver1, get a renewable ticket there and ssh
> to linuxserver2, the forwarded ticket stays renewable.
> 
> I guess it has something to do with the ssh client on Mac OS X? (But
> copying the ssh_config from linuxserver1 to the MacBook does not solve
> it, and copying the krb5.conf doesn't solve it either.)
> Or should I look for the cause in another direction?
> Maybe I'm missing something obvious.
> 
> 
> Thank you for thinking with me!
> 
> VM
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
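The two klist listings in the thread use different vocabularies for the same ticket flags: Heimdal's `klist -v` prints flag names in words, MIT's `klist -f` prints one letter per flag (the letter table below is the one from the MIT klist(1) man page). The following script is an added example, not code from the thread or from either Kerberos project: it parses both formats, compares the originating ticket with its forwarded copy, and reports which flags went missing, so a login script could notice a non-renewable forwarded TGT before relying on krenew. The sample outputs are constructed from the listings above; the Heimdal spellings used for letters that do not occur on this page (may-postdate, hw-authent, ok-as-delegate) are an assumption.

```python
import re

# MIT krb5 `klist -f` flag letters (klist(1) man page), mapped onto the
# Heimdal `klist -v` spelling of the same flag. Spellings for letters not
# seen in the thread (D, H, O, a, ...) are an assumption.
MIT_FLAG_LETTERS = {
    "F": "forwardable", "f": "forwarded",
    "P": "proxiable", "p": "proxy",
    "D": "may-postdate", "d": "postdated",
    "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hw-authent",
    "A": "pre-authent", "T": "transited-policy-checked",
    "O": "ok-as-delegate", "a": "anonymous",
}

# A forwarded TGT is by definition not the "initial" ticket obtained by
# kinit, so losing this flag on the remote host is normal.
EXPECTED_TO_DROP = {"initial"}

# Constructed sample input, copied from the two listings in the thread.
MAC_KLIST_V = """\
  Credentials cache: API:EF9959E6-85DF-446F-9B21-3CEEC606FA2D
          Principal: vm@REALM.COM
      Cache version: 0

  Server: krbtgt/REALM.COM@REALM.COM
  Client: vm@REALM.COM
  Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
  Ticket length: 342
  Auth time:  Oct 26 13:55:09 2016
  End time:   Nov 25 12:55:05 2016
  Renew till: Jan 26 12:55:05 2017
  Ticket flags: enc-pa-rep, pre-authent, initial, renewable, proxiable,
forwardable
  Addresses: addressless
"""

LINUX_KLIST_F = """\
Ticket cache: FILE:/tmp/krb5cc_1379_BZVstF6000
Default principal: vm@REALM.COM

Valid starting     Expires            Service principal
10/26/16 14:00:30  11/25/16 12:55:05  krbtgt/REALM.COM@REALM.COM
        Flags: FfPAT
"""


def parse_heimdal_flags(klist_v_output):
    """Flag names from the 'Ticket flags:' entry of Heimdal `klist -v`.
    The entry wraps onto following lines when it is long (as in the
    thread), so keep collecting until the next 'Key:' line starts."""
    collected, in_flags = [], False
    for line in klist_v_output.splitlines():
        if in_flags:
            if re.match(r"\s*[A-Za-z][^:]*:", line):
                break
            collected.append(line)
        elif "Ticket flags:" in line:
            collected.append(line.split("Ticket flags:", 1)[1])
            in_flags = True
    return {f.strip() for f in " ".join(collected).split(",") if f.strip()}


def parse_mit_flags(klist_f_output):
    """Flag names from the 'Flags:' line of MIT `klist -f`."""
    m = re.search(r"Flags:\s*([A-Za-z]*)", klist_f_output)
    if not m:
        raise ValueError("no 'Flags:' line found; was klist run with -f?")
    unknown = [c for c in m.group(1) if c not in MIT_FLAG_LETTERS]
    if unknown:
        raise ValueError(f"unknown klist flag letter(s): {unknown}")
    return {MIT_FLAG_LETTERS[c] for c in m.group(1)}


def forwarded_ticket_report(before, after):
    """Compare the originating ticket's flags with the forwarded copy.
    Flags MIT klist has no letter for (e.g. enc-pa-rep) cannot be
    observed on the MIT side and are left out of the comparison."""
    observable = set(MIT_FLAG_LETTERS.values())
    lost = (before & observable) - after
    return {
        "lost_unexpectedly": sorted(lost - EXPECTED_TO_DROP),
        "lost_as_expected": sorted(lost & EXPECTED_TO_DROP),
        "gained": sorted(after - before),
        "renewable_lost": "renewable" in lost,
    }


if __name__ == "__main__":
    report = forwarded_ticket_report(parse_heimdal_flags(MAC_KLIST_V),
                                     parse_mit_flags(LINUX_KLIST_F))
    for key, value in report.items():
        print(f"{key}: {value}")
    if report["renewable_lost"]:
        print("forwarded TGT is not renewable: krenew/kinit -R will fail")
```

On the listings from the thread the report shows `renewable` as the only unexpected loss (`initial` is dropped as expected, and `forwarded` plus `transited-policy-checked` are gained on the Linux side), which is exactly the condition behind the "KDC can't fulfill requested option" error from krenew and kinit -R.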
