Alexander Botero-Lowry
2006-Feb-13 04:46 UTC
heimdal and mit incompatibility when using GSSAPI
My college is kerberized, and so in many situations authentication is both faster and more secure using kerberos tickets. Sadly I have run into a problem. The Heimdal included in FreeBSD seems to be incompatible with my school's servers running MIT kerberos when authenticating over gssapi. For example ssh in verbose mode returns:

debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: A token was invalid
Unknown error: 0

when I try to connect to oberon. This same connection works fine on another machine with MIT krb5. Interestingly the tickets are issued even though the authentication fails:

[0:49] alex@Laptop: ~> klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: boterola@REED.EDU

  Issued           Expires          Principal
Feb 13 00:22:56  Feb 13 07:02:46  krbtgt/REED.EDU@REED.EDU
Feb 13 00:38:54  Feb 13 07:02:46  host/oberon.reed.edu@REED.EDU

I am also able to use GSSAPI in thunderbird (linux version with MIT krb5 libraries). Does anyone have any insight into how to get GSSAPI authentication to work betwixt the default Heimdal in FreeBSD and our MIT-running servers?

Alex
On Mon, 13 Feb 2006 00:53:41 -0800 Alexander Botero-Lowry wrote:

> My college is kerberized, and so in many situations authentication is both faster and more secure using kerberos tickets. Sadly I have run into a problem.
> The Heimdal included in FreeBSD seems to be incompatible with my school's servers running MIT kerberos when authenticating over gssapi.

Which version of FreeBSD and Heimdal are you using?

> For example ssh in verbose mode returns:
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: A token was invalid
> Unknown error: 0

man krb.conf may give some clue to heimdal kerberos to be more MIT-compatible.

> when I try to connect to oberon. This same connection works fine on another machine with MIT krb5.
> Interestingly the tickets are issued even though the authentication fails:
> [0:49] alex@Laptop: ~> klist
> Credentials cache: FILE:/tmp/krb5cc_1001
> Principal: boterola@REED.EDU
> Issued Expires Principal
> Feb 13 00:22:56 Feb 13 07:02:46 krbtgt/REED.EDU@REED.EDU
> Feb 13 00:38:54 Feb 13 07:02:46 host/oberon.reed.edu@REED.EDU

How and when did you get krbtgt? Did you use kinit? (man kinit may help a little)

> I am also able to use GSSAPI in thunderbird (linux version with MIT krb5 libraries).

Under Linux OS? I didn't find any linux-thunderbird at the ports tree.

> Does anyone have any insight into how to get GSSAPI authentication to work betwixt the default Heimdal in FreeBSD and our MIT-running servers?

Well, imo before using GSSAPI you may ensure that kerberos itself is working (i.e. what I've written above).

WBR
-- 
Boris B. Samorodov, Research Engineer
InPharmTech Co, http://www.ipt.ru
Telephone & Internet Service Provider
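As an added example, not from the thread and not code from either poster, the following Python script applies the advice in the reply (confirm that plain Kerberos works before blaming GSSAPI) to the output Alex quoted: it parses the Heimdal klist listing, checks that the cache holds a TGT and a host/ service ticket for the target, and classifies the GSSAPI lines from ssh -v. The sample inputs are copied from the thread and embedded as constructed data; the assumption that the host principal lives in the client's realm (host/<fqdn>@<REALM>), the expected-name strings and the ssh option set used for the verbose re-run are this example's own choices, not something the thread states.

```python
import re

# Constructed sample: the Heimdal klist output quoted in the thread.
KLIST_SAMPLE = """\
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: boterola@REED.EDU

  Issued           Expires          Principal
Feb 13 00:22:56  Feb 13 07:02:46  krbtgt/REED.EDU@REED.EDU
Feb 13 00:38:54  Feb 13 07:02:46  host/oberon.reed.edu@REED.EDU
"""

# Constructed sample: the ssh -v lines quoted in the thread.
SSH_SAMPLE = """\
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: A token was invalid
Unknown error: 0
"""

_STAMP = r"\w{3} +\d{1,2} +\d\d:\d\d:\d\d"          # e.g. "Feb 13 00:22:56"
TICKET_RE = re.compile(rf"^({_STAMP})\s+({_STAMP})\s+(\S+)$")
PRINCIPAL_RE = re.compile(r"^Principal:\s+(\S+)$")


def parse_klist(text):
    """Parse Heimdal klist output into (client principal, {service: (issued, expires)})."""
    principal = None
    tickets = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = PRINCIPAL_RE.match(line)
        if m:
            principal = m.group(1)
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets[m.group(3)] = (m.group(1), m.group(2))
    return principal, tickets


def check_cache(principal, tickets, host):
    """Return a list of problems with the cache for an ssh to `host` (empty = looks fine).

    Assumption (this example's, not the thread's): the host principal is in the
    client's own realm, host/<fqdn>@<REALM>; a [domain_realm] mapping to another
    realm would change the expected name."""
    if principal is None or "@" not in principal:
        return ["no client principal in the cache; run kinit first"]
    realm = principal.split("@", 1)[1]
    problems = []
    if f"krbtgt/{realm}@{realm}" not in tickets:
        problems.append(f"no TGT for {realm}; run kinit")
    svc = f"host/{host}@{realm}"
    if svc not in tickets:
        problems.append(f"no service ticket {svc} (ssh will have to fetch one)")
    return problems


def classify_ssh(text):
    """Classify the GSSAPI outcome in ssh -v output: ok, token-rejected,
    sent-no-verdict or no-gssapi-attempt."""
    sent = False
    for line in text.splitlines():
        if "Authentication succeeded (gssapi-with-mic)" in line:
            return "ok"
        if "we sent a gssapi-with-mic packet" in line:
            sent = True
        elif sent and "token was invalid" in line:
            return "token-rejected"
    return "sent-no-verdict" if sent else "no-gssapi-attempt"


def ssh_debug_command(user, host):
    """argv for a verbose re-run that forces the GSSAPI method (assumed option set)."""
    return ["ssh", "-vv", "-o", "GSSAPIAuthentication=yes",
            "-o", "PreferredAuthentications=gssapi-with-mic", f"{user}@{host}"]


def diagnose(klist_text, ssh_text, host):
    """Combine both checks into a one-line verdict."""
    principal, tickets = parse_klist(klist_text)
    problems = check_cache(principal, tickets, host)
    if problems:
        return "fix Kerberos first: " + "; ".join(problems)
    verdict = classify_ssh(ssh_text)
    if verdict == "token-rejected":
        return ("KDC issued the TGT and the host ticket, so ticket acquisition works; "
                "the server rejected the GSS token, so look at the GSS exchange "
                "between the Heimdal client and the MIT sshd, not at kinit")
    if verdict == "ok":
        return "GSSAPI authentication succeeded"
    return f"ssh output inconclusive ({verdict})"


if __name__ == "__main__":
    print(" ".join(ssh_debug_command("boterola", "oberon.reed.edu")))
    print(diagnose(KLIST_SAMPLE, SSH_SAMPLE, "oberon.reed.edu"))
```

On the thread's own data the script reports that both tickets are present and that the token was rejected by the server, which is the same conclusion the reply steers towards: the kinit side is fine, so the remaining suspect is the GSS exchange itself.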