[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
cross-realm difficulties
Hello,
Maybe somebody here is able to help me with my problem involving
Heimdal, MIT and openssh...
Currently we've got a mixed Kerberos 5 infrastructure in place - MIT
Kerberos5 + Windows AD stuff.
Usual stuff - user data on LDAP, password verification with Kerberos.
Our applications are relying on ticket-forwarding extensively, so
whatever we do, ticket forward has to work.
Now, as we're changing our Linux-platform to SuSe, we're going to
migrate to Heimdal. Unfortunately ;-) until
we're finished with migration, we've got to run both MIT and Heimdal
clients and kdc's - so I've got to implement
some kind of cross realm trust between our 3 Kerberos realms (MIT,
Heimdal, AD).
As a first step, i'd like to get cross-realm authentication to work for
openssh with gssapi.
What I've got:
MIT kdc and clients are version 1.3.4
Heimdal kdc and clients are 0.6.1rc3 as found in SuSe 9.0
I tried various versions of openssh, currently i've got
latest-and-greatest 3.9p1 with patches for #918 and #922 from bugzilla
on both MIT and Heimdal based computers.
Let's say I've got realms: AAA default on MIT based machines, BBB on
Heimdal ones.
What I've done:
1. Installed Heimdal kdc, created realm BBB and some principals for
users and involved hosts.
2. Battled pam on SuSe to obtain TGT on login, verified, that ticket
forward works within realm BBB.
3. Created principals for cross-realm authentication: krbtgt/AAA@BBB and
krbtgt/BBB@AAA on both MIT and Heimdal kdc's,
verified that kvno's, enctypes and passwords are all the same.
4. Verified, that both ssh_config contains options GSSAPIAuthentication
yes,GSSAPIDelegateCredentials yes ; sshd_config
has GSSAPIAuthentication yes.
5. Verified that I can do kgetcred krbtgt/AAA@BBB and krbtgt/BBB@AAA,
tgt for BBB@BBB is forwardable, others aren't.
Now, when I attempt ssh connection as priitr@AAA on 172.26.209.15 using
MIT to machine srv1.bbb which uses Heimdal, i got following debug
information:
...
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Miscellaneous failure
Requested effective lifetime is negative or too short ( -> Kerberos
error KRB5KDC_ERR_NEVER_VALID )
debug1: Trying to start again
.... and ssh prompts for a password.
MIT kdc (AAA) log says:
Feb 1 10:25:39 src@kdc2 krb5kdc[20593]: AS_REQ (7 etypes {18 17 16 23 1
3 2}) 172.26.209.15: ISSUE: authtime 1107246339,
etypes {rep=1 tkt=1 ses=1}, priitr@AAA for krbtgt/AAA@AAA
Feb 1 10:26:35 src@kdc2 krb5kdc[20593]: TGS_REQ (7 etypes {18 17 16 23
1 3 2}) 172.26.209.15: ISSUE: authtime 1107246339, etypes {rep=1 tkt=1
ses=1}, priitr@AAA for krbtgt/BBB@AAA
Feb 1 10:26:35 src@kdc2 krb5kdc[20593]: TGS_REQ (7 etypes {18 17 16 23
1 3 2}) 172.26.209.15: ISSUE: authtime 1107246339, etypes {rep=1 tkt=1
ses=1}, priitr@AAA for krbtgt/BBB@AAA
Heimdal kdc (BBB) logs says:
TGS-REQ priitr@AAA from IPv4:172.26.209.15 for host/srv1.bbb@BBB
[renewable, forwardable]
Client not found in database: priitr@AAA: No such entry in the database
cross-realm AAA -> BBB
sending 131 bytes to IPv4:172.26.209.15
krb5.conf has both realms described on all involved computers and ticket
forward works for AAA->AAA and BBB->BBB.
Where should I look next? Anything? Kindly please ... :-).
Priit