
cross-realm difficulties

Hello,

Maybe somebody here is able to help me with my problem involving
Heimdal, MIT and OpenSSH...
Currently we've got a mixed Kerberos 5 infrastructure in place - MIT
Kerberos 5 + Windows AD stuff.
Usual stuff - user data in LDAP, password verification with Kerberos.
Our applications rely on ticket forwarding extensively, so
whatever we do, ticket forwarding has to work.
Now, as we're changing our Linux platform to SuSE, we're going to
migrate to Heimdal. Unfortunately ;-) until
we're finished with the migration, we've got to run both MIT and Heimdal
clients and KDCs - so I've got to implement
some kind of cross-realm trust between our 3 Kerberos realms (MIT,
Heimdal, AD).
As a first step, I'd like to get cross-realm authentication to work for
OpenSSH with GSSAPI.

What I've got:
MIT KDC and clients are version 1.3.4.
Heimdal KDC and clients are 0.6.1rc3 as found in SuSE 9.0.
I tried various versions of OpenSSH; currently I've got the
latest-and-greatest 3.9p1 with patches for #918 and #922 from Bugzilla
on both MIT- and Heimdal-based computers.
Let's say I've got realms: AAA, the default on MIT-based machines, and BBB on
Heimdal ones.

What I've done:
1. Installed the Heimdal KDC, created realm BBB and some principals for
users and the involved hosts.
2. Battled PAM on SuSE to obtain a TGT on login; verified that ticket
forwarding works within realm BBB.
3. Created principals for cross-realm authentication: krbtgt/AAA@BBB and
krbtgt/BBB@AAA on both the MIT and Heimdal KDCs;
   verified that kvnos, enctypes and passwords are all the same.
4. Verified that ssh_config contains the options GSSAPIAuthentication
yes, GSSAPIDelegateCredentials yes; sshd_config
   has GSSAPIAuthentication yes.
5. Verified that I can do kgetcred krbtgt/AAA@BBB and krbtgt/BBB@AAA;
the TGT for BBB@BBB is forwardable, the others aren't.

Now, when I attempt an ssh connection as priitr@AAA on 172.26.209.15 using
MIT to machine srv1.bbb, which uses Heimdal, I get the following debug
information:
...
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Miscellaneous failure
Requested effective lifetime is negative or too short      ( -> Kerberos error KRB5KDC_ERR_NEVER_VALID )
debug1: Trying to start again
.... and ssh prompts for a password.

MIT KDC (AAA) log says:
Feb  1 10:25:39 src@kdc2 krb5kdc[20593]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.26.209.15: ISSUE: authtime 1107246339, etypes {rep=1 tkt=1 ses=1}, priitr@AAA for krbtgt/AAA@AAA
Feb  1 10:26:35 src@kdc2 krb5kdc[20593]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.26.209.15: ISSUE: authtime 1107246339, etypes {rep=1 tkt=1 ses=1}, priitr@AAA for krbtgt/BBB@AAA
Feb  1 10:26:35 src@kdc2 krb5kdc[20593]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.26.209.15: ISSUE: authtime 1107246339, etypes {rep=1 tkt=1 ses=1}, priitr@AAA for krbtgt/BBB@AAA

Heimdal KDC (BBB) log says:
TGS-REQ priitr@AAA from IPv4:172.26.209.15 for host/srv1.bbb@BBB [renewable, forwardable]
Client not found in database: priitr@AAA: No such entry in the database
cross-realm AAA -> BBB
sending 131 bytes to IPv4:172.26.209.15

krb5.conf has both realms described on all involved computers, and ticket
forwarding works for AAA->AAA and BBB->BBB.

Where should I look next? Anything? Kindly please ... :-).

Priit
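For readers following the setup above, here is an added example of a krb5.conf that describes both realms and spells out the direct cross-realm path between them. It is not from the original post and not a confirmed fix for the problem described; only the realm names AAA and BBB and the host srv1.bbb come from the post. The KDC hostnames (kdc.aaa, kdc.bbb), the ".aaa" DNS domain, the admin_server entries and the use of the same file on both the MIT and the Heimdal side are assumptions for illustration.

```ini
; Added example, not part of the original post.
; Hostnames kdc.aaa / kdc.bbb, the ".aaa" domain and the admin_server
; lines are assumptions; AAA, BBB and srv1.bbb come from the post.

[libdefaults]
    ; AAA on the MIT-based machines; BBB on the Heimdal-based ones.
    default_realm = AAA
    ; Credential delegation needs a forwardable TGT.
    forwardable = true
    ; Use the explicit [realms] section rather than DNS SRV lookups.
    dns_lookup_kdc = false

[realms]
    AAA = {
        kdc = kdc.aaa:88
        admin_server = kdc.aaa:749
    }
    BBB = {
        kdc = kdc.bbb:88
        admin_server = kdc.bbb:749
    }

; Maps host names such as srv1.bbb to the realm BBB.
[domain_realm]
    .aaa = AAA
    aaa = AAA
    .bbb = BBB
    bbb = BBB

; Direct trust in both directions: "." means no intermediate realm,
; i.e. a client in AAA goes straight from krbtgt/AAA@AAA to
; krbtgt/BBB@AAA, and vice versa.
[capaths]
    AAA = {
        BBB = .
    }
    BBB = {
        AAA = .
    }
```

The "." notation in [capaths] is MIT's way of saying there is no hop in between; whether a given Heimdal release reads the section the same way is an assumption here and should be checked against its krb5.conf man page. The post's own check still applies afterwards: kgetcred krbtgt/BBB@AAA from an AAA TGT should succeed, and klist -f (MIT) or klist -v (Heimdal) shows whether the resulting cross-realm ticket carries the forwardable flag that delegation requires.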