Re: cross-realm difficulties
Love wrote:
>Priit Randla <priit.randla@eyp.ee> writes:
>
>>Heimdal kdc (BBB) logs says:
>>TGS-REQ priitr@AAA from IPv4:172.26.209.15 for host/srv1.bbb@BBB
>>[renewable, forwardable]
>>Client not found in database: priitr@AAA: No such entry in the database
>>cross-realm AAA -> BBB
>>sending 131 bytes to IPv4:172.26.209.15
>>
>>krb5.conf has both realms described on all involved computers and
>>ticket forward works for AAA->AAA and BBB->BBB.
>>
>>Where should I look next? Anything? Kindly please ... :-).
>
>You should check the time on the BBB kdc, and the ticket lifetime on the
>krbtgt/BBB@AAA in the BBB realm.
Time is the same on both the AAA and BBB KDCs - all servers and
workstations are using NTP to maintain their clocks. And I verified it too ;-).
>Its easier to check with kvno (MIT kerberos) or kgetcred (Heimdal) to
>verify that the cross realm auth works.
>
>Ie, with AAA credentials, type "kgetcred host/computer@BBB".
I can get host/ principals for both realms on both realms without
problems. ssh even does it for me:
priitr@srv1:~> klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: priitr@BBB
Valid starting     Expires            Service principal
02/14/05 12:08:37  02/15/05 12:08:33  krbtgt/BBB@BBB
02/14/05 12:08:58  02/15/05 12:08:33  krbtgt/AAA@BBB
02/14/05 12:08:59  02/15/05 02:08:59  host/priitrandla2.aaa@AAA
02/14/05 12:10:11  02/15/05 02:10:11  host/testhost1.aaa@AAA
Thanks to Douglas E. Engert's help (he turned my attention to
auth_to_local), I managed to get at least something working.
Now, using the latest OpenSSH 3.9p1 on both machines, I can:
1. ssh server is (using) MIT 1.3.6 (libs), ssh client is (using) Heimdal
0.6.1rc3 (libs) (SuSE SLES), KDC for AAA is MIT 1.3.6, KDC for BBB is
MIT 1.3.6 or MIT 1.4 or Heimdal 0.6.1rc3
Cross-realm works if the server program is using MIT's libs. Both ssh
and telnet allow me to automatically log in and the TGT gets forwarded. This
is good and expected behavior.
2. ssh client is MIT 1.3.6 (libs), ssh server is Heimdal 0.6.1rc3 (SuSE
SLES), KDC for AAA is MIT 1.3.6, KDC for BBB is MIT 1.3.6 or MIT 1.4
Neither ssh nor telnet will allow login using the TGT obtained from the
other realm.
Client says:
ssh -vvvvvvvvvvv srv1.bbb
debug2: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue:
publickey,gssapi-with-mic,gssapi,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,gssapi,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactiva,password
Server says:
debug3: mm_request_receive entering
debug3: monitor_read: checking request 39
debug1: Received some client credentials
debug3: mm_request_send entering: type 40
debug3: mm_request_receive entering
debug3: monitor_read: checking request 43
debug3: mm_request_send entering: type 44
debug3: mm_request_receive entering
debug3: monitor_read: checking request 41
debug3: mm_answer_gss_userok: sending result 0
debug3: mm_request_send entering: type 42
Failed gssapi-with-mic for priitr from ::ffff:172.26.209.15 port 44702 ssh2
No idea here.
3. ssh client is MIT 1.3.6 (libs), ssh server is Heimdal 0.6.1rc3 (SuSE
SLES), KDC is Heimdal 0.6.1rc3
Trying to do 'kvno host/srv1.bbb@BBB' using the priitr@AAA TGT, I get the
already familiar message:
host/srv1.bbb@BBB: Requested effective lifetime is negative or too short
while getting credentials
KDC log for BBB says:
TGS-REQ priitr@AAA from IPv4:172.26.209.15 for host/srv1.bbb@BBB
[renewable, forwardable]
Client not found in database: priitr@EYP.EE: No such entry in the database
cross-realm EYP.EE -> SEB.EE
sending 131 bytes to IPv4:172.26.209.15
When I do 'kvno host/srv1.bbb@BBB' using the priitr@BBB TGT, I do get the
required principal:
host/srv1.bbb: kvno = 1
Principal info from kadmin:
Principal: host/srv1.bbb@BBB
Principal expires: never
Password expires: never
Last password change: never
Max ticket life: 1 day
Max renewable life: 1 week
Kvno: 1
Mkvno: 0
Policy: none
Last successful login: never
Last failed login: never
Failed login count: 0
Last modified: 2005-01-25 14:17:27 UTC
Modifier: kadmin/admin@BBB
Attributes:
Keytypes(salttype[(salt-value)]): des-cbc-crc(pw-salt),
des-cbc-md4(pw-salt), des-cbc-md5(pw-salt), des3-cbc-sha1(pw-salt)
Any ideas where to look next?
Regards,
Priit
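A small triage helper, added here as an example and not part of the thread or of the Heimdal project: it regroups the multi-line Heimdal KDC output quoted above into one record per TGS-REQ and surfaces the cross-realm requests that ended in an error, which is the pattern a KDC operator wants to see first when a trust or clock problem starts. The sample log is constructed from the lines in this post plus one successful request; the grouping rule (a request runs from the 'TGS-REQ' line to the 'sending N bytes' line) is an assumption about this log format.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the Heimdal 0.6.x KDC lines quoted in the thread,
# plus one successful request so both outcomes appear.
SAMPLE_LOG = """\
TGS-REQ priitr@AAA from IPv4:172.26.209.15 for host/srv1.bbb@BBB
[renewable, forwardable]
Client not found in database: priitr@AAA: No such entry in the database
cross-realm AAA -> BBB
sending 131 bytes to IPv4:172.26.209.15
TGS-REQ priitr@BBB from IPv4:172.26.209.15 for host/srv1.bbb@BBB
[renewable, forwardable]
sending 512 bytes to IPv4:172.26.209.15
"""

TGS_RE = re.compile(r"^TGS-REQ (?P<client>\S+) from (?P<addr>\S+) for (?P<service>\S+)$")
XREALM_RE = re.compile(r"^cross-realm (?P<src>\S+) -> (?P<dst>\S+)$")
FLAGS_RE = re.compile(r"^\[(?P<flags>.*)\]$")

@dataclass
class TgsRequest:
    client: str
    addr: str
    service: str
    flags: list = field(default_factory=list)
    cross_realm: Optional[tuple] = None  # (client realm, issuing realm) if logged
    error: Optional[str] = None          # any line that is not a known status line

def parse_kdc_log(text: str) -> list:
    """Group the per-request lines into TgsRequest records (assumed format:
    a request starts at 'TGS-REQ ...' and ends at 'sending N bytes ...')."""
    requests, cur = [], None
    for line in text.splitlines():
        if (m := TGS_RE.match(line)):
            cur = TgsRequest(m["client"], m["addr"], m["service"])
            requests.append(cur)
        elif cur is None:
            continue  # line outside any request
        elif (m := FLAGS_RE.match(line)):
            cur.flags = [f.strip() for f in m["flags"].split(",") if f.strip()]
        elif (m := XREALM_RE.match(line)):
            cur.cross_realm = (m["src"], m["dst"])
        elif line.startswith("sending "):
            cur = None  # reply went out: record complete
        else:
            cur.error = line  # e.g. 'Client not found in database: ...'
    return requests

def cross_realm_failures(requests: list) -> list:
    """Requests whose client realm differs from the service realm and that hit an error."""
    return [r for r in requests
            if r.error and r.client.rpartition("@")[2] != r.service.rpartition("@")[2]]
```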