
Kerberos Ticket not renewed anymore after being forwarded.


v...@c4k3.space

Oct 26, 2016, 8:21:41 AM
to kerb...@mit.edu
Hi,

I hope I'm at the right place here for my issue.

This is the case:


On my macbook (Mac OS X 10.11), I have a renewable Kerberos-ticket:

---
macbook013:~ vm$ klist -v
Credentials cache: API:EF9959E6-85DF-446F-9B21-3CEEC606FA2D
Principal: v...@REALM.COM
Cache version: 0

Server: krbtgt/REAL...@REALM.COM
Client: v...@REALM.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 342
Auth time: Oct 26 13:55:09 2016
End time: Nov 25 12:55:05 2016
Renew till: Jan 26 12:55:05 2017
Ticket flags: enc-pa-rep, pre-authent, initial, renewable, proxiable, forwardable
Addresses: addressless
---

If I do an ssh (GSSAPIAuthentication yes, GSSAPIDelegateCredentials yes)
to a Linux server, the ticket there is not renewable anymore:

---
macbook013:~ vm$ ssh linuxserver2
linuxserver2 ~ # klist -f
Ticket cache: FILE:/tmp/krb5cc_1379_BZVstF6000
Default principal: v...@REALM.COM

Valid starting     Expires            Service principal
10/26/16 14:00:30  11/25/16 12:55:05  krbtgt/REAL...@REALM.COM
Flags: FfPAT
linuxserver2 ~ # krenew
krenew: error renewing credentials: KDC can't fulfill requested option
linuxserver2 ~ # kinit -R
kinit: KDC can't fulfill requested option while renewing credentials
---

If I do a kinit on linuxserver1 and get a renewable ticket there and ssh
to linuxserver2, the forwarded ticket stays renewable.

I guess it has something to do with the ssh-client on Mac OS X? (but
copying the ssh_config from linuxserver1 to the macbook does not solve
it. Copying the krb5.conf doesn't solve it either)
Or should I search the cause in another direction?
Maybe I'm missing something obvious.


Thank you for thinking with me!

VM
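
As an added example (not part of the thread), a small Python diagnostic that reads either Heimdal `klist -v` or MIT `klist -f` output, normalises the ticket flags to one vocabulary, and reports why `kinit -R` fails on the forwarded cache. The two sample listings are constructed from the outputs quoted above, and the MIT single-letter flags follow the krb5 `klist` man page.

```python
# MIT `klist -f` single-letter flags (from the krb5 klist man page), mapped to
# the words Heimdal's `klist -v` prints, so both outputs compare the same way.
MIT_FLAGS = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hardware-authenticated", "A": "pre-authent",
    "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}

# Constructed samples, taken from the two hosts quoted in the thread. The
# Heimdal flags line is wrapped onto a second line, as it was in the e-mail.
HEIMDAL_KLIST_V = """\
Principal: v...@REALM.COM
Server: krbtgt/REAL...@REALM.COM
Ticket flags: enc-pa-rep, pre-authent, initial, renewable, proxiable,
forwardable
"""
MIT_KLIST_F = """\
Default principal: v...@REALM.COM
Valid starting     Expires            Service principal
10/26/16 14:00:30  11/25/16 12:55:05  krbtgt/REAL...@REALM.COM
\tFlags: FfPAT
"""

def ticket_flags(klist_output):
    """Return the TGT's flags as a set of Heimdal-style words, from either format."""
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        text = line.strip()
        if text.startswith("Ticket flags:"):          # Heimdal: comma-separated words
            words = text[len("Ticket flags:"):]
            if words.rstrip().endswith(",") and i + 1 < len(lines):
                words += lines[i + 1]                 # rejoin a line wrapped by mail
            return {w.strip() for w in words.split(",") if w.strip()}
        if text.startswith("Flags:"):                 # MIT: one letter per flag
            letters = text[len("Flags:"):].strip()
            return {MIT_FLAGS[c] for c in letters if c in MIT_FLAGS}
    raise ValueError("no ticket flags line found in klist output")

def diagnose(klist_output):
    flags = ticket_flags(klist_output)
    if "renewable" in flags:
        return "renewable: kinit -R / krenew can extend this ticket"
    if "forwarded" in flags:
        return ("not renewable: the forwarded copy has no R flag, so kinit -R "
                "fails with 'KDC can't fulfill requested option'")
    return "not renewable: the initial TGT was not requested renewable"
```

Running `diagnose` on the two caches shows the asymmetry the thread describes: the Heimdal TGT on the Mac carries `renewable`, while the forwarded copy on the Linux host only carries `FfPAT`.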

v...@c4k3.space

Oct 27, 2016, 7:37:48 AM
to kerb...@mit.edu

So much for my attempt to ask the community :-)
But I think I finally managed to find the explanation.
So in case someone else ever has the same problem, searches why and
stumbles onto this page...

The kadmin protocol, which differs between the Heimdal implementation used
in Mac OS and the MIT implementation on Linux, seems to be the culprit.

http://kerberos.996246.n3.nabble.com/Lion-problems-tc13877.html

|
| Mar 12, 2012; 9:52pm Arthur Prokosch-2
| ...
| We've wandered into Heimdal territory here and should probably switch
| to [hidden email] or discussions.apple.com. In the meantime:
| if anyone else has seen Mac OS 10.7 Heimdal tickets lose their
| Forwardable and Proxiable flags in the process of initiating GSSAPI
| ssh connections or has an explanation, I'd be quite interested to hear
| off-list.
|
| best,
| -arthur prokosch
| system administrator
| MIT Computer Science and Artificial Intelligence Lab.
| ...


In the meantime I also tested it on MacOS Sierra. Problem is still
there.

I don't know if there is any solution though.

P.S. Can anybody confirm my hypothesis?



v...@c4k3.space wrote on 2016-10-26 14:21:
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

Simo Sorce

Oct 27, 2016, 9:13:47 AM
to v...@c4k3.space, kerb...@mit.edu
kadmin is not involved with ticket renewal or delegation.
More likely the Mac OS X GSSAPI implementation requests a forwardable TGT that
is not renewable and then forwards that one to the remote server.
It is not a bad idea to limit forwarded tickets that way.

Simo.
--
Simo Sorce * Red Hat, Inc * New York
