[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: MIT-Heimdal interop issues

To: Heimdal list <heimdal-discuss@sics.se>
Subject: Re: MIT-Heimdal interop issues
From: Kevin Coffman <kwc@citi.umich.edu>
Date: Fri, 23 Jul 2004 14:06:29 -0400
Cc: Kerberos List <kerberos@mit.edu>, Kevin Coffman <kwc@citi.umich.edu>
In-reply-to: Your message of "Tue, 23 Mar 2004 17:42:09 CST." <75333DD5963159499F497735AC2A3FC301750193@exchange.uta.edu>
Sender: owner-heimdal-discuss@sics.se

I'm seeing a similar problem as reported below testing a heimdal client 
with nfsv4.  I'm always getting a des-cbc-md4 session key which our 
kernel code doesn't like.  Should these settings in /etc/krb5.conf (on 
the client machine only) limit the enctypes requested in the TGS 
request?  (This is using gssapi, heimdal client, MIT server, MIT 1.3.4 
KDC)

 default_etypes = des-cbc-crc
 default_etypes_des = des-cbc-crc
 default_tkt_enctypes = des-cbc-crc 
 default_tgs_enctypes = des-cbc-crc

The nfs server's keytab has only a des key.  The AS request has only 
one enctype (des-cbc-crc), but the TGS request has six enctypes and the 
session key always winds up being des-cbc-md4.

[kwc@rock gssapi]$ /usr/heimdal/bin/klist -v
Credentials cache: FILE:/tmp/krb5cc_20010_Y8C6kf
        Principal: kwc@CITI.UMICH.EDU
    Cache version: 4

Server: krbtgt/CITI.UMICH.EDU@CITI.UMICH.EDU
Ticket etype: des3-cbc-sha1, kvno 56
Session key: des
Auth time:  Jul 23 12:27:56 2004
End time:   Jul 27 16:27:56 2004
Renew till: Jul 30 12:27:56 2004
Ticket flags: renewable, initial
Addresses: IPv4:141.211.133.90

Server: nfs/screamer.citi.umich.edu@CITI.UMICH.EDU
Ticket etype: des-cbc-crc, kvno 4
Session key: des-cbc-md4
Auth time:  Jul 23 12:27:56 2004
Start time: Jul 23 12:28:09 2004
End time:   Jul 27 16:27:56 2004
Ticket flags: transited-policy-checked
Addresses: IPv4:141.211.133.90

[kwc@rock gssapi]$

Jul 23 13:11:19 AS_REQ (1 etypes {1}) 141.211.133.90: ISSUE: authtime 
1090602679, etypes {rep=1 tkt=16 ses=1}, kwc@CITI.UMICH.EDU for 
krbtgt/CITI.UMICH.EDU@CITI.UMICH.EDU
Jul 23 13:11:25 TGS_REQ (6 etypes {16 5 23 3 2 1}) 141.211.133.90: 
ISSUE: authtime 1090602679, etypes {rep=1 tkt=1 ses=2}, 
kwc@CITI.UMICH.EDU for nfs/screamer.citi.umich.edu@CITI.UMICH.EDU

Any suggestions?



> The klist (Heimdal) on the client shows:
> 
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: digant@KERB.UTA.EDU
>     Cache version: 4
>  
> Server: krbtgt/KERB.UTA.EDU@KERB.UTA.EDU
> Ticket etype: des-cbc-crc, kvno 1
> Session key: des-cbc-md4
> Auth time:  Mar 23 17:42:20 2004
> End time:   Mar 24 00:20:45 2004
> Ticket flags: initial
> Addresses: IPv4:129.107.56.202
>  
> Server: ldap/omicron.kerb.uta.edu@KERB.UTA.EDU
> Ticket etype: des-cbc-crc, kvno 3
> Session key: des-cbc-md4
> Auth time:  Mar 23 17:42:20 2004
> Start time: Mar 23 17:42:36 2004
> End time:   Mar 24 00:20:45 2004
> Ticket flags: transited-policy-checked
> Addresses: IPv4:129.107.56.202
> 
> 
> 
> 
> And the krb5kdc.log on the server (MIT Kerberos) shows:
> 
> Mar 23 17:42:36 labrador.uta.edu krb5kdc[11571](info): TGS_REQ (6 etypes {16
> 5 23 3 2 1}) 129.107.56.202: ISSUE: authtime 1080085340, etypes {rep=2 tkt=1
> ses=2}, digant@KERB.UTA.EDU for ldap/omicron.kerb.uta.edu@KERB.UTA.EDU
> 
> 
> 
> -----Original Message-----
> From: Sam Hartman
> To: Digant Kasundra
> Cc: ''kerberos@mit.edu' '
> Sent: 3/23/2004 5:22 PM
> Subject: Re: MIT-Heimdal interop issues
> 
> >>>>> "Digant" == Digant Kasundra <digant@uta.edu> writes:
> 
>     Digant> Well, for some reason, I'm not getting good results.
>     Digant> getting a ticket with kinit on the heimdal side works
>     Digant> great if I specify a password.  But when using a keytab,
>     Digant> it will only work if I tell it manually what encryption
>     Digant> type to use, even though ktutil identifies the enc type
>     Digant> correctly when listing the keys in that keytab.
> 
> This doesn't completely surprise me if your KDC requires
> preauthentication.  If so, it is a Heimdal bug.  MIT has the same bug
> though; it is easy to make.
> 
>     Digant> I think this is the major contributor to my gssapi bind
>     Digant> failing on openldap.
> 
> However the need to specify the enctype for kinit should not affect
> use for GSSAPI bind on the server side doing a gss_accept_sec_context.
> 
> I'd look in your MIT KDC log and make sure the enctype for the ticket
> that is issued (tkt in the log line for the tgs_req) is something that
> is in your keytab.
> 
> Perhaps posting klist -5 -e output from your client with an ldap
> ticket and posting the appropriate ktutil output to show the enctypes
> would be enlightening.
> 
> --Sam
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

Follow-Ups:
- Re: MIT-Heimdal interop issues
  - From: Kevin Coffman <kwc@citi.umich.edu>

Prev by Date: Heimdal repository on samba.org
Next by Date: Re: MIT-Heimdal interop issues
Prev by thread: Re: Heimdal repository on samba.org
Next by thread: Re: MIT-Heimdal interop issues
Index(es):
- Date
- Thread