
Mixing heimdal and MIT clients.

Q for the list:

If I'm using heimdal to obtain the TGT, should another client linked against MIT be able to read the ccache and fetch a service ticket?  I ask because from what I've read I think it should, but for the life of me I can't get it to work.

Scenario:  logins with pam_krb5 (linked against heimdal-1.0.1) and an AD KDC.  Clients (Firefox and smbclient, frex) linked against MIT 1.6.

I can work around Firefox by setting network.negotiate-auth.gsslib to heimdal's libgssapi, after which integrated auth works just fine in Firefox.  But fixing smbclient this way would mean forking a distribution package, linking against heimdal, and pinning it--*or* mucking about with symlinks--neither of which I'd like to do.

I've traced smbclient and I can see it opening the ccache correctly, but it fails to note the TGT I have.  The specific error in both Firefox and smbclient is KRB5_NO_TKT_IN_RLM:

(After a pam_krb5 login)
user@xubuntu:~$ klist
Credentials cache: FILE:/tmp/krb5cc_10020
         Principal: user@TEST.DOMAIN.LOCAL

   Issued           Expires          Principal
Jan 14 14:13:26  Jan 14 20:53:26  krbtgt/TEST.DOMAIN.LOCAL@TEST.DOMAIN.LOCAL

user@xubuntu:~$ smbclient -k //testdc.test.domain.local/xfer
ads_krb5_mk_req: krb5_get_credentials failed for testdc$@TEST.DOMAIN.LOCAL (Cannot find ticket for requested realm)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot find ticket for requested realm
session setup failed: SUCCESS - 0

Clearly I'm wrong about something.  Any help would be appreciated.

-- Tim