
Re: Mixing heimdal and MIT clients.

--On Monday, 14 Jan 2008 14.49.22 -0600 "Timothy J. Miller"
<tmiller@mitre.org> wrote:

> Q for the list:
> If I'm using heimdal to obtain the TGT, should another client linked
> against MIT be able to read the ccache and fetch a service ticket?  I ask
> because from what I've read I think it should, but for the life of me I
> can't get it to work.

It works here. OS X, first klist invocation is MIT, second is Heimdal: 

rasmus:~ mansaxel$ /usr/bin/klist 
Kerberos 5 ticket cache: 'API:0'
Default principal: mansaxel@KTHNOC.NET

Valid Starting     Expires            Service Principal
01/15/08 06:23:54  01/15/08 16:23:14  krbtgt/KTHNOC.NET@KTHNOC.NET
01/15/08 06:24:01  01/15/08 16:23:14  krbtgt/BESSERWISSER.ORG@KTHNOC.NET
01/15/08 06:24:07  01/15/08 16:23:14  afs@BESSERWISSER.ORG
01/15/08 06:24:11  01/15/08 16:23:14  host/bardisk.kthnoc.net@KTHNOC.NET

klist: No Kerberos 4 tickets in credentials cache
rasmus:~ mansaxel$ /usr/heimdal/bin/klist 
Credentials cache: API:0
        Principal: mansaxel@KTHNOC.NET

  Issued           Expires          Principal
Jan 15 06:23:54  Jan 15 16:23:14  krbtgt/KTHNOC.NET@KTHNOC.NET
Jan 15 06:24:01  Jan 15 16:23:14  krbtgt/BESSERWISSER.ORG@KTHNOC.NET
Jan 15 06:24:07  Jan 15 16:23:14  afs@BESSERWISSER.ORG
Jan 15 06:24:11  Jan 15 16:23:14  host/bardisk.kthnoc.net@KTHNOC.NET
rasmus:~ mansaxel$ 

> Scenario:  logins with pam_krb5 (linked against heimdal-1.0.1) and an AD
> KDC.  Clients (Firefox and smbclient, frex) linked against MIT 1.6.

Do simpler things like the klist above work? Do the enctypes match; can all
involved use all enctypes? Do you have logs from the kdc? Can you see
whether the client tries to talk to the kdc? 

Questions, questions. Maybe one of them gets you thinking... 

Måns Nilsson                     Systems Specialist
+46 70 681 7204   cell                       KTHNOC
+46 8 790 6518  office                  MN1334-RIPE

On the road, ZIPPY is a pinhead without a purpose, but never without a

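Added example, not part of the original message: a small Python check that parses both klist output styles shown above and reports any ticket one implementation lists that the other does not. The function names, the `year` parameter (Heimdal's listing prints no year) and the embedded sample text, which is constructed from the listings in the message, are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample input: the two listings quoted in the message above.
MIT_KLIST = """\
Kerberos 5 ticket cache: 'API:0'
Default principal: mansaxel@KTHNOC.NET
Valid Starting     Expires            Service Principal
01/15/08 06:23:54  01/15/08 16:23:14  krbtgt/KTHNOC.NET@KTHNOC.NET
01/15/08 06:24:01  01/15/08 16:23:14  krbtgt/BESSERWISSER.ORG@KTHNOC.NET
01/15/08 06:24:07  01/15/08 16:23:14  afs@BESSERWISSER.ORG
01/15/08 06:24:11  01/15/08 16:23:14  host/bardisk.kthnoc.net@KTHNOC.NET
"""
HEIMDAL_KLIST = """\
Credentials cache: API:0
        Principal: mansaxel@KTHNOC.NET
  Issued           Expires          Principal
Jan 15 06:23:54  Jan 15 16:23:14  krbtgt/KTHNOC.NET@KTHNOC.NET
Jan 15 06:24:01  Jan 15 16:23:14  krbtgt/BESSERWISSER.ORG@KTHNOC.NET
Jan 15 06:24:07  Jan 15 16:23:14  afs@BESSERWISSER.ORG
Jan 15 06:24:11  Jan 15 16:23:14  host/bardisk.kthnoc.net@KTHNOC.NET
"""

PRINC = re.compile(r"^\s*(?:Default principal|Principal):\s*(\S+)", re.M)
# (timestamp regex, strptime format) for each output style
STYLES = [(r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d", "%m/%d/%y %H:%M:%S"),      # MIT
          (r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d", "%Y %b %d %H:%M:%S")]  # Heimdal

def parse_klist(text, year=2008):
    """Return (default principal, set of (service, issued, expires))."""
    tickets = set()
    for ts, fmt in STYLES:
        # Heimdal rows carry no year; supply one so leap days still parse.
        pre = f"{year} " if fmt.startswith("%Y") else ""
        for a, b, svc in re.findall(rf"^({ts})\s+({ts})\s+(\S+)\s*$", text, re.M):
            norm = [datetime.strptime(pre + s, fmt).strftime("%m-%d %H:%M:%S")
                    for s in (a, b)]
            tickets.add((svc, norm[0], norm[1]))
    return PRINC.search(text).group(1), tickets

def compare(mit_text, heimdal_text):
    """Report what each implementation sees that the other does not."""
    mp, mt = parse_klist(mit_text)
    hp, ht = parse_klist(heimdal_text)
    return {"same_principal": mp == hp,
            "only_mit": sorted(mt - ht), "only_heimdal": sorted(ht - mt)}

if __name__ == "__main__":
    print(compare(MIT_KLIST, HEIMDAL_KLIST))
```

An entry under `only_mit` or `only_heimdal` means one library is not reading what the other wrote to the shared cache, which is the "do simpler things work" question from the reply.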