
Re: Mixing heimdal and MIT clients.



On Monday 14 January 2008 22:49:22 Timothy J. Miller wrote:
> Q for the list:
>
> If I'm using heimdal to obtain the TGT, should another client linked
> against MIT be able to read the ccache and fetch a service ticket?  I
> ask because from what I've read I think it should, but for the life
> of me I can't get it to work.
>
> Scenario:  logins with pam_krb5 (linked against heimdal-1.0.1) and an
> AD KDC.  Clients (Firefox and smbclient, frex) linked against MIT 1.6.
>
> I can work around Firefox by setting network.negotiate-auth.gsslib to
> heimdal's libgssapi, after which integrated auth works just fine in
> Firefox.  But fixing smbclient this way would mean forking a
> distribution package, linking against heimdal, and pinning it--*or*
> mucking about with symlinks--neither of which I'd like to do.
>
> I've traced smbclient and I can see it opening the ccache correctly,
> but it fails to note the TGT I have.  The specific error in both the
> Firefox and smbclient is KRB5_NO_TKT_IN_RLM:
>
> (After a pam_krb5 login)
> user@xubuntu:~$ klist
> Credentials cache: FILE:/tmp/krb5cc_10020
>          Principal: user@TEST.DOMAIN.LOCAL
>
>    Issued           Expires          Principal
> Jan 14 14:13:26  Jan 14 20:53:26  krbtgt/
> TEST.DOMAIN.LOCAL@TEST.DOMAIN.LOCAL
>
> user@xubuntu:~$ smbclient -k //testdc.test.domain.local/xfer
> ads_krb5_mk_req: krb5_get_credentials failed for testdc
> $@TEST.DOMAIN.LOCAL (Cannot find ticket for requested realm)
> cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
> find ticket for requested realm
> session setup failed: SUCCESS - 0
>
> Clearly I'm wrong about something.  Any help would be appreciated.

Something like this works here (Mandriva 2008.0 x86_64 with only packages in 
the distro), where I have a Heimdal server and "workstation" (kinit, klist), 
but OpenLDAP is linked against MIT. The OpenLDAP server's keytab was 
retrieved with Heimdal ktutil, the user's ticket was retrieved with Heimdal 
kinit (or with pam_krb5 linked against MIT on login), and I can ldap* with 
GSSAPI:

(Ticket from KDE login with pam_krb5 linked with MIT)

[bgmilne@tiger ~]$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: bgmilne@RANGER.DNSALIAS.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com
[bgmilne@tiger ~]$ klist
Credentials cache: FILE:/tmp/krb5cc_501_2jCo2G
        Principal: bgmilne@RANGER.DNSALIAS.COM

  Issued           Expires          Principal
Jan 15 13:53:33  Jan 15 20:33:33  
krbtgt/RANGER.DNSALIAS.COM@RANGER.DNSALIAS.COM
Jan 15 13:56:05  Jan 15 20:33:33  
ldap/tiger.ranger.dnsalias.com@RANGER.DNSALIAS.COM


# Kinit with heimdal

[bgmilne@tiger ~]$ kdestroy
[bgmilne@tiger ~]$ kinit
bgmilne@RANGER.DNSALIAS.COM's Password:
[bgmilne@tiger ~]$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: bgmilne@RANGER.DNSALIAS.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com

Maybe I'll find time to try your test against an AD setup.

Regards,
Buchan
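Both messages above rely on klist to see what a cache contains, and the error in the original question (KRB5_NO_TKT_IN_RLM, "Cannot find ticket for requested realm") is about which realm the cached TGT belongs to. The following is an added example, not code from either poster, that reads a FILE: credential cache independently of either library and reports the default principal and the server principal of every stored credential, which is exactly the information a cross-library interoperability check needs. It implements the version 4 FILE ccache layout documented by MIT (2-byte version 0x0504, a tagged header, the default principal, then a sequence of credential records), which both Heimdal and MIT write; the sample cache bytes, the principal names, key bytes, timestamps and ticket contents are all constructed here for the test and are not real tickets.

```python
import io
import struct
import sys

# Layout assumed below: FILE ccache format version 4 (big-endian throughout),
# as documented in MIT krb5's ccache_file_format description. This is an
# added, stand-alone reader; it is not part of either Heimdal or MIT.


def _read_counted(buf):
    """Read a 4-byte big-endian length followed by that many bytes."""
    (n,) = struct.unpack(">I", buf.read(4))
    data = buf.read(n)
    if len(data) != n:
        raise ValueError("truncated credential cache")
    return data


def _read_principal(buf):
    """Principal: name_type, component count, realm, then each component."""
    name_type, ncomp = struct.unpack(">II", buf.read(8))
    realm = _read_counted(buf).decode()
    comps = [_read_counted(buf).decode() for _ in range(ncomp)]
    return "/".join(comps) + "@" + realm


def _read_credential(buf):
    """One credential record; returns the fields useful for interop checks."""
    client = _read_principal(buf)
    server = _read_principal(buf)
    (enctype,) = struct.unpack(">H", buf.read(2))
    _read_counted(buf)  # session key bytes: read and discarded
    authtime, starttime, endtime, renew_till = struct.unpack(">IIII", buf.read(16))
    (is_skey,) = struct.unpack(">B", buf.read(1))
    (flags,) = struct.unpack(">I", buf.read(4))
    (naddr,) = struct.unpack(">I", buf.read(4))
    for _ in range(naddr):         # addresses: 2-byte type + counted data
        buf.read(2)
        _read_counted(buf)
    (nauth,) = struct.unpack(">I", buf.read(4))
    for _ in range(nauth):         # authdata: 2-byte type + counted data
        buf.read(2)
        _read_counted(buf)
    ticket = _read_counted(buf)
    _read_counted(buf)             # second_ticket, normally empty
    return {"client": client, "server": server, "enctype": enctype,
            "endtime": endtime, "flags": flags, "ticket_len": len(ticket)}


def parse_ccache(data):
    """Parse a whole FILE ccache; raises ValueError on non-v4 caches."""
    buf = io.BytesIO(data)
    (version,) = struct.unpack(">H", buf.read(2))
    if version != 0x0504:
        raise ValueError("unsupported ccache version 0x%04x" % version)
    (hlen,) = struct.unpack(">H", buf.read(2))
    buf.read(hlen)                 # header tags (e.g. KDC time offset) skipped
    default_principal = _read_principal(buf)
    creds = []
    while buf.tell() < len(data):
        creds.append(_read_credential(buf))
    return {"default_principal": default_principal, "credentials": creds}


def has_tgt_for_realm(cc, realm):
    """True if the cache holds a krbtgt for the given realm."""
    want = "krbtgt/%s@%s" % (realm, realm)
    return any(c["server"] == want for c in cc["credentials"])


# --- constructed sample cache, mirroring the shape of the klist output above ---

def _write_counted(b):
    return struct.pack(">I", len(b)) + b


def _write_principal(name, realm, name_type=1):   # 1 = NT-PRINCIPAL
    comps = name.split("/")
    out = struct.pack(">II", name_type, len(comps)) + _write_counted(realm.encode())
    return out + b"".join(_write_counted(c.encode()) for c in comps)


def build_sample_ccache():
    """Constructed v4 cache: default principal plus one TGT (fake key/ticket)."""
    realm = "TEST.DOMAIN.LOCAL"
    header = struct.pack(">HH", 1, 8) + struct.pack(">ii", 0, 0)  # DeltaTime tag
    data = struct.pack(">HH", 0x0504, len(header)) + header
    data += _write_principal("user", realm)
    cred = _write_principal("user", realm) + _write_principal("krbtgt/" + realm, realm)
    cred += struct.pack(">H", 18) + _write_counted(b"\x00" * 32)   # enctype 18 = aes256-cts; zero key, constructed
    cred += struct.pack(">IIII", 1200000000, 1200000000, 1200024000, 0)  # constructed times
    cred += struct.pack(">B", 0) + struct.pack(">I", 0x50A00000)        # is_skey, ticket flags
    cred += struct.pack(">I", 0) + struct.pack(">I", 0)                 # no addresses, no authdata
    cred += _write_counted(b"constructed-ticket-bytes") + _write_counted(b"")
    return data + cred


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ccache()
    cc = parse_ccache(raw)
    print("Principal:", cc["default_principal"])
    for c in cc["credentials"]:
        print("  %s  enctype=%d  endtime=%d  ticket=%d bytes" %
              (c["server"], c["enctype"], c["endtime"], c["ticket_len"]))
```

Run it against a real cache with `python3 ccdump.py /tmp/krb5cc_10020` (path taken from the klist output above) to see the default principal and the exact server principals a second library will find, without depending on that library's own klist; caches written in the older version 3 layout are rejected rather than mis-parsed, since v3 differs in the keyblock and header fields.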