Date:      Mon, 13 Feb 2006 00:53:41 -0800
From:      Alexander Botero-Lowry <alex@foxybanana.com>
To:        freebsd-security@freebsd.org
Subject:   heimdal and mit incompatability when using GSSAPI
Message-ID:  <20060213085341.GA6545@atlantis.foxybanana.com>

My college is kerberized, and so in many situations authentication is both faster and more secure using Kerberos tickets. Sadly, I have run into a problem.

The Heimdal included in FreeBSD seems to be incompatible with my school's servers running MIT Kerberos when authenticating over GSSAPI.

For example, ssh in verbose mode returns:

debug2: we sent a gssapi-with-mic packet, wait for reply
debug1:  A token was invalid
Unknown error: 0

when I try to connect to oberon. This same connection works fine on another machine with MIT krb5. 

Interestingly, the tickets are issued even though the authentication fails:

[0:49] alex@Laptop: ~> klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: boterola@REED.EDU

  Issued           Expires          Principal                  
Feb 13 00:22:56  Feb 13 07:02:46  krbtgt/REED.EDU@REED.EDU     
Feb 13 00:38:54  Feb 13 07:02:46  host/oberon.reed.edu@REED.EDU


I am also able to use GSSAPI in Thunderbird (Linux version with MIT krb5 libraries).

Does anyone have any insight into how to get GSSAPI authentication to work betwixt the default Heimdal in FreeBSD and our MIT-running servers?

Alex 


