Date: Thu, 16 Feb 2006 21:22:50 +0300
From: Boris Samorodov <bsam@ipt.ru>
To: Alexander Botero-Lowry <alex@foxybanana.com>
Cc: freebsd-security@freebsd.org
Subject: Re: heimdal and mit incompatability when using GSSAPI
Message-ID: <61710261@srv.sem.ipt.ru>
In-Reply-To: <20060213085341.GA6545@atlantis.foxybanana.com> (Alexander Botero-Lowry's message of "Mon, 13 Feb 2006 00:53:41 -0800")
References: <20060213085341.GA6545@atlantis.foxybanana.com>

On Mon, 13 Feb 2006 00:53:41 -0800 Alexander Botero-Lowry wrote:

> My college is kerberized, and so in many situations authentication is both faster and more secure using kerberos tickets. Sadly I have run into a problem.
> The Heimdal included in FreeBSD seems to be incompatible with my school's servers running MIT kerberos when authenticating over gssapi.

Which version of FreeBSD and Heimdal are you using?

> For example ssh in verbose mode returns:
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: A token was invalid
> Unknown error: 0

man krb.conf may give some clue to heimdal kerberos to be more MIT-compatible.

> when I try to connect to oberon. This same connection works fine on another machine with MIT krb5.
> Interestingly the tickets are issued even though the authentication fails:
> [0:49] alex@Laptop: ~> klist
> Credentials cache: FILE:/tmp/krb5cc_1001
> Principal: boterola@REED.EDU
> Issued Expires Principal
> Feb 13 00:22:56 Feb 13 07:02:46 krbtgt/REED.EDU@REED.EDU
> Feb 13 00:38:54 Feb 13 07:02:46 host/oberon.reed.edu@REED.EDU

How and when did you get krbtgt? Did you use kinit? (man kinit may help a little)

> I am also able to use GSSAPI in thunderbird (linux version with MIT krb5 libraries).

Under Linux OS? I didn't find any linux-thunderbird at the ports tree.

> Does anyone have any insight into how to get GSSAPI authentication to work betwixt the default Heimdal in FreeBSD and our MIT-running servers?

Well, imo before using GSSAPI you may ensure that kerberos itself is working (ie what i've written above).

WBR
--
Boris B. Samorodov, Research Engineer
InPharmTech Co, http://www.ipt.ru
Telephone & Internet Service Provider