Date:      Thu, 16 Feb 2006 21:22:50 +0300
From:      Boris Samorodov <bsam@ipt.ru>
To:        Alexander Botero-Lowry <alex@foxybanana.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: heimdal and mit incompatability when using GSSAPI
Message-ID:  <61710261@srv.sem.ipt.ru>
In-Reply-To: <20060213085341.GA6545@atlantis.foxybanana.com> (Alexander Botero-Lowry's message of "Mon, 13 Feb 2006 00:53:41 -0800")
References:  <20060213085341.GA6545@atlantis.foxybanana.com>

On Mon, 13 Feb 2006 00:53:41 -0800 Alexander Botero-Lowry wrote:

> My college is kerberized, and so in many situations authentication is both faster and more secure using kerberos tickets. Sadly I have run into a problem. 

> The Heimdal included in FreeBSD seems to be incompatible with my school's servers running MIT kerberos when authenticating over gssapi.

Which version of FreeBSD and Heimdal are you using?

> For example ssh in verbose mode returns:

> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1:  A token was invalid
> Unknown error: 0

man krb.conf may give some clue on how to make Heimdal Kerberos more
MIT-compatible.

> when I try to connect to oberon. This same connection works fine on another machine with MIT krb5. 

> Interestingly the tickets are issued even though the authentication fails:

> [0:49] alex@Laptop: ~> klist
> Credentials cache: FILE:/tmp/krb5cc_1001
>         Principal: boterola@REED.EDU

>   Issued           Expires          Principal                  
> Feb 13 00:22:56  Feb 13 07:02:46  krbtgt/REED.EDU@REED.EDU     
> Feb 13 00:38:54  Feb 13 07:02:46  host/oberon.reed.edu@REED.EDU

How and when did you get krbtgt? Did you use kinit? (man kinit may
help a little)

> I am also able to use GSSAPI in thunderbird (linux version with MIT krb5 libraries).

Under Linux OS? I didn't find any linux-thunderbird in the ports tree.

> Does anyone have any insight into how to get GSSAPI authentication to work betwixt the default Heimdal in FreeBSD and our MIT-running servers?

Well, IMO, before using GSSAPI you may ensure that Kerberos itself is
working (i.e. what I've written above).


WBR
-- 
Boris B. Samorodov, Research Engineer
InPharmTech Co,     http://www.ipt.ru
Telephone & Internet Service Provider
