[Bug 204899] security/py-kerberos: authGSSClientStep raises GSSError UNKNOWN_SERVER

bugzilla-noreply at freebsd.org
Sun Nov 29 20:35:13 UTC 2015


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204899

            Bug ID: 204899
           Summary: security/py-kerberos: authGSSClientStep raises
                    GSSError UNKNOWN_SERVER
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: dvl at FreeBSD.org
          Reporter: john at saltant.com
             Flags: maintainer-feedback?(dvl at FreeBSD.org)

Summary:
========

When security/py-kerberos 1.1.1 is built with either GSSAPI_BASE or
GSSAPI_HEIMDAL, the first invocation of authGSSClientStep raises
kerberos.GSSError after failing to acquire a ticket for the krbtgt service on
the intended host rather than the specified service.


Expected result:
================

authGSSClientStep should request a service ticket for the specified service and
return successfully.


Test environment:
=================

I have three hosts (hostB, hostH, and hostM)---running security/py-kerberos
built with GSSAPI_BASE, GSSAPI_HEIMDAL, and GSSAPI_MIT respectively---in the
Kerberos realm EXAMPLE.COM, which is running an MIT Kerberos KDC on a third
host. For each of the three hosts, I have created service principals for the
'example' service, and performed a kinit to obtain a TGT for my own user
principal. Attached are three files showing the (sanitized) output of

    uname -a
    pkg info -xAf kerb heim krb5
    ktutil -k example.keytab l
    klist

on each of the three test hosts.


Test results:
=============

To demonstrate the failure, I use the test.py script from the upstream
PyKerberos-1.1.1 distribution. The invocation and output of the test script are
also attached for each of the three test hosts.

I observed the following log lines on the KDC during the failing test cases.

    UNKNOWN_SERVER: authtime 0,  john at EXAMPLE.COM for krbtgt/hostB.example.com at EXAMPLE.COM, Server not found in Kerberos database

    UNKNOWN_SERVER: authtime 0,  john at EXAMPLE.COM for krbtgt/hostH.example.com at EXAMPLE.COM, Server not found in Kerberos database

I observed the following log line on the KDC during the successful test case.

    ISSUE: authtime 1448823471, etypes {rep=18 tkt=18 ses=18}, john at EXAMPLE.COM for example/hostM.example.com at EXAMPLE.COM

Thereafter, on hostM, the output of kinit shows that the credential cache has a
ticket for example/hostM.example.com at EXAMPLE.COM.


Fix/Workaround:
===============

Unknown.

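An added example, not part of the original report or of PyKerberos: a small Python parser for the KDC log fragments quoted in the report, which separates hosts whose request was logged as krbtgt/<host> and rejected from hosts that were issued the example/<host> ticket. The sample lines are copied from the report with the line wrapping undone; the function names are hypothetical, and the fragment layout is assumed to be exactly as quoted (the archive prints "@" as " at ").

```python
import re

# A principal as quoted in the report; the mail archive prints "@" as " at ",
# so both spellings are accepted.
_PRINC = r"\S+?(?:@| at )[^\s,]+"
# Assumed layout: STATUS: authtime N, [etypes {...},] CLIENT for SERVER[, message]
_LINE = re.compile(
    r"(?P<status>[A-Z_]+): authtime \d+,\s+(?:etypes \{[^}]*\},\s+)?"
    r"(?P<client>" + _PRINC + r") for (?P<server>" + _PRINC + r")"
)

def parse(line):
    """Return (status, client, server) from one log fragment, or None."""
    m = _LINE.search(line)
    if m is None:
        return None
    return (m["status"],
            m["client"].replace(" at ", "@"),
            m["server"].replace(" at ", "@"))

def triage(lines, service):
    """Map each target name to what the KDC logged for it (hypothetical helper)."""
    verdicts = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue  # not a ticket-request fragment
        status, _client, server = parsed
        name, _, realm = server.rpartition("@")
        first, _, rest = name.partition("/")
        if first == "krbtgt" and rest != realm and status == "UNKNOWN_SERVER":
            # The failure in the report: krbtgt/<host> instead of <service>/<host>.
            verdicts[rest] = "krbtgt-for-host rejected"
        elif first == service and status == "ISSUE":
            verdicts[rest] = "service ticket issued"
        else:
            verdicts.setdefault(rest, "other: " + status)
    return verdicts

# Log fragments copied from the report (line wrapping undone).
SAMPLE = [
    "UNKNOWN_SERVER: authtime 0,  john at EXAMPLE.COM for krbtgt/hostB.example.com at EXAMPLE.COM, Server not found in Kerberos database",
    "UNKNOWN_SERVER: authtime 0,  john at EXAMPLE.COM for krbtgt/hostH.example.com at EXAMPLE.COM, Server not found in Kerberos database",
    "ISSUE: authtime 1448823471, etypes {rep=18 tkt=18 ses=18}, john at EXAMPLE.COM for example/hostM.example.com at EXAMPLE.COM",
]

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE, "example").items()):
        print(host, "->", verdict)
```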