[Bug 204899] security/py-kerberos: authGSSClientStep raises GSSError UNKNOWN_SERVER
bugzilla-noreply at freebsd.org
Sun Nov 29 20:35:13 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204899
Bug ID: 204899
Summary: security/py-kerberos: authGSSClientStep raises
GSSError UNKNOWN_SERVER
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: dvl at FreeBSD.org
Reporter: john at saltant.com
Flags: maintainer-feedback?(dvl at FreeBSD.org)
Summary:
========
When security/py-kerberos 1.1.1 is built with either GSSAPI_BASE or
GSSAPI_HEIMDAL, the first invocation of authGSSClientStep raises
kerberos.GSSError after failing to acquire a ticket for the krbtgt service on
the intended host rather than the specified service.
Expected result:
================
authGSSClientStep should request a service ticket for the specified service and
return successfully.
Test environment:
=================
I have three hosts (hostB, hostH, and hostM)---running security/py-kerberos
built with GSSAPI_BASE, GSSAPI_HEIMDAL, and GSSAPI_MIT respectively---in the
Kerberos realm EXAMPLE.COM, which is running an MIT Kerberos KDC on a third
host. For each of the three hosts, I have created service principals for the
'example' service, and performed a kinit to obtain a TGT for my own user
principal. Attached are three files showing the (sanitized) output of

    uname -a
    pkg info -xAf kerb heim krb5
    ktutil -k example.keytab l
    klist

on each of the three test hosts.
Test results:
=============
To demonstrate the failure, I use the test.py script from the upstream
PyKerberos-1.1.1 distribution. The invocation and output of the test script are
also attached for each of the three test hosts.
I observed the following log lines on the KDC during the failing test cases.

    UNKNOWN_SERVER: authtime 0, john at EXAMPLE.COM for
    krbtgt/hostB.example.com at EXAMPLE.COM, Server not found in Kerberos database
    UNKNOWN_SERVER: authtime 0, john at EXAMPLE.COM for
    krbtgt/hostH.example.com at EXAMPLE.COM, Server not found in Kerberos database

I observed the following log line on the KDC during the successful test case.

    ISSUE: authtime 1448823471, etypes {rep=18 tkt=18 ses=18}, john at EXAMPLE.COM
    for example/hostM.example.com at EXAMPLE.COM
Thereafter, on hostM, the output of kinit shows that the credential cache has a
ticket for example/hostM.example.com at EXAMPLE.COM.
Fix/Workaround:
===============
Unknown.
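A triage helper for the KDC log excerpts quoted in the report, added here as an example (it is not part of the original report or of py-kerberos): it flags UNKNOWN_SERVER requests that name krbtgt/<host> where <service>/<host> was expected. The names `triage` and `known_realms` are hypothetical, and the sample lines are constructed by joining the report's wrapped excerpts onto single lines.

```python
import re

# Fragment of an MIT KDC log line as quoted in the report:
#   STATUS: authtime N, [etypes {...},] client for server[, error text]
# Principals are accepted as "name@REALM" or the archive's "name at REALM".
KDC_LINE = re.compile(
    r"(?P<status>[A-Z_]+): authtime \d+,(?: etypes \{[^}]*\},)? "
    r"(?P<client>\S+?)(?:@| at )(?P<crealm>\S+) for "
    r"(?P<server>[^@\s,]+?)(?:@| at )(?P<srealm>[^\s,]+)"
)

def triage(lines, service, known_realms=()):
    """Return (verdict, client, server) for each parsable KDC log line.

    'krbtgt-for-host' means UNKNOWN_SERVER for krbtgt/<x> where <x> is not a
    realm we know: the request named krbtgt/<host> instead of
    <service>/<host>, which is the symptom in this report.
    """
    results = []
    for line in lines:
        m = KDC_LINE.search(line)
        if not m:
            continue  # not a ticket-request line in the quoted format
        primary, _, instance = m["server"].partition("/")
        # krbtgt/<REALM> is a legitimate local or cross-realm TGS name.
        realms = set(known_realms) | {m["srealm"]}
        if m["status"] == "ISSUE" and primary == service:
            verdict = "issued"
        elif (m["status"] == "UNKNOWN_SERVER" and primary == "krbtgt"
              and instance not in realms):
            verdict = "krbtgt-for-host"
        else:
            verdict = "other"
        results.append((verdict, m["client"], m["server"]))
    return results

# Constructed sample: the report's three KDC excerpts, one log line each.
SAMPLE = [
    "UNKNOWN_SERVER: authtime 0, john at EXAMPLE.COM for krbtgt/hostB.example.com at EXAMPLE.COM, Server not found in Kerberos database",
    "UNKNOWN_SERVER: authtime 0, john at EXAMPLE.COM for krbtgt/hostH.example.com at EXAMPLE.COM, Server not found in Kerberos database",
    "ISSUE: authtime 1448823471, etypes {rep=18 tkt=18 ses=18}, john at EXAMPLE.COM for example/hostM.example.com at EXAMPLE.COM",
]

if __name__ == "__main__":
    for verdict, client, server in triage(SAMPLE, "example"):
        print(f"{verdict:16} {client} -> {server}")
```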