heimdal and mit incompatibility when using GSSAPI
Boris Samorodov
bsam at ipt.ru
Thu Feb 16 10:24:36 PST 2006
On Mon, 13 Feb 2006 00:53:41 -0800 Alexander Botero-Lowry wrote:
> My college is kerberized, and so in many situations authentication is both faster and more secure using kerberos tickets. Sadly I have run into a problem.
> The Heimdal included in FreeBSD seems to be incompatible with my school's servers running MIT kerberos when authenticating over gssapi.
Which version of FreeBSD and Heimdal are you using?
> For example ssh in verbose mode returns:
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: A token was invalid
> Unknown error: 0
man krb.conf may give some clue to heimdal kerberos to be more
MIT-compatible.
> when I try to connect to oberon. This same connection works fine on another machine with MIT krb5.
> Interestingly the tickets are issued even though the authentication fails:
> [0:49] alex at Laptop: ~> klist
> Credentials cache: FILE:/tmp/krb5cc_1001
> Principal: boterola at REED.EDU
> Issued Expires Principal
> Feb 13 00:22:56 Feb 13 07:02:46 krbtgt/REED.EDU at REED.EDU
> Feb 13 00:38:54 Feb 13 07:02:46 host/oberon.reed.edu at REED.EDU
How and when did you get krbtgt? Did you use kinit? (man kinit may
help a little)
> I am also able to use GSSAPI in thunderbird (linux version with MIT krb5 libraries).
Under Linux OS? I didn't find any linux-thunderbird in the ports tree.
> Does anyone have any insight into how to get GSSAPI authentication to work betwixt the default Heimdal in FreeBSD and our MIT-running servers?
Well, IMO before using GSSAPI you may ensure that kerberos itself is
working (i.e. what I've written above).
WBR
--
Boris B. Samorodov, Research Engineer
InPharmTech Co, http://www.ipt.ru
Telephone & Internet Service Provider