Heimdal and MIT incompatibility when using GSSAPI



My college is kerberized, and so in many situations authentication is both faster and more secure using Kerberos tickets. Sadly, I have run into a problem.

The Heimdal included in FreeBSD seems to be incompatible with my school's servers running MIT Kerberos when authenticating over GSSAPI.

For example, ssh in verbose mode returns:

debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: A token was invalid
Unknown error: 0

when I try to connect to oberon. This same connection works fine on another machine with MIT krb5.

Interestingly the tickets are issued even though the authentication fails:

[0:49] alex@Laptop: ~> klist
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: boterola@xxxxxxxx

  Issued           Expires          Principal
Feb 13 00:22:56  Feb 13 07:02:46  krbtgt/REED.EDU@xxxxxxxx
Feb 13 00:38:54  Feb 13 07:02:46  host/oberon.reed.edu@xxxxxxxx


I am also able to use GSSAPI in Thunderbird (Linux version with MIT krb5 libraries).

Does anyone have any insight into how to get GSSAPI authentication to work betwixt the default Heimdal in FreeBSD and our MIT-running servers?

Alex