Re: heimdal and mit incompatability when using GSSAPI



On Mon, 13 Feb 2006 00:53:41 -0800 Alexander Botero-Lowry wrote:

My college is kerberized, and so in many situations authentication is both faster and more secure using kerberos tickets. Sadly I have run into a problem.

The Heimdal included in FreeBSD seems to be incompatible with my school's servers running MIT kerberos when authenticating over gssapi.

Which version of FreeBSD and Heimdal are you using?

For example ssh in verbose mode returns:

debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: A token was invalid
Unknown error: 0

man krb.conf may give some clue to heimdal kerberos to be more
MIT-compatible.

when I try to connect to oberon. This same connection works fine on another machine with MIT krb5.

Interestingly the tickets are issued even though the authentication fails:

[0:49] alex@Laptop: ~> klist
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: boterola@xxxxxxxx

Issued Expires Principal
Feb 13 00:22:56 Feb 13 07:02:46 krbtgt/REED.EDU@xxxxxxxx
Feb 13 00:38:54 Feb 13 07:02:46 host/oberon.reed.edu@xxxxxxxx

How and when did you get krbtgt? Did you use kinit? (man kinit may
help a little)

I am also able to use GSSAPI in thunderbird (linux version with MIT krb5 libraries).

Under Linux OS? I didn't find any linux-thunderbird at the ports tree.

Does anyone have any insight into how to get GSSAPI authentication to work betwixt the default Heimdal in FreeBSD and our MIT-running servers?

Well, imo before using GSSAPI you may ensure that kerberos itself is
working (ie what i've written above).


WBR
--
Boris B. Samorodov, Research Engineer
InPharmTech Co, http://www.ipt.ru
Telephone & Internet Service Provider
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"