[37741] in Kerberos


Kerberos Ticket not renewed anymore after being forwarded.

daemon@ATHENA.MIT.EDU (vm@c4k3.space)
Wed Oct 26 08:21:54 2016

Date: Wed, 26 Oct 2016 14:21:35 +0200
From: vm@c4k3.space
To: kerberos@mit.edu
Message-ID: <72ec96c6d2fa16fda3d1892dd70c2566@c4k3.space>

Hi,

I hope I'm at the right place here for my issue.

This is the case:


On my MacBook (Mac OS X 10.11), I have a renewable Kerberos ticket:

---
macbook013:~ vm$ klist -v
  Credentials cache: API:EF9959E6-85DF-446F-9B21-3CEEC606FA2D
          Principal: vm@REALM.COM
      Cache version: 0

  Server: krbtgt/REALM.COM@REALM.COM
  Client: vm@REALM.COM
  Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
  Ticket length: 342
  Auth time:  Oct 26 13:55:09 2016
  End time:   Nov 25 12:55:05 2016
  Renew till: Jan 26 12:55:05 2017
  Ticket flags: enc-pa-rep, pre-authent, initial, renewable, proxiable, forwardable
  Addresses: addressless
---

If I do an ssh (GSSAPIAuthentication yes, GSSAPIDelegateCredentials yes) 
to a Linux server, the ticket there is not renewable anymore:

---
  macbook013:~ vm$ ssh linuxserver2
  linuxserver2 ~ # klist -f
  Ticket cache: FILE:/tmp/krb5cc_1379_BZVstF6000
  Default principal: vm@REALM.COM

  Valid starting     Expires            Service principal
  10/26/16 14:00:30  11/25/16 12:55:05  krbtgt/REALM.COM@REALM.COM
         Flags: FfPAT
  linuxserver2 ~ # krenew
  krenew: error renewing credentials: KDC can't fulfill requested option
  linuxserver2 ~ # kinit -R
  kinit: KDC can't fulfill requested option while renewing credentials
---

If I do a kinit on linuxserver1 and get a renewable ticket there and ssh 
to linuxserver2, the forwarded ticket stays renewable.

I guess it has something to do with the ssh-client on Mac OS X? (but 
copying the ssh_config from linuxserver1 to the macbook does not solve 
it. Copying the krb5.conf doesn't solve it either)
Or should I search the cause in another direction?
Maybe I'm missing something obvious.


Thank you for thinking with me!

VM
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
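
As an added example (not part of the original post), the following Python code parses `klist -f` output like that shown for linuxserver2 and reports whether each TGT carries the `R` (renewable) flag that `kinit -R` and `krenew` depend on. The flag letters are the ones MIT `klist -f` prints; the function names and the embedded sample text are constructed for illustration.

```python
import re

# Flag letters printed by MIT Kerberos `klist -f`.
FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hardware-authenticated", "A": "pre-authenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^\s*({STAMP})\s+({STAMP})\s+(\S+)\s*$")

# Constructed sample: the forwarded cache on linuxserver2 as shown in the post.
FORWARDED = """\
Ticket cache: FILE:/tmp/krb5cc_1379_BZVstF6000
Default principal: vm@REALM.COM

Valid starting     Expires            Service principal
10/26/16 14:00:30  11/25/16 12:55:05  krbtgt/REALM.COM@REALM.COM
       Flags: FfPAT
"""

def parse_klist(text):
    """Parse `klist -f` text into one dict per ticket (hypothetical helper)."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"service": m.group(3), "expires": m.group(2),
                            "renew_until": None, "flags": []})
        elif tickets:
            # Detail lines ("renew until ..., Flags: ...") belong to the last ticket.
            r = re.search(rf"renew until\s+({STAMP})", line)
            f = re.search(r"Flags:\s*([A-Za-z]+)", line)
            if r:
                tickets[-1]["renew_until"] = r.group(1)
            if f:
                tickets[-1]["flags"] = [FLAG_NAMES.get(c, "?" + c) for c in f.group(1)]
    return tickets

def renewal_report(text):
    """Return (service, origin, renewable, renew_until) for each TGT in the cache."""
    report = []
    for t in parse_klist(text):
        if t["service"].startswith("krbtgt/"):
            origin = "forwarded" if "forwarded" in t["flags"] else "local"
            report.append((t["service"], origin, "renewable" in t["flags"], t["renew_until"]))
    return report

if __name__ == "__main__":
    for service, origin, renewable, until in renewal_report(FORWARDED):
        print(f"{service}: {origin} TGT, renewable={renewable}, renew until={until}")
```

On the sample above it reports a forwarded TGT without the renewable flag, which matches the "KDC can't fulfill requested option" result from `kinit -R` in the post.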
