[37747] in Kerberos


Re: Kerberos Ticket not renewed anymore after being forwarded.

daemon@ATHENA.MIT.EDU (Simo Sorce)
Thu Oct 27 09:13:55 2016

Message-ID: <1477574018.4312.13.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: vm@c4k3.space
Date: Thu, 27 Oct 2016 09:13:38 -0400
In-Reply-To: <774e41743d3f9f67bccddcea3b1c220a@c4k3.space>
Mime-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

kadmin is not involved with ticket renewal or delegation.
More likely the MacOSX GSSAPI implementation requests a forwardable TGT that
is not renewable and then forwards that one to the remote server.
It is not a bad idea to limit forwarded tickets that way.

Simo.

On Thu, 2016-10-27 at 13:37 +0200, vm@c4k3.space wrote:
> So far my attempt to ask it to the community :-)
> But I think I finally managed to find the explanation.
> So in case someone else ever has the same problem, searches why and 
> stumbles onto this page...
> 
> The kadmin protocol, which differs between the Heimdal implementation used 
> in Mac OS and the MIT implementation on Linux, seems to be the culprit.
> 
> http://kerberos.996246.n3.nabble.com/Lion-problems-tc13877.html
> 
> |
> | Mar 12, 2012; 9:52pm  Arthur Prokosch-2 Arthur Prokosch-2
> | ...
> | We've wandered into Heimdal territory here and should probably switch
> | to [hidden email] or discussions.apple.com.  In the meantime:
> | if anyone else has seen Mac OS 10.7 Heimdal tickets lose their
> | Forwardable and Proxiable flags in the process of initiating GSSAPI
> | ssh connections or has an explanation, I'd be quite interested to hear
> | off-list.
> |
> | best,
> | -arthur prokosch
> | system administrator
> | [1]MIT Computer Science and Artificial Intelligence Lab.
> | ...
> 
> 
> In the meantime I also tested it on MacOS Sierra. Problem is still there.
> 
> I don't know if there is any solution though.
> 
> P.S. Can anybody confirm my hypothesis?
> 
> 
> 
> vm@c4k3.space wrote on 2016-10-26 14:21:
> > Hi,
> > 
> > I hope I'm at the right place here for my issue.
> > 
> > This is the case:
> > 
> > 
> > On my macbook (Mac OS X 10.11), I have a renewable Kerberos-ticket:
> > 
> > ---
> > macbook013:~ vm$ klist -v
> >   Credentials cache: API:EF9959E6-85DF-446F-9B21-3CEEC606FA2D
> >           Principal: vm@REALM.COM
> >       Cache version: 0
> > 
> >   Server: krbtgt/REALM.COM@REALM.COM
> >   Client: vm@REALM.COM
> >   Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
> >   Ticket length: 342
> >   Auth time:  Oct 26 13:55:09 2016
> >   End time:   Nov 25 12:55:05 2016
> >   Renew till: Jan 26 12:55:05 2017
> >   Ticket flags: enc-pa-rep, pre-authent, initial, renewable, proxiable,
> > forwardable
> >   Addresses: addressless
> > ---
> > 
> > If I do a ssh (GSSAPIAuthentication yes,GSSAPIDelegateCredentials yes)
> > to a linux-server, the ticket there is not renewable anymore:
> > 
> > ---
> >   macbook013:~ vm$ ssh linuxserver2
> >   linuxserver2 ~ # klist -f
> >   Ticket cache: FILE:/tmp/krb5cc_1379_BZVstF6000
> >   Default principal: vm@REALM.COM
> > 
> >   Valid starting     Expires            Service principal
> >   10/26/16 14:00:30  11/25/16 12:55:05  krbtgt/REALM.COM@REALM.COM
> >          Flags: FfPAT
> >   linuxserver2 ~ # krenew
> >   krenew: error renewing credentials: KDC can't fulfill requested 
> > option
> >   linuxserver2 ~ # kinit -R
> >   kinit: KDC can't fulfill requested option while renewing credentials
> > ---
> > 
> > If I do a kinit on linuxserver1 and get a renewable ticket there and ssh
> > to linuxserver2, the forwarded ticket stays renewable.
> > 
> > I guess it has something to do with the ssh-client on Mac OS X? (but
> > copying the ssh_config from linuxserver1 to the macbook does not solve
> > it. Copying the krb5.conf doesn't solve it either)
> > Or should I search the cause in another direction?
> > Maybe I'm missing something obvious.
> > 
> > 
> > Thank you for thinking with me!
> > 
> > VM
> > ________________________________________________
> > Kerberos mailing list           Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> 


-- 
Simo Sorce * Red Hat, Inc * New York

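As an added diagnostic (not code from the thread or from either Kerberos implementation), the following Python parses the two klist outputs quoted above and reports whether the TGT in each cache can be renewed. The sample strings are constructed from the thread's own output, and the flag-letter table follows the MIT klist man page.

```python
"""Check whether a Kerberos TGT can be renewed, from klist output.
Added example, not code from the thread: parses MIT 'klist -f' flag letters
(e.g. "FfPAT") and Heimdal 'klist -v' flag names, then explains why
'kinit -R' / krenew fails when 'renewable' is absent.
"""
import re

# MIT klist -f letters -> flag names (as documented in the klist man page).
MIT_FLAGS = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "may-postdate", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hw-authent", "A": "pre-authent",
    "T": "transited-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}

# Constructed samples, copied from the outputs quoted in the thread.
LINUX_KLIST_F = "         Flags: FfPAT"
MAC_KLIST_V = """\
  Server: krbtgt/REALM.COM@REALM.COM
  Ticket flags: enc-pa-rep, pre-authent, initial, renewable, proxiable,
forwardable
  Addresses: addressless
"""

def parse_mit_flags(line):
    """'Flags: FfPAT' -> set of flag names; unknown letters are ignored."""
    m = re.search(r"Flags:\s*([A-Za-z]+)", line)
    return {MIT_FLAGS[c] for c in m.group(1) if c in MIT_FLAGS} if m else set()

def parse_heimdal_flags(text):
    """'Ticket flags: a, b,\\nc' (wrapped lines allowed) -> set of names."""
    m = re.search(r"Ticket flags:\s*(.*?)(?:\n\s*Addresses:|\Z)", text, re.S)
    names = m.group(1).replace("\n", " ").split(",") if m else []
    return {f.strip() for f in names if f.strip()}

def renew_diagnosis(flags):
    """Return (can_renew, explanation) for a TGT with the given flags."""
    if "renewable" in flags:
        return True, "renewable flag present: kinit -R / krenew can succeed"
    if "forwarded" in flags:
        return False, ("forwarded TGT has no renewable flag: the forwarding "
                       "client requested a non-renewable ticket; renew on the "
                       "originating host instead, or reconfigure the client")
    return False, ("TGT was obtained without a renewable lifetime; use "
                   "kinit -r <lifetime> or set renew_lifetime in krb5.conf")

if __name__ == "__main__":
    for name, flags in (("macbook", parse_heimdal_flags(MAC_KLIST_V)),
                        ("linuxserver2", parse_mit_flags(LINUX_KLIST_F))):
        ok, why = renew_diagnosis(flags)
        print(f"{name}: {sorted(flags)} -> {'OK' if ok else 'FAIL'}: {why}")
```

Run against a live cache with `klist -f` / `klist -v` output piped in, the "forwarded, not renewable" verdict is exactly the situation the thread describes, and "KDC can't fulfill requested option" is the KDC's answer to renewing such a ticket.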
