[32438] in Kerberos

Re: GSSAPIDelegateCredentials only works for REQUIRES_PRE_AUTH

daemon@ATHENA.MIT.EDU (Adam Megacz)
Tue Jun 8 16:43:30 2010

To: kerberos@mit.edu
From: Adam Megacz <megacz@cs.berkeley.edu>
Date: Tue, 08 Jun 2010 18:03:10 +0000
Message-ID: <xuu2iq5tv1up.fsf@gentzen.megacz.com>
Mime-Version: 1.0
X-Complaints-To: usenet@dough.gmane.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu


Russ Allbery <rra@stanford.edu> writes:
> Check the host/* principal on the system to which you were authenticating.
> I bet that the REQUIRES_PRE_AUTH flag was set for it, which means that
> only tickets that are pre-authenticated can authenticate to that service
> principal.

Indeed, that was it!  Russ saves the day again.

Curious: I assume that the failure mode here is some variation on the
sshd machine asking the KDC for a delegation and the KDC refusing.  Does
the refusal include enough information to produce an error message
(either in the sshd log or elsewhere) mentioning this as the reason for
the failure?

In general I find that sshd really does a very poor job explaining the
reason why things went wrong when it comes to Kerberos/GSSAPI.  I've got
some free cycles this summer that I can put towards fixing that if it's
something that can be fixed.

  - a

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
