[32923] in Kerberos
GSSAPI Issue
daemon@ATHENA.MIT.EDU (Bram Cymet)
Wed Nov 24 12:11:18 2010
Message-ID: <4CED470E.9050005@cbnco.com>
Date: Wed, 24 Nov 2010 12:10:38 -0500
From: Bram Cymet <bcymet@cbnco.com>
To: kerberos@mit.edu
Hi,
I am having this weird problem using GSSAPI delegation with SSH.
I am using pam_krb5 on the server side as well.
If I just ssh with no tickets on my local machine it will ask me for a
password and I can then run a klist on the server and see:
ssh bcymet@LS.CBN@mgaauth1.ni.ls.cbn
Password:
Last login: Wed Nov 24 11:00:06 2010 from 172.20.250.139
bcymet@LS.CBN@mgaauth1:~> klist
Ticket cache: FILE:/tmp/krb5cc_5002_v11419
Default principal: bcymet@LS.CBN
Valid starting Expires Service principal
11/24/10 11:05:43 11/24/10 21:05:43 krbtgt/LS.CBN@LS.CBN
renew until 11/25/10 11:05:41
However, if I kinit first:
bcymet@linux-s6k6:/etc> kinit bcymet@LS.CBN
bcymet@linux-s6k6:/etc> klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bcymet@LS.CBN
Valid starting Expires Service principal
11/24/10 12:06:56 11/24/10 22:06:56 krbtgt/LS.CBN@LS.CBN
renew until 11/25/10 12:06:47
bcymet@linux-s6k6:/etc> ssh bcymet@LS.CBN@mgaauth1.ni.ls.cbn
Last login: Wed Nov 24 11:05:43 2010 from 172.20.250.139
bcymet@LS.CBN@mgaauth1:~> klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_5002)
So it allows me to ssh without a password (as I want) but then when I
try to klist on the server I don't seem to have a credentials cache and
I am fairly sure I should have one.
After leaving the server my credentials cache looks as expected:
bcymet@LS.CBN@mgaauth1:~> exit
logout
Connection to mgaauth1.ni.ls.cbn closed.
bcymet@linux-s6k6:/etc> klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bcymet@LS.CBN
Valid starting Expires Service principal
11/24/10 12:06:56 11/24/10 22:06:56 krbtgt/LS.CBN@LS.CBN
renew until 11/25/10 12:06:47
11/24/10 12:07:32 11/24/10 22:06:56 krbtgt/NI.LS.CBN@LS.CBN
renew until 11/25/10 12:06:47
11/24/10 12:07:37 11/24/10 22:06:56 host/mgaauth1.ni.ls.cbn@NI.LS.CBN
renew until 11/25/10 12:06:47
This is a cross realm setup.
Any ideas what could be going on?
Thanks,
--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752