Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
List-Id: | <cygwin.cygwin.com> |
List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
List-Archive: | <http://sourceware.org/ml/cygwin/> |
List-Post: | <mailto:cygwin AT cygwin DOT com> |
List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
Sender: | cygwin-owner AT cygwin DOT com |
Mail-Followup-To: | cygwin AT cygwin DOT com |
Delivered-To: | mailing list cygwin AT cygwin DOT com |
From: | "Nogin, Aleksey" <anogin AT hrl DOT com> |
To: | "cygwin AT cygwin DOT com" <cygwin AT cygwin DOT com> |
Date: | Fri, 14 Jun 2013 14:39:15 -0700 |
Subject: | Heimdal 1.5.2: "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10" |
Message-ID: | <409A0E510096B044A0EE3778BB3F1F5C01379C903ECD@EXMAIL.hrl.com> |
I am experiencing the same error that Corinna Vinschen has reported on the cygwin-apps mailing list about a year ago without any obvious resolution(*), and I was wondering whether somebody was able to resolve it since.

I am running Heimdal's kinit (as came with MobaXterm 6.2) under Windows 7 to get a ticket from a Windows AD, and then ssh'ing into RHEL 5 and 6 boxes set up to use pam_krb to authenticate against the same Windows AD. gssapi-with-mic authentication succeeds, but credential delegation does not, and I see the same "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10" error(**) previously reported. This is an issue in my environment, where Kerberos-secured NFS is used to provide access to home directories.

One thing I did notice is that when I ssh into an RHEL box, afterwards kinit on the client (Cygwin) side shows a ticket for the RHEL host (as expected), yet it shows that the ticket lacks the "forwardable" flag, which would probably explain the failure to delegate credentials. So perhaps this is a problem with the SSH client on the Cygwin end ("ssh -V" reports "OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012"), rather than Heimdal's? The libdefaults section in krb5.conf on Cygwin does contain "forwardable = yes" and, in contrast to how it happens on Cygwin, the Linux->Linux ssh that does delegate credentials correctly also does obtain a forwardable ticket on the client side.

TIA for any help.

Aleksey

(*) The last message of the thread at http://cygwin.com/ml/cygwin-apps/2012-03/msg00156.html ends with "Oh well, I guess I just give up. You proved that it works and I'm trying a pretty unlikely combination." I guess I am trying an unlikely combination too :-(

(**) Here is the full output (RHEL 5 version; RHEL 6 is virtually the same, with OpenSSH_5.3 on the other end).

% ssh -v XXXhostXXX
OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /home/mobaxterm/.ssh/config
debug1: /home/mobaxterm/.ssh/config line 24: Applying options for *
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to XXXhostXXX [IP.IP.IP.IP] port 22.
debug1: Connection established.
debug1: identity file /home/mobaxterm/.ssh/id_rsa type 1
debug1: identity file /home/mobaxterm/.ssh/id_rsa-cert type -1
debug1: identity file /home/mobaxterm/.ssh/id_dsa type -1
debug1: identity file /home/mobaxterm/.ssh/id_dsa-cert type -1
debug1: identity file /home/mobaxterm/.ssh/id_ecdsa type -1
debug1: identity file /home/mobaxterm/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 zlib@openssh.com
debug1: kex: client->server aes128-ctr hmac-md5 zlib@openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA XX:XX:XX:...
debug1: Host 'XXXhostXXX' is known and matches the RSA host key.
debug1: Found key in /home/mobaxterm/.ssh/known_hosts:16
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Miscellaneous failure (see text)
unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Enabling compression at level 6.
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to XXXhostXXX ([IP.IP.IP.IP]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: No xauth program.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Requesting authentication agent forwarding.
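
Added example, not part of the original message: a small Python triage of the `ssh -v` output quoted in the post. It extracts the GSS-API error, names the mechanism OID (1.3.6.1.4.1.311.2.2.10 is NTLMSSP, not Kerberos 5), splits the minor status into its com_err table and index, and counts delegation attempts; `triage`, `MECHS` and the sample lines are constructed for illustration.

```python
import re

# Dotted OIDs of GSS-API mechanisms commonly negotiated against Active Directory.
MECHS = {
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
KRB5_ET_BASE = 0x96C73A00  # com_err base of the "krb5" error table

# Constructed sample: the GSSAPI-related lines of the debug output in the post.
SAMPLE = """\
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Miscellaneous failure (see text)
unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
"""

MECH_ERR = re.compile(r"unknown mech-code (\d+) for mech (\d+(?: \d+)+)")
AUTH_OK = re.compile(r"Authentication succeeded \(([^)]+)\)")


def triage(log):
    """Summarise the GSSAPI events in `ssh -v` client output."""
    out = {"mech_errors": [], "delegation_attempts": 0, "auth_method": None}
    for line in log.splitlines():
        err = MECH_ERR.search(line)
        ok = AUTH_OK.search(line)
        if err:
            minor = int(err.group(1))
            oid = err.group(2).replace(" ", ".")
            out["mech_errors"].append({
                "oid": oid,
                "mechanism": MECHS.get(oid, "unknown"),
                # com_err codes are table base + index in the low 8 bits
                "krb5_table": (minor & ~0xFF) == KRB5_ET_BASE,
                "index": minor & 0xFF,
            })
        elif "Delegating credentials" in line:
            out["delegation_attempts"] += 1
        elif ok:
            out["auth_method"] = ok.group(1)
    return out


if __name__ == "__main__":
    print(triage(SAMPLE))
```
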