Mail Archives: cygwin/2013/06/21/12:55:23

Message-ID: <51C4855C.5050206@openafs.org>
Date: Fri, 21 Jun 2013 12:54:52 -0400
From: Jeffrey Altman <jaltman AT openafs DOT org>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Unable to delegate credentials from Cygwin ssh client was Re: Heimdal 1.5.2: "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10"
References: <409A0E510096B044A0EE3778BB3F1F5C01379C903ECD AT EXMAIL DOT hrl DOT com>
In-Reply-To: <409A0E510096B044A0EE3778BB3F1F5C01379C903ECD@EXMAIL.hrl.com>

On 6/14/2013 5:39 PM, Nogin, Aleksey wrote:
> I am experiencing the same error that Corinna Vinschen has reported on the cygwin-apps mailing list about a year ago without any obvious resolution(*), and I was wondering whether somebody was able to resolve it since.
> 
> I am running Heimdal's kinit (as came with MobaXterm 6.2) under Windows 7 to get a ticket from a Windows AD, and then ssh'ing into RHEL 5 and 6 boxes set up to use pam_krb to authenticate against the same Windows AD.  gssapi-with-mic authentication succeeds, but credential delegation does not, and I see the same "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10" error(**) previously reported. This is an issue in my environment, where Kerberos-secured NFS is used to provide access to home directories.
> 
> One thing I did notice is that when I ssh into an RHEL box, afterwards klist on the client (Cygwin) side shows a ticket for the RHEL host (as expected), yet it shows that the ticket lacks the "forwardable" flag, which would probably explain the failure to delegate credentials. So perhaps this is a problem with the SSH client on the Cygwin end ("ssh -V" reports "OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012"), rather than Heimdal's? The libdefaults section in krb5.conf on Cygwin does contain "forwardable = yes" and, in contrast to how it happens on Cygwin, the Linux->Linux ssh that does delegate credentials correctly also does obtain a forwardable ticket on the client side.
> 
> TIA for any help.

Going back to the original posting.

The Heimdal that is being used is MobaXTerm's kinit.

What Heimdal is it?

Is it a native Windows build?

The Secure Endpoints distribution with Microsoft LSA support and MIT
credential cache support?

Or the Heimdal that is packaged for Cygwin?

The Heimdal distribution matters because it will determine where the
krb5.conf configuration file is going to be stored.  If you aren't sure,
use "SysInternals Process Monitor" to trace the "kinit.exe" process and
see what files it accesses.

When "kinit" is executed, is the "-f" parameter provided requesting a
"forwardable" ticket granting ticket?

If the ticket granting ticket (TGT) is not forwardable, then none of the
derived tickets will be.  When delegating credentials it is the TGT that
is forwarded to the remote host, not the host/<hostname>@<REALM> service
ticket which is used solely for authentication.

Jeffrey Altman



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
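An added diagnostic, not code from the thread: it parses a `klist -f` dump and reports whether the krbtgt entry itself carries the F (forwardable) flag, which is the check behind the advice above. The two cache dumps are constructed samples that approximate the MIT and Heimdal klist layouts; the realm and host names are placeholders.

```python
"""Check a 'klist -f' dump for a forwardable TGT before trying GSSAPI
credential delegation over ssh.  Samples below are constructed."""
import re

# Flag letters klist prints; 'F' = forwardable, 'f' = forwarded.
FLAG_RE = re.compile(r"^[FfPpTtRrIiAaDdHhOo]+$")
# Service principals look like svc/instance@REALM (never the bare user).
PRINC_RE = re.compile(r"^[^\s@/]+/[^\s@]+@[^\s@]+$")

def parse_klist(text):
    """Map each cached service principal to its flag string.
    Handles MIT style (a 'Flags: ...' line after the ticket) and
    Heimdal style (flag letters in a column before the principal)."""
    tickets, last = {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "Flags:" and last:           # MIT: flags on next line
            tickets[last] = tok[1] if len(tok) > 1 else ""
        elif len(tok) >= 3 and PRINC_RE.match(tok[-1]):
            last = tok[-1]
            tickets[last] = tok[-2] if FLAG_RE.match(tok[-2]) else ""
    return tickets

def tgt_forwardable(text, realm):
    """Return (ok, reason).  Delegation forwards the TGT, so only the
    krbtgt/REALM@REALM entry matters; the host/ ticket's flags do not."""
    tgt = "krbtgt/%s@%s" % (realm, realm)
    flags = parse_klist(text).get(tgt)
    if flags is None:
        return False, "no TGT for realm %s in cache; run kinit" % realm
    if "F" not in flags:
        return False, ("TGT flags %r lack F; use kinit -f or set "
                       "forwardable = yes in [libdefaults]" % flags)
    return True, "TGT is forwardable (flags %s)" % flags

# Constructed MIT-style dump: TGT obtained without -f, so no F flag.
MIT_SAMPLE = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
06/21/2013 12:00:00  06/21/2013 22:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tFlags: RIA
06/21/2013 12:01:00  06/21/2013 22:00:00  host/rhel6.example.com@EXAMPLE.COM
\tFlags: RA
"""
# Constructed Heimdal-style dump: TGT requested forwardable.
HEIMDAL_SAMPLE = """Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: user@EXAMPLE.COM

  Issued                Expires               Flags  Principal
Jun 21 12:00:00 2013  Jun 21 22:00:00 2013  FRIA   krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""
```

On a real client, feed it `klist -f` output: `tgt_forwardable(subprocess.check_output(["klist", "-f"], text=True), "EXAMPLE.COM")`.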