From: "Nogin, Aleksey" <anogin AT hrl DOT com>
To: "cygwin AT cygwin DOT com" <cygwin AT cygwin DOT com>
Date: Mon, 24 Jun 2013 22:23:21 -0700
Subject: RE: Unable to delegate credentials from Cygwin ssh client was Re: Heimdal 1.5.2: "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10"
Message-ID: <409A0E510096B044A0EE3778BB3F1F5C01379C904239@EXMAIL.hrl.com>
References: <409A0E510096B044A0EE3778BB3F1F5C01379C903ECD AT EXMAIL DOT hrl DOT com> <51C4855C DOT 5050206 AT openafs DOT org>
In-Reply-To: <51C4855C.5050206@openafs.org>
Jeffrey Altman wrote:
> > I am running Heimdal's kinit (as came with MobaXterm 6.2) under
> > Windows 7 to get a ticket from a Windows AD, and then ssh'ing into RHEL
> > 5 and 6 boxes set up to use pam_krb to authenticate against the same
> > Windows AD. gssapi-with-mic authentication succeeds, but credential
> > delegation does not, and I see the same "unknown mech-code 2529639054
> > for mech 1 3 6 1 4 1 311 2 2 10" error(**) previously reported. This is
> > an issue in my environment, where Kerberos-secured NFS is used to
> > provide access to home directories.
> >
> > One thing I did notice is that when I ssh into an RHEL box, afterwards
> > kinit on the client (Cygwin) side shows a ticket for the RHEL host (as
> > expected), yet it shows that the ticket lacks the "forwardable" flag,
> > which would probably explain the failure to delegate credentials. So
> > perhaps this is a problem with the SSH client on the Cygwin end ("ssh -
> > V" reports "OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012"), rather than
> > Heimdal's? The libdefaults section in krb5.conf on Cygwin does contain
> > "forwardable = yes" and in contrast to how it happens on Cygwin, the
> > Linux->Linux ssh that does delegate credentials correctly also does
> > obtain a forwardable ticket on the client side.
>
> Going back to the original posting.
>
> The Heimdal that is being used is MobaXTerm's kinit.
>
> What Heimdal is it?
"kinit --version" reports "kinit (Heimdal 1.5.2)". That said, things look exactly the same with plain Cygwin (which reports the same version of Heimdal).
[snip]
> The Heimdal distribution matters because it will determine where the
> krb5.conf configuration file is going to be stored. If you aren't sure,
> use "SysInternals Process Monitor" to trace the "kinit.exe" process and
> see what files it accesses.
The configuration is stored in /etc/krb5.conf (behavior changes depending on the contents of that). I am using the exact same krb5.conf that works correctly on RHEL.
> When "kinit" is executed, is the "-f" parameter provided requesting a
> "forwardable" ticket granting ticket?
No, but I have "forwardable = yes" under "[libdefaults]" in krb5.conf. I can run "klist -vvv" and I see that the flags are as follows:
Server: krbtgt/REALM AT REALM
Client: anogin AT REALM
[...]
Ticket flags: pre-authent, initial, renewable, forwardable
Addresses: addressless
Server: host/sshserver AT REALM
Client: anogin AT REALM
[...]
Ticket flags: pre-authent
Addresses: addressless
Again, the above is the same with "plain" Cygwin.
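The "klist -vvv" excerpt above is the kind of output a practitioner would scan by hand when GSSAPI delegation fails; the following script, added here and not part of the original thread, parses that output and reports every cached ticket whose flags lack "forwardable". The sample text is constructed to mirror the poster's two tickets (placeholder REALM and host names).

```python
"""Scan Heimdal 'klist -vvv' output for tickets missing the forwardable flag.

Added example, not code from the original thread or from Heimdal/Cygwin.
The sample below is constructed to match the flags the poster reported:
a forwardable TGT but a host/ service ticket with only 'pre-authent'.
"""
import re
from typing import Dict, List

# Constructed sample shaped like the klist excerpt in the message.
SAMPLE_KLIST = """\
Server: krbtgt/REALM@REALM
Client: anogin@REALM
Ticket etype: aes256-cts-hmac-sha1-96
Ticket flags: pre-authent, initial, renewable, forwardable
Addresses: addressless

Server: host/sshserver@REALM
Client: anogin@REALM
Ticket etype: aes256-cts-hmac-sha1-96
Ticket flags: pre-authent
Addresses: addressless
"""


def parse_klist(text: str) -> Dict[str, List[str]]:
    """Map each 'Server:' principal to the list of flags on its ticket."""
    tickets: Dict[str, List[str]] = {}
    server = None
    for line in text.splitlines():
        m = re.match(r"^Server:\s*(\S+)", line)
        if m:
            server = m.group(1)
            tickets[server] = []
            continue
        m = re.match(r"^Ticket flags:\s*(.*)$", line)
        if m and server is not None:
            tickets[server] = [f.strip() for f in m.group(1).split(",") if f.strip()]
    return tickets


def delegation_problems(tickets: Dict[str, List[str]]) -> List[str]:
    """Return one line per ticket that lacks 'forwardable'; empty means
    every cached ticket carries the flag credential delegation needs."""
    return [f"{server}: flags {flags} lack 'forwardable'"
            for server, flags in tickets.items() if "forwardable" not in flags]


if __name__ == "__main__":
    # Run on a real cache with: klist -vvv | python3 this_script.py (adapt stdin as needed)
    for problem in delegation_problems(parse_klist(SAMPLE_KLIST)):
        print(problem)
```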