Message-ID: <51C4855C.5050206@openafs.org>
Date: Fri, 21 Jun 2013 12:54:52 -0400
From: Jeffrey Altman
To: cygwin AT cygwin DOT com
Subject: Unable to delegate credentials from Cygwin ssh client was Re: Heimdal 1.5.2: "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10"
References: <409A0E510096B044A0EE3778BB3F1F5C01379C903ECD AT EXMAIL DOT hrl DOT com>
In-Reply-To: <409A0E510096B044A0EE3778BB3F1F5C01379C903ECD@EXMAIL.hrl.com>

On 6/14/2013 5:39 PM, Nogin, Aleksey wrote:
> I am experiencing the same error that Corinna Vinschen has reported on the cygwin-apps mailing list about a year ago without any obvious resolution(*), and I was wondering whether somebody was able to resolve it since.
>
> I am running Heimdal's kinit (as came with MobaXterm 6.2) under Windows 7 to get a ticket from a Windows AD, and then ssh'ing into RHEL 5 and 6 boxes set up to use pam_krb to authenticate against the same Windows AD. gssapi-with-mic authentication succeeds, but credential delegation does not, and I see the same "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10" error(**) previously reported. This is an issue in my environment, where Kerberos-secured NFS is used to provide access to home directories.
>
> One thing I did notice is that when I ssh into an RHEL box, afterwards kinit on the client (Cygwin) side shows a ticket for the RHEL host (as expected), yet it shows that the ticket lacks the "forwardable" flag, which would probably explain the failure to delegate credentials. So perhaps this is a problem with the SSH client on the Cygwin end ("ssh -V" reports "OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012"), rather than Heimdal's? The libdefaults section in krb5.conf on Cygwin does contain "forwardable = yes" and, in contrast to how it happens on Cygwin, the Linux->Linux ssh that does delegate credentials correctly also does obtain a forwardable ticket on the client side.
>
> TIA for any help.

Going back to the original posting. The Heimdal that is being used is MobaXTerm's kinit. What Heimdal is it? Is it a native Windows build? The Secure Endpoints distribution with Microsoft LSA support and MIT credential cache support? Or the Heimdal that is packaged for Cygwin?

The Heimdal distribution matters because it will determine where the krb5.conf configuration file is going to be stored. If you aren't sure, use "SysInternals Process Monitor" to trace the "kinit.exe" process and see what files it accesses.

When "kinit" is executed, is the "-f" parameter provided requesting a "forwardable" ticket granting ticket? If the ticket granting ticket (TGT) is not forwardable, then none of the derived tickets will be. When delegating credentials it is the TGT that is forwarded to the remote host, not the host/@ service ticket which is used solely for authentication.

Jeffrey Altman
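The diagnosis in the reply above (ssh forwards the TGT, so delegation fails whenever the TGT itself lacks the forwardable flag, regardless of what the host/ service ticket shows) can be checked mechanically from the credential cache listing. The following is an added example, not code from the thread or from Heimdal, MIT or Cygwin: it parses MIT-style `klist -f` output, locates the krbtgt entry and reports whether the F flag is present. The sample listing, the principal names and the date layout are constructed; Heimdal's klist prints its flags column inline rather than on a separate `Flags:` line, so its output would need a different regular expression.

```python
"""Check a klist -f listing for a forwardable TGT (added example, not from the thread)."""
import re
from typing import Dict, List, Optional

# Constructed sample of MIT-style ``klist -f`` output from a client whose kinit was
# run without -f: the TGT carries RIA (renewable, initial, preauth) but no F flag,
# so the host/ service ticket derived from it is not forwardable either.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
06/21/2013 12:00:00  06/21/2013 22:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tFlags: RIA
06/21/2013 12:05:00  06/21/2013 22:00:00  host/rhel.example.com@EXAMPLE.COM
\tFlags: RA
"""

# One ticket line: start timestamp, expiry timestamp, service principal.
TICKET_RE = re.compile(
    r"^(?P<start>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<expires>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<principal>\S+)$"
)
# The indented "Flags:" line that MIT klist -f prints under each ticket.
FLAGS_RE = re.compile(r"^\s+Flags:\s*(?P<flags>[A-Za-z]*)")


def parse_klist(text: str) -> List[Dict[str, str]]:
    """Return one dict per ticket with its service principal, expiry and flag letters."""
    tickets: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"principal": m["principal"],
                            "expires": m["expires"], "flags": ""})
            continue
        f = FLAGS_RE.match(line)
        if f and tickets:
            tickets[-1]["flags"] = f["flags"]
    return tickets


def find_tgt(tickets: List[Dict[str, str]],
             realm: Optional[str] = None) -> Optional[Dict[str, str]]:
    """The TGT is the krbtgt/<REALM>@<REALM> entry; realm=None takes the first one."""
    for t in tickets:
        if t["principal"].startswith("krbtgt/"):
            if realm is None or t["principal"].endswith("@" + realm):
                return t
    return None


def check_delegation(text: str) -> Dict[str, object]:
    """Diagnose whether GSSAPI credential delegation can work from this cache.

    ssh forwards the TGT, not the host/ service ticket, so the F (forwardable)
    flag has to be on the TGT; tickets derived from a non-forwardable TGT
    cannot be forwardable.
    """
    tickets = parse_klist(text)
    tgt = find_tgt(tickets)
    if tgt is None:
        return {"ok": False, "reason": "no krbtgt ticket in cache (run kinit first)"}
    if "F" not in tgt["flags"]:
        return {"ok": False, "tgt_flags": tgt["flags"],
                "reason": "TGT is not forwardable: re-run kinit with -f, or set "
                          "forwardable = true in [libdefaults] of the krb5.conf "
                          "that this kinit actually reads"}
    # Informational: service tickets in the cache that still lack F.
    non_fwd = [t["principal"] for t in tickets
               if not t["principal"].startswith("krbtgt/") and "F" not in t["flags"]]
    return {"ok": True, "tgt_flags": tgt["flags"], "non_forwardable_service": non_fwd}


if __name__ == "__main__":
    # On a real client: check_delegation(subprocess.check_output(["klist", "-f"], text=True))
    print(check_delegation(SAMPLE_KLIST))
```

Run against the sample it reports the TGT flags as RIA and points at kinit -f / the libdefaults setting; the same parser over a listing whose TGT shows FRIA returns ok. Because the reply's point is that the krb5.conf in effect depends on which Heimdal build kinit.exe is, the check is most useful right after tracing which configuration file that binary opened.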