Jeffrey Altman wrote:
> > I am running Heimdal's kinit (as came with MobaXterm 6.2) under
> > Windows 7 to get a ticket from a Windows AD, and then ssh'ing into RHEL
> > 5 and 6 boxes set up to use pam_krb to authenticate against the same
> > Windows AD. gssapi-with-mic authentication succeeds, but credential
> > delegation does not, and I see the same "unknown mech-code 2529639054
> > for mech 1 3 6 1 4 1 311 2 2 10" error(**) previously reported. This is
> > an issue in my environment, where Kerberos-secured NFS is used to
> > provide access to home directories.
> >
> > One thing I did notice is that when I ssh into an RHEL box, afterwards
> > kinit on the client (Cygwin) side shows a ticket for the RHEL host (as
> > expected), yet it shows that the ticket lacks the "forwardable" flag,
> > which would probably explain the failure to delegate credentials. So
> > perhaps this is a problem with the SSH client on the Cygwin end ("ssh -
> > V" reports "OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012"), rather than
> > Heimdal's? The libdefaults section in krb5.conf on Cygwin does contain
> > "forwardable = yes" and in contract to how it happens on Cygwin, the
> > Linux->Linux ssh that does delegate credentials correctly also does
> > obtain a forwardable ticket on the client side.
>
> Going back to the original posting.
>
> The Heimdal that is being used is MobaXTerm's kinit.
>
> What Heimdal is it?
"kinit --version" reports "kinit (Heimdal 1.5.2)". That said, things look
exactly the same with plain Cygwin (which reports the same version of Heimdal)
[snip]
> The Heimdal distribution matters because it will determine where the
> krb5.conf configuration file is going to be stored. If you aren't sure,
> use "SysInternals Process Monitor" to trace the "kinit.exe" process and
> see what files it accesses.
The configuration is stored in /etc/krb5.conf (behavior changes depending on
the contents of that(. I am using the exact same krb5.conf that works correctly
on RHEL.
> When "kinit" is executed, is the "-f" parameter provided requesting a
> "forwardable" ticket granting ticket?
No, but I have "forwardable = yes" under "[libdefaults]" in krb5.conf. I can
run "klist -vvv" and I see that the flags are as follows:
Server: krbtgt/REALM@REALM
Client: anogin@REALM
[...]
Ticket flags: pre-authent, initial, renewable, forwardable
Addresses: addressless
Server: host/sshserver@REALM
Client: anogin@REALM
[...]
Ticket flags: pre-authent
Addresses: addressless
Again, the above is the same with "plain" Cygwin.
