Weird cross-realm behaviour after upgrade to Heimdal 7.3

Andreas Haupt andreas.haupt at desy.de
Tue Jul 4 09:05:41 CEST 2017


Dear all,

we face a weird cross-realm-related issue after the upgrade to Heimdal 7.3
KDCs. The KDC replies with a wrong answer in case the cross-realm key does
not exist. This happens with a Heimdal 1.2.1 KDC:

[wgs03] ~ % ssh -v -o GSSAPIAuthentication=yes lxplus.cern.ch
[...]
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

... and on the KDC side:

Jul  4 08:26:17 kdc-1.2 kdc[13062]: TGS-REQ <myaccount>@MYREALM from IPv4:<MY-IP> for krbtgt/CERN.CH at MYREALM [renewable, forwardable]
Jul  4 08:26:17 kdc-1.2 kdc[13062]: Server not found in database: krbtgt/CERN.CH at MYREALM: No such entry in the database
Jul  4 08:26:17 kdc-1.2 kdc[13062]: Failed building TGS-REP to IPv4:<MY-IP>

That's the correct behaviour. Now with a Heimdal 7.3 KDC:

[wgs03] ~ % ssh -v -o GSSAPIAuthentication=yes lxplus.cern.ch
[...]
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot contact any KDC for realm 'MYREALM'

... and on the KDC side:

Jul  4 08:33:46 kdc-7.3 kdc[12045]: TGS-REQ <myaccount>@MYREALM from IPv4:<MY-IP> for krbtgt/CERN.CH at MYREALM [renewable, forwardable]
Jul  4 08:33:46 kdc-7.3 kdc[12045]: Server not found in database: krbtgt/CERN.CH at MYREALM: Success


This answer seems to make the client think the KDC is somehow malfunctioning,
and it repeats the request with any KDC combination (all KDCs it finds in
/etc/krb5.conf on ports 88 and 750 here). Of course, this causes long timeouts
before the ssh client gives up and asks for a password.

Any idea how to restore the old "Heimdal-1.2-style" behaviour? Is this
considered a bug or a misconfiguration?

Thanks,
Andreas
-- 
| Andreas Haupt            | E-Mail: andreas.haupt at desy.de
|  DESY Zeuthen            | WWW:    http://www-zeuthen.desy.de/~ahaupt
|  Platanenallee 6         | Phone:  +49/33762/7-7359
|  D-15738 Zeuthen         | Fax:    +49/33762/7-7216
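As an added example (not from the post, and not Heimdal's own code), here is a small Python script that scans KDC syslog lines like the ones quoted above and flags cross-realm "Server not found in database" entries whose reason text is not a real error string, which is exactly the 7.3 symptom (": Success") described in the post. The sample log lines, the 192.0.2.10 address and the host/nosuch.example.org principal are constructed for the example; the regex assumes the Heimdal log format shown above, accepting both the "@" and the list archive's " at " spelling of the realm separator.

```python
"""Flag Heimdal KDC 'Server not found in database' log lines whose reason
is not an error string (e.g. 'Success'), the symptom described in the post.
Added example for illustration; not part of Heimdal."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample lines modelled on the post's logs (addresses and the
# host/nosuch principal are made up for this example).
SAMPLE_LOG = """\
Jul  4 08:26:17 kdc-1.2 kdc[13062]: TGS-REQ user@MYREALM from IPv4:192.0.2.10 for krbtgt/CERN.CH at MYREALM [renewable, forwardable]
Jul  4 08:26:17 kdc-1.2 kdc[13062]: Server not found in database: krbtgt/CERN.CH at MYREALM: No such entry in the database
Jul  4 08:26:17 kdc-1.2 kdc[13062]: Failed building TGS-REP to IPv4:192.0.2.10
Jul  4 08:33:46 kdc-7.3 kdc[12045]: TGS-REQ user@MYREALM from IPv4:192.0.2.10 for krbtgt/CERN.CH at MYREALM [renewable, forwardable]
Jul  4 08:33:46 kdc-7.3 kdc[12045]: Server not found in database: krbtgt/CERN.CH at MYREALM: Success
Jul  4 08:33:50 kdc-7.3 kdc[12045]: Server not found in database: host/nosuch.example.org@MYREALM: No such entry in the database
"""

# A principal as logged: 'svc/inst@REALM', or 'svc/inst at REALM' in the
# mailing-list archive rendering used by the post.
PRINCIPAL = r'(?P<server>\S+?)(?:@| at )(?P<realm>\S+)'

NOT_FOUND_RE = re.compile(
    r'kdc\[(?P<pid>\d+)\]: Server not found in database: ' + PRINCIPAL + r': (?P<reason>.*)$'
)

# Reason strings that are genuine lookup errors. Anything else (notably
# 'Success') is a non-error code leaking into an error message.
GENUINE_ERRORS = ("No such entry in the database",)


@dataclass
class Finding:
    pid: str
    server: str
    realm: str
    reason: str
    cross_realm: bool   # request was for a krbtgt of a foreign realm
    suspicious: bool    # reason text is not a genuine error string


def is_cross_realm(server: str, realm: str) -> bool:
    """krbtgt/OTHER@LOCAL is a cross-realm TGT request when OTHER != LOCAL."""
    if not server.startswith("krbtgt/"):
        return False
    target_realm = server.split("/", 1)[1]
    return target_realm != realm


def scan(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per 'Server not found in database' line."""
    findings: List[Finding] = []
    for line in lines:
        m = NOT_FOUND_RE.search(line)
        if not m:
            continue
        reason = m.group("reason").strip()
        findings.append(Finding(
            pid=m.group("pid"),
            server=m.group("server"),
            realm=m.group("realm"),
            reason=reason,
            cross_realm=is_cross_realm(m.group("server"), m.group("realm")),
            suspicious=reason not in GENUINE_ERRORS,
        ))
    return findings


def suspicious_cross_realm(lines: Iterable[str]) -> List[Finding]:
    """Only the findings that match the post's symptom: cross-realm lookup
    failure reported with a non-error reason."""
    return [f for f in scan(lines) if f.cross_realm and f.suspicious]


if __name__ == "__main__":
    for f in suspicious_cross_realm(SAMPLE_LOG.splitlines()):
        print(f"kdc[{f.pid}]: {f.server}@{f.realm} not found, but reason is {f.reason!r}")
```

Run against a real KDC log, the only hits should be lines where a missing principal is reported with a reason such as "Success"; on the 1.2.1 log in the post there are none, on the 7.3 log there is one.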

