On Tue 2007-08-28 15:31:44 -0400, Sam Hartman wrote:
> Can I get you to remove the domain_realm mapping, use the etch
> libraries, and set forwardable = false in /etc/krb5.conf.
>
> Then run kinit to get non-forwardable tickets and try curl.
OK, I just did. I used an etch system and tested with both lenny and
etch versions of the krb5 libraries.
Initially, the ticket that I already had had the forwardable flag,
though, so I kdestroy'ed it and fetched a new non-forwardable ticket.
This makes 4 tests total (etch/lenny libs, non/forwardable tickets).
That is, krb5.conf was the same under both tests, but one of the tests
was with an older ticket that was forwardable.
> Do you see additional kdc transactions?
none of the 4 tests showed any attempts to contact either the primary
KDC or the secondary.
> Does it work?
With the etch libraries, I can successfully authenticate (initial HTTP
401 response, followed by a successful 200). With the lenny libs, curl
refuses to Negotiate (terminates after the 401 response):
0 [EMAIL PROTECTED]:~/src/curl/9$ grep HTTP/ */*/headers.txt
forwardable/etchlibs/headers.txt:HTTP/1.1 401 Authorization Required
forwardable/etchlibs/headers.txt:HTTP/1.1 200 OK
forwardable/lennylibs/headers.txt:HTTP/1.1 401 Authorization Required
nonforwardable/etchlibs/headers.txt:HTTP/1.1 401 Authorization Required
nonforwardable/etchlibs/headers.txt:HTTP/1.1 200 OK
nonforwardable/lennylibs/headers.txt:HTTP/1.1 401 Authorization Required
0 [EMAIL PROTECTED]:~/src/curl/9$
There was no significant time delay under any of these tests -- they
all completed in < 1 second, once the initial DNS queries had been
cached.
What does this tell you? Is there anything else I can do to help debug?
Thanks for looking into this. Do you have any recommended
documentation for understanding the nuances of krb5 forwarding and
proxying? I clearly need to read up on this stuff more.
Regards,
--dkg
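The grep above only shows the status lines; to tell "Negotiate completed" apart from "client never answered the challenge" (and from "server never offered Negotiate"), the following added shell example, not part of the original mail, classifies each curl -D headers.txt capture in the same libs/ticket directory layout. It assumes each headers.txt holds only response headers as curl -D writes them; the sample captures are constructed here.

```sh
#!/bin/sh
# negotiate_result FILE -> prints one of: ok, refused, no-negotiate, unknown
# ok           : 401 challenge followed by 200, the Negotiate round trip completed
# refused      : server sent WWW-Authenticate: Negotiate but the client never
#                answered (the lenny-libs behaviour in the mail)
# no-negotiate : a lone 401 without a Negotiate challenge, a server-side issue
negotiate_result() {
    # Collect the status codes in order, e.g. "401 200 " (CRLF-safe: the
    # trailing ".*" swallows the reason phrase and any carriage return).
    statuses=$(sed -n 's/^HTTP\/1\.[01] \([0-9][0-9]*\).*/\1 /p' "$1" | tr -d '\n')
    case "$statuses" in
        "401 200 ")
            echo ok ;;
        "401 ")
            if grep -qi '^WWW-Authenticate: *Negotiate' "$1"; then
                echo refused
            else
                echo no-negotiate
            fi ;;
        *)
            echo unknown ;;
    esac
}

# report_matrix DIR -> one verdict per DIR/<ticket>/<libs>/headers.txt
report_matrix() {
    for f in "$1"/*/*/headers.txt; do
        printf '%s: %s\n' "${f#$1/}" "$(negotiate_result "$f")"
    done
}

# Constructed sample captures mirroring two of the four runs in the mail.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/forwardable/etchlibs" "$demo_dir/forwardable/lennylibs"
printf 'HTTP/1.1 401 Authorization Required\r\nWWW-Authenticate: Negotiate\r\n\r\nHTTP/1.1 200 OK\r\n\r\n' \
    > "$demo_dir/forwardable/etchlibs/headers.txt"
printf 'HTTP/1.1 401 Authorization Required\r\nWWW-Authenticate: Negotiate\r\n\r\n' \
    > "$demo_dir/forwardable/lennylibs/headers.txt"

report_matrix "$demo_dir"
```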