Dear all,

We face a weird cross-realm-related issue after the upgrade to Heimdal 7.3
KDCs. The KDC replies with a wrong answer in case the cross-realm key does
not exist. This is what happens with a Heimdal 1.2.1 KDC:

[wgs03] ~ % ssh -v -o GSSAPIAuthentication=yes lxplus.cern.ch
[...]
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

... and on the KDC side:

Jul  4 08:26:17 kdc-1.2 kdc[13062]: TGS-REQ <myaccount>@MYREALM from IPv4:<MY-IP> for krbtgt/CERN.CH@MYREALM [renewable, forwardable]
Jul  4 08:26:17 kdc-1.2 kdc[13062]: Server not found in database: krbtgt/CERN.CH@MYREALM: No such entry in the database
Jul  4 08:26:17 kdc-1.2 kdc[13062]: Failed building TGS-REP to IPv4:<MY-IP>

That's the correct behaviour. Now with a Heimdal 7.3 KDC:

[wgs03] ~ % ssh -v -o GSSAPIAuthentication=yes lxplus.cern.ch
[...]
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot contact any KDC for realm 'MYREALM'

... and on the KDC side:

Jul  4 08:33:46 kdc-7.3 kdc[12045]: TGS-REQ <myaccount>@MYREALM from IPv4:<MY-IP> for krbtgt/CERN.CH@MYREALM [renewable, forwardable]
Jul  4 08:33:46 kdc-7.3 kdc[12045]: Server not found in database: krbtgt/CERN.CH@MYREALM: Success


This answer seems to make the client think the KDC is somehow malfunctioning,
and it repeats the request against every KDC combination (all KDCs it finds in
/etc/krb5.conf, on ports 88 and 750 here). Of course, this causes long timeouts
before the ssh client gives up and asks for a password.

Any idea how to restore the old "Heimdal-1.2-style" behaviour? Is this
considered a bug or a misconfiguration?

Thanks,
Andreas
-- 
| Andreas Haupt            | E-Mail: andreas.ha...@desy.de
|  DESY Zeuthen            | WWW:    http://www-zeuthen.desy.de/~ahaupt
|  Platanenallee 6         | Phone:  +49/33762/7-7359
|  D-15738 Zeuthen         | Fax:    +49/33762/7-7216
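
As an added example (not part of the mail above or of Heimdal itself), a small log check that flags the symptom described in this report: a "Server not found in database" entry for a cross-realm krbtgt principal whose reason text is "Success" instead of a real error. The sample lines are constructed to mirror the excerpts above, with placeholder hostnames, PIDs, principals and addresses, and the wrapped log lines unwrapped.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample KDC log, modelled on the excerpts in the report
# (placeholder host names, PIDs, principal and client address).
SAMPLE_LOG = """\
Jul  4 08:26:17 kdc-1.2 kdc[13062]: TGS-REQ alice@MYREALM from IPv4:10.0.0.5 for krbtgt/CERN.CH@MYREALM [renewable, forwardable]
Jul  4 08:26:17 kdc-1.2 kdc[13062]: Server not found in database: krbtgt/CERN.CH@MYREALM: No such entry in the database
Jul  4 08:26:17 kdc-1.2 kdc[13062]: Failed building TGS-REP to IPv4:10.0.0.5
Jul  4 08:33:46 kdc-7.3 kdc[12045]: TGS-REQ alice@MYREALM from IPv4:10.0.0.5 for krbtgt/CERN.CH@MYREALM [renewable, forwardable]
Jul  4 08:33:46 kdc-7.3 kdc[12045]: Server not found in database: krbtgt/CERN.CH@MYREALM: Success
"""

# Syslog-style prefix, then the Heimdal "Server not found" message with
# the looked-up principal and the trailing reason text.
NOT_FOUND_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kdc\[\d+\]: "
    r"Server not found in database: (?P<princ>\S+): (?P<reason>.*)$"
)


@dataclass
class Finding:
    host: str
    principal: str
    reason: str
    cross_realm: bool   # krbtgt/<REMOTE>@<LOCAL> with REMOTE != LOCAL
    inconsistent: bool  # an error entry whose reason text reads "Success"


def analyze(log_text: str) -> List[Finding]:
    """Extract every 'Server not found' entry and classify it."""
    findings = []
    for line in log_text.splitlines():
        m = NOT_FOUND_RE.match(line)
        if not m:
            continue
        princ = m.group("princ")
        reason = m.group("reason").strip()
        service, _, realm = princ.partition("@")
        cross_realm = (service.startswith("krbtgt/")
                       and service[len("krbtgt/"):] != realm)
        findings.append(Finding(m.group("host"), princ, reason,
                                cross_realm, reason == "Success"))
    return findings


def inconsistent_hosts(log_text: str) -> List[str]:
    """KDC hosts that logged a not-found error with a 'Success' reason."""
    return sorted({f.host for f in analyze(log_text) if f.inconsistent})
```

Running `inconsistent_hosts(SAMPLE_LOG)` on the constructed sample singles out the 7.3 KDC only, so the check can be pointed at real KDC logs to spot which servers answer cross-realm lookups this way.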