Dear all, we face a weird cross-realm-related issue after the upgrade to Heimdal 7.3 KDCs. The KDC replies with a wrong answer in case the cross-realm key does not exist. This happens with a Heimdal 1.2.1 KDC:
[wgs03] ~ % ssh -v -o GSSAPIAuthentication=yes lxplus.cern.ch
[...]
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database

... and on the KDC side:

Jul 4 08:26:17 kdc-1.2 kdc[13062]: TGS-REQ <myaccount>@MYREALM from IPv4:<MY-IP> for krbtgt/CERN.CH@MYREALM [renewable, forwardable]
Jul 4 08:26:17 kdc-1.2 kdc[13062]: Server not found in database: krbtgt/CERN.CH@MYREALM: No such entry in the database
Jul 4 08:26:17 kdc-1.2 kdc[13062]: Failed building TGS-REP to IPv4:<MY-IP>

That's the correct behaviour. Now with a Heimdal 7.3 KDC:

[wgs03] ~ % ssh -v -o GSSAPIAuthentication=yes lxplus.cern.ch
[...]
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot contact any KDC for realm 'MYREALM'

... and on the KDC side:

Jul 4 08:33:46 kdc-7.3 kdc[12045]: TGS-REQ <myaccount>@MYREALM from IPv4:<MY-IP> for krbtgt/CERN.CH@MYREALM [renewable, forwardable]
Jul 4 08:33:46 kdc-7.3 kdc[12045]: Server not found in database: krbtgt/CERN.CH@MYREALM: Success

This answer seems to make the client think the KDC is somehow malfunctioning and repeats the request with any KDC combination (all KDCs it finds in /etc/krb5.conf on ports 88 and 750 here). Of course, it causes long timeouts before the ssh client gives up and asks for a password.

Any idea to restore the old "Heimdal-1.2-style" behaviour? Is this considered a bug or misconfiguration?

Thanks,
Andreas

--
| Andreas Haupt         | E-Mail: [email protected]
| DESY Zeuthen          | WWW:    http://www-zeuthen.desy.de/~ahaupt
| Platanenallee 6       | Phone:  +49/33762/7-7359
| D-15738 Zeuthen       | Fax:    +49/33762/7-7216
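The two KDC log excerpts above differ only in the last field of the "Server not found in database" line: the 1.2.1 KDC logs a real error text, the 7.3 KDC logs "Success" (i.e. an errno of 0 where an error was expected). The following log-triage script is an added example, not code from the mail or from the Heimdal project; it pairs each TGS-REQ with the "Server not found" line from the same kdc worker, marks cross-realm requests (krbtgt/<other realm>@<own realm>), and flags entries whose reason text is "Success" so that affected KDCs can be spotted in a log stream. The sample log lines are constructed (client name and IP are placeholders), and the syslog layout assumed by the regular expressions is the one shown in the mail.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample lines, modelled on the two KDC excerpts in the mail
# (hostnames, client principal and address are placeholders, not real data).
SAMPLE_LOG = """\
Jul 4 08:26:17 kdc-1.2 kdc[13062]: TGS-REQ alice@MYREALM from IPv4:192.0.2.10 for krbtgt/CERN.CH@MYREALM [renewable, forwardable]
Jul 4 08:26:17 kdc-1.2 kdc[13062]: Server not found in database: krbtgt/CERN.CH@MYREALM: No such entry in the database
Jul 4 08:26:17 kdc-1.2 kdc[13062]: Failed building TGS-REP to IPv4:192.0.2.10
Jul 4 08:33:46 kdc-7.3 kdc[12045]: TGS-REQ alice@MYREALM from IPv4:192.0.2.10 for krbtgt/CERN.CH@MYREALM [renewable, forwardable]
Jul 4 08:33:46 kdc-7.3 kdc[12045]: Server not found in database: krbtgt/CERN.CH@MYREALM: Success
"""

# Syslog prefix as it appears in the mail: "<Mon> <day> <hh:mm:ss> <host> kdc[<pid>]: "
_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kdc\[(?P<pid>\d+)\]: "
TGS_REQ_RE = re.compile(_PREFIX + r"TGS-REQ (?P<client>\S+) from (?P<addr>\S+) for (?P<server>\S+)")
NOT_FOUND_RE = re.compile(_PREFIX + r"Server not found in database: (?P<server>\S+): (?P<reason>.+)$")
# A cross-realm TGT request names krbtgt/<destination realm>@<source realm>.
CROSS_REALM_RE = re.compile(r"^krbtgt/(?P<dst>[^@]+)@(?P<src>.+)$")


@dataclass
class Finding:
    host: str          # KDC that logged the error
    client: str        # client principal from the preceding TGS-REQ ("?" if unpaired)
    server: str        # requested service principal
    reason: str        # error text the KDC attached to the lookup failure
    cross_realm: bool  # True if the request was for a foreign realm's krbtgt
    suspicious: bool   # True if the KDC logged "Success" as the failure reason


def analyse(log: str) -> List[Finding]:
    """Pair TGS-REQ lines with 'Server not found' lines per KDC worker and classify them."""
    findings: List[Finding] = []
    pending: Dict[Tuple[str, str], str] = {}  # (host, pid) -> client of last TGS-REQ
    for line in log.splitlines():
        m = TGS_REQ_RE.match(line)
        if m:
            pending[(m["host"], m["pid"])] = m["client"]
            continue
        m = NOT_FOUND_RE.match(line)
        if not m:
            continue
        client = pending.pop((m["host"], m["pid"]), "?")
        cr = CROSS_REALM_RE.match(m["server"])
        cross_realm = bool(cr and cr["dst"] != cr["src"])
        # "Success" as the reason means the KDC reported errno 0 for a failed
        # lookup; that is the 7.3 symptom described in the mail.
        suspicious = m["reason"].strip() == "Success"
        findings.append(Finding(m["host"], client, m["server"], m["reason"], cross_realm, suspicious))
    return findings


def suspicious_hosts(log: str) -> List[str]:
    """Return the KDC hostnames that logged a 'Success' reason for a missing principal."""
    return sorted({f.host for f in analyse(log) if f.suspicious})


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        kind = "cross-realm" if f.cross_realm else "local"
        print(f"{f.host}: {f.client} -> {f.server} ({kind}) reason={f.reason!r} [{flag}]")
    print("KDCs to look at:", suspicious_hosts(SAMPLE_LOG))
```

Feed it a real KDC log with `analyse(open(path).read())`; the pairing is keyed on host and worker pid because a busy KDC interleaves lines from several workers. The script only identifies KDCs showing the symptom; it says nothing about which error code actually went out on the wire to the client.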
