Hi Jeffrey,

On Mon, 2017-07-10 at 08:32 -0400, Jeffrey Hutzelman wrote:
> This is a bug in the kdc, or possibly two bugs. First, the database lookup
> failed and no entry was returned, but the error code was not set and so
> remained zero, which com_err translates as "Success".
>
> Second, the kdc is not sending any response at all. That causes the client
> to eventually time out and try another kdc. When it runs out of kdcs, it
> reports an error (unable to contact any kdc in realm).
>
> You can confirm this by watching traffic between your client and kdc on
> port 88, using your favorite packet-capture tool.
Exactly! That's indeed the problem here!

Just moved on to real test systems now.

141.34.32.72  -> SL7 client (GSSAPI-enabled system's ssh)
141.34.22.251 -> Heimdal-7.3 server

The test client only knows about the test Heimdal-7.3 server 141.34.22.251.

---
[chap-vm1] ~ % ssh -vvv lxplus.cern.ch
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
[...]
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot contact any KDC for realm 'IFH.DE'
[...]
Password:
---

This is what is captured as traffic between client and KDC:

---
[chap-vm1] /root # tshark host test-kdc -t a
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
  1 16:06:43.529842068 141.34.32.72 -> 141.34.22.251 KRB5 990 TGS-REQ
  2 16:06:44.532691656 141.34.32.72 -> 141.34.22.251 UDP 990 Source port: 48551  Destination port: loadav
  3 16:06:45.533928362 141.34.32.72 -> 141.34.22.251 TCP 74 52164 > kerberos [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1035010913 TSecr=0 WS=128
  4 16:06:45.534376809 141.34.22.251 -> 141.34.32.72 TCP 74 kerberos > 52164 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=1816942862 TSecr=1035010913 WS=128
  5 16:06:45.534427289 141.34.32.72 -> 141.34.22.251 TCP 66 52164 > kerberos [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1035010914 TSecr=1816942862
  6 16:06:45.534545716 141.34.32.72 -> 141.34.22.251 KRB5 1018 TGS-REQ
  7 16:06:45.534903298 141.34.22.251 -> 141.34.32.72 TCP 66 kerberos > 52164 [ACK] Seq=1 Ack=953 Win=30976 Len=0 TSval=1816942863 TSecr=1035010914
  8 16:06:45.536931301 141.34.22.251 -> 141.34.32.72 TCP 66 kerberos > 52164 [FIN, ACK] Seq=1 Ack=953 Win=30976 Len=0 TSval=1816942865 TSecr=1035010914
  9 16:06:45.537047128 141.34.32.72 -> 141.34.22.251 TCP 66 52164 > kerberos [FIN, ACK] Seq=953 Ack=2 Win=29312 Len=0 TSval=1035010916 TSecr=1816942865
 10 16:06:45.542447536 141.34.22.251 -> 141.34.32.72 TCP 66 kerberos > 52164 [ACK] Seq=2 Ack=954 Win=30976 Len=0 TSval=1816942870 TSecr=1035010916
 11 16:06:48.536256407 141.34.32.72 -> 141.34.22.251 KRB5 990 TGS-REQ
 12 16:06:49.537370582 141.34.32.72 -> 141.34.22.251 UDP 990 Source port: 48551  Destination port: loadav
 13 16:06:54.542592820 141.34.32.72 -> 141.34.22.251 KRB5 990 TGS-REQ
 14 16:06:55.543675219 141.34.32.72 -> 141.34.22.251 UDP 990 Source port: 48551  Destination port: loadav
---

And the matching KDC logs:

---
Jul 11 16:06:43 chip-vm8 kdc[17992]: TGS-REQ aha...@ifh.de from IPv4:141.34.32.72 for host/lxplus010.cern...@ifh.de [canonicalize, renewable, forwardable]
Jul 11 16:06:43 chip-vm8 kdc[17992]: Searching referral for lxplus010.cern.ch
Jul 11 16:06:43 chip-vm8 kdc[17992]: Server not found in database: krbtgt/cern...@ifh.de: Success
Jul 11 16:06:44 chip-vm8 kdc[17992]: TGS-REQ aha...@ifh.de from IPv4:141.34.32.72 for host/lxplus010.cern...@ifh.de [canonicalize, renewable, forwardable]
Jul 11 16:06:44 chip-vm8 kdc[17992]: Searching referral for lxplus010.cern.ch
Jul 11 16:06:44 chip-vm8 kdc[17992]: Server not found in database: krbtgt/cern...@ifh.de: Success
Jul 11 16:06:45 chip-vm8 kdc[17992]: TGS-REQ aha...@ifh.de from IPv4:141.34.32.72 for host/lxplus010.cern...@ifh.de [canonicalize, renewable, forwardable]
Jul 11 16:06:45 chip-vm8 kdc[17992]: Searching referral for lxplus010.cern.ch
Jul 11 16:06:45 chip-vm8 kdc[17992]: Server not found in database: krbtgt/cern...@ifh.de: Success
Jul 11 16:06:48 chip-vm8 kdc[17992]: TGS-REQ aha...@ifh.de from IPv4:141.34.32.72 for host/lxplus010.cern...@ifh.de [canonicalize, renewable, forwardable]
Jul 11 16:06:48 chip-vm8 kdc[17992]: Searching referral for lxplus010.cern.ch
Jul 11 16:06:48 chip-vm8 kdc[17992]: Server not found in database: krbtgt/cern...@ifh.de: Success
Jul 11 16:06:49 chip-vm8 kdc[17992]: TGS-REQ aha...@ifh.de from IPv4:141.34.32.72 for host/lxplus010.cern...@ifh.de [canonicalize, renewable, forwardable]
Jul 11 16:06:49 chip-vm8 kdc[17992]: Searching referral for lxplus010.cern.ch
Jul 11 16:06:49 chip-vm8 kdc[17992]: Server not found in database: krbtgt/cern...@ifh.de: Success
Jul 11 16:06:54 chip-vm8 kdc[17992]: TGS-REQ aha...@ifh.de from IPv4:141.34.32.72 for host/lxplus010.cern...@ifh.de [canonicalize, renewable, forwardable]
Jul 11 16:06:54 chip-vm8 kdc[17992]: Searching referral for lxplus010.cern.ch
Jul 11 16:06:54 chip-vm8 kdc[17992]: Server not found in database: krbtgt/cern...@ifh.de: Success
Jul 11 16:06:55 chip-vm8 kdc[17992]: TGS-REQ aha...@ifh.de from IPv4:141.34.32.72 for host/lxplus010.cern...@ifh.de [canonicalize, renewable, forwardable]
Jul 11 16:06:55 chip-vm8 kdc[17992]: Searching referral for lxplus010.cern.ch
Jul 11 16:06:55 chip-vm8 kdc[17992]: Server not found in database: krbtgt/cern...@ifh.de: Success
---

Opened bug report: https://github.com/heimdal/heimdal/issues/299

Cheers,
Andreas

-- 
| Andreas Haupt             | E-Mail: andreas.ha...@desy.de
| DESY Zeuthen              | WWW:    http://www-zeuthen.desy.de/~ahaupt
| Platanenallee 6           | Phone:  +49/33762/7-7359
| D-15738 Zeuthen           | Fax:    +49/33762/7-7216
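A small defender-side check, added here and not part of the original post or of Heimdal: it pairs the two symptoms Jeffrey describes, a KDC log that records a failed database lookup with the error text "Success" and a capture in which a client's KRB5 requests draw no KRB5 reply at all. The sample tshark and log lines are constructed after the ones posted above; the second client (141.34.32.73), its TGS-REP and the last log line are invented as a healthy control case.

```python
import re
from collections import Counter

# Constructed samples modelled on the tshark summary and KDC log in the
# thread. Client .73, its TGS-REP and the last log line are invented as a
# healthy control case; everything else mirrors the posted output.
TSHARK_SAMPLE = """\
1 16:06:43.529842068 141.34.32.72 -> 141.34.22.251 KRB5 990 TGS-REQ
2 16:06:44.532691656 141.34.32.72 -> 141.34.22.251 UDP 990 Source port: 48551  Destination port: loadav
6 16:06:45.534545716 141.34.32.72 -> 141.34.22.251 KRB5 1018 TGS-REQ
8 16:06:45.536931301 141.34.22.251 -> 141.34.32.72 TCP 66 kerberos > 52164 [FIN, ACK] Seq=1 Ack=953
15 16:07:01.000000000 141.34.32.73 -> 141.34.22.251 KRB5 990 TGS-REQ
16 16:07:01.002000000 141.34.22.251 -> 141.34.32.73 KRB5 1100 TGS-REP
"""
KDC_LOG_SAMPLE = """\
Jul 11 16:06:43 chip-vm8 kdc[17992]: TGS-REQ aha...@ifh.de from IPv4:141.34.32.72 for host/lxplus010.cern...@ifh.de [canonicalize, renewable, forwardable]
Jul 11 16:06:43 chip-vm8 kdc[17992]: Searching referral for lxplus010.cern.ch
Jul 11 16:06:43 chip-vm8 kdc[17992]: Server not found in database: krbtgt/cern...@ifh.de: Success
Jul 11 16:07:01 chip-vm8 kdc[17992]: Server not found in database: krbtgt/other.example@ifh.de: No such entry in the database
"""

# Only frames tshark dissected as KRB5 carry a src/dst/message we can trust;
# the bare UDP retransmit (frame 2) and the TCP FIN (frame 8) are not replies.
PKT_RE = re.compile(r"^\s*\d+\s+\S+\s+(?P<src>\S+) -> (?P<dst>\S+)\s+KRB5\s+\d+\s+(?P<msg>\S+)")

def krb5_balance(tshark_text, kdc_ip):
    """Per client IP: (KRB5 requests sent to the KDC, KRB5 frames received back)."""
    reqs, reps = Counter(), Counter()
    for line in tshark_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        if m["dst"] == kdc_ip:
            reqs[m["src"]] += 1
        elif m["src"] == kdc_ip:      # TGS-REP or KRB-ERROR both count as an answer
            reps[m["dst"]] += 1
    return {c: (reqs[c], reps[c]) for c in set(reqs) | set(reps)}

def silent_clients(tshark_text, kdc_ip):
    """Clients whose requests drew no KRB5 answer: the 'Cannot contact any KDC' case."""
    return sorted(c for c, (rq, rp) in krb5_balance(tshark_text, kdc_ip).items()
                  if rq and not rp)

LOOKUP_RE = re.compile(r"Server not found in database: (?P<princ>\S+): (?P<err>.*)$")

def lookups_reported_as_success(log_text):
    """Principals whose failed lookup was logged with error text 'Success',
    i.e. the lookup failed but the KDC never set an error code."""
    return [m["princ"] for m in map(LOOKUP_RE.search, log_text.splitlines())
            if m and m["err"] == "Success"]
```

Feed it `tshark -t a` output and the KDC log for the same window; a client listed by `silent_clients` together with any hit from `lookups_reported_as_success` is the signature of this bug rather than of an unreachable KDC.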