You can import an MIT database into Heimdal with hprop. Google for the details, but you export a MIT dump file with some specific options and then use hprop to read it into Heimdal. There's some place in Switzerland that is running Heimdal slaves to MIT masters in order to respond to AFS authentication requests. (Note there is currently no code to go the other direction.)
Also Heimdal and MIT clients will happily use the other's servers.
On Feb 2, 2005, at 12:56 AM, [EMAIL PROTECTED] wrote:
------------------------------------------------------------------------ ----Date: Wed, 02 Feb 2005 10:54:31 +0200 From: Priit Randla <[EMAIL PROTECTED]> To: kerberos@mit.edu Subject: MIT + Heimdal + openssh == cross realm difficulties Message-ID: <[EMAIL PROTECTED]> Content-Type: text/plain; charset=us-ascii; format=flowed MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Precedence: list Message: 12
Hello,
I already posted following message to heimdal-discuss mailinglist, but, as the
problem involves also MIT Kerberos 5, I'll try my luck here also...
Maybe somebody here is able to help me with my problem involving Heimdal, MIT and openssh... Currently we've got a mixed Kerberos 5 infrastructure in place - MIT Kerberos5 + Windows AD stuff. Usual stuff - user data on LDAP, password verification with Kerberos. Our applications are relying on ticket-forwarding extensively, so whatever we do, ticket forward has to work. Now, as we're changing our Linux-platform to SuSe, we're going to migrate to Heimdal. Unfortunately ;-) until we're finished with migration, we've got to run both MIT and Heimdal clients and kdc's - so I've got to implement some kind of cross realm trust between our 3 Kerberos realms (MIT, Heimdal, AD). As a first step, i'd like to get cross-realm authentication to work for openssh with gssapi.
What I've got: MIT kdc and clients are version 1.3.4 Heimdal kdc and clients are 0.6.1rc3 as found in SuSe 9.0 I tried various versions of openssh, currently i've got latest-and-greatest 3.9p1 with patches for #918 and #922 from bugzilla on both MIT and Heimdal based computers. Let's say I've got realms: AAA default on MIT based machines, BBB on Heimdal ones.
What I've done:
1. Installed Heimdal kdc, created realm BBB and some principals for
users and involved hosts.
2. Battled pam on SuSe to obtain TGT on login, verified, that ticket
forward works within realm BBB.
3. Created principals for cross-realm authentication: krbtgt/[EMAIL PROTECTED] and
krbtgt/[EMAIL PROTECTED] on both MIT and Heimdal kdc's,
verified that kvno's, enctypes and passwords are all the same.
4. Verified, that both ssh_config contains options GSSAPIAuthentication
yes,GSSAPIDelegateCredentials yes ; sshd_config
has GSSAPIAuthentication yes.
5. Verified that I can do kgetcred krbtgt/[EMAIL PROTECTED] and krbtgt/[EMAIL PROTECTED],
tgt for [EMAIL PROTECTED] is forwardable, others aren't.
Now, when I attempt ssh connection as [EMAIL PROTECTED] on 172.26.209.15 using
MIT to machine srv1.bbb which uses Heimdal, i got following debug
information:
...
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Miscellaneous failure
Requested effective lifetime is negative or too short ( -> Kerberos
error KRB5KDC_ERR_NEVER_VALID )
debug1: Trying to start again
.... and ssh prompts for a password.
MIT kdc (AAA) log says:
Feb 1 10:25:39 [EMAIL PROTECTED] krb5kdc[20593]: AS_REQ (7 etypes {18 17 16 23 1
3 2}) 172.26.209.15: ISSUE: authtime 1107246339,
etypes {rep=1 tkt=1 ses=1}, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
Feb 1 10:26:35 [EMAIL PROTECTED] krb5kdc[20593]: TGS_REQ (7 etypes {18 17 16 23
1 3 2}) 172.26.209.15: ISSUE: authtime 1107246339, etypes {rep=1 tkt=1
ses=1}, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
Feb 1 10:26:35 [EMAIL PROTECTED] krb5kdc[20593]: TGS_REQ (7 etypes {18 17 16 23
1 3 2}) 172.26.209.15: ISSUE: authtime 1107246339, etypes {rep=1 tkt=1
ses=1}, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
Heimdal kdc (BBB) logs says: TGS-REQ [EMAIL PROTECTED] from IPv4:172.26.209.15 for host/[EMAIL PROTECTED] [renewable, forwardable] Client not found in database: [EMAIL PROTECTED]: No such entry in the database cross-realm AAA -> BBB sending 131 bytes to IPv4:172.26.209.15
krb5.conf has both realms described on all involved computers and ticket
forward works for AAA->AAA and BBB->BBB.
Where should I look next? Anything? Kindly please ... :-).
Priit
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[EMAIL PROTECTED], or [EMAIL PROTECTED]
________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
