Nico Williams wrote:
> On Thu, Aug 10, 2017 at 09:24:08AM +0700, Victor Sudakov wrote:
> > 1. The 7.x kdc did not understand the heimdal.db Kerberos database
> > created by 1.5.2. Are they not compatible? What should I know about
> > this?
>
> Looking at differences in lib/hdb/hdb.asn1... they
On Wed, Aug 09, 2017 at 09:34:32PM -0500, Nico Williams wrote:
>
> FreeBSD hasn't upgraded yet? I thought it had.
Nobody was even willing to think about it until there was an official
release to upgrade to. And now one of the likely suspects to do that
work is investigating an MIT krb5 import
On Thu, Aug 10, 2017 at 09:24:08AM +0700, Victor Sudakov wrote:
> 1. The 7.x kdc did not understand the heimdal.db Kerberos database
> created by 1.5.2. Are they not compatible? What should I know about
> this?
Looking at differences in lib/hdb/hdb.asn1... they should be compatible.
Is it
Roland C. Dowdeswell wrote:
>
> > Now if I destroy the expired ticket by "kdestroy
> > --credential=host/techno..."
> > a new ticket is received and gssapi-with-mic is again successful until
> > the new ticket expires again.
> >
> > I'm beginning to think of a cron job which would destroy
On Wed, Aug 09, 2017 at 09:58:04PM +0700, Victor Sudakov wrote:
>
> Now if I destroy the expired ticket by "kdestroy --credential=host/techno..."
> a new ticket is received and gssapi-with-mic is again successful until
> the new ticket expires again.
>
> I'm beginning to think of a cron job
On Wed, Aug 09, 2017 at 03:06:37PM -0400, Roland C. Dowdeswell wrote:
> It appears that Heimdal 1.5 had incorrect behaviour. The ccache code
> should skip expired credentials when finding service tickets. This looks
> like it was fixed by the following commit:
>
> commit
On Wed, Aug 09, 2017 at 03:01:16PM -0400, Jeffrey Altman wrote:
> I hope this is an unnecessary question, but will all Kerberos libraries
> that parse the file cache know to skip the expired entries and keep
> searching? Or are there implementations that will only return the first
> service
On Wed, Aug 09, 2017 at 01:44:56PM -0500, Nico Williams wrote:
> We do need to re-think re-initialization in the new locking regimen --
> re-init via truncation probably works well enough right now, but mostly
> by accident.
Ah, right, we never do that.
On Wed, Aug 09, 2017 at 06:34:27PM +, Viktor Dukhovni wrote:
> On Wed, Aug 09, 2017 at 01:11:07PM -0500, Nico Williams wrote:
> > On Wed, Aug 09, 2017 at 06:01:26PM +, Viktor Dukhovni wrote:
> > > On Wed, Aug 09, 2017 at 07:34:15PM +0200, Harald Barth wrote:
> > >
> > > > Btw, one of my
On Wed, Aug 09, 2017 at 02:25:11PM -0400, Roland C. Dowdeswell wrote:
> On Wed, Aug 09, 2017 at 01:11:07PM -0500, Nico Williams wrote:
> > Actually, no, the FILE ccache does support deletion, certainly in
> > Heimdal 7.x.
>
> Well, we can invalidate entries but I don't think that we can re-use
>
On Wed, Aug 09, 2017 at 01:11:07PM -0500, Nico Williams wrote:
> On Wed, Aug 09, 2017 at 06:01:26PM +, Viktor Dukhovni wrote:
> > On Wed, Aug 09, 2017 at 07:34:15PM +0200, Harald Barth wrote:
> >
> > > Btw, one of my ticket caches looks like this (probably MIT library):
> > >
> > > Issued
On Wed, Aug 09, 2017 at 06:01:26PM +, Viktor Dukhovni wrote:
> On Wed, Aug 09, 2017 at 07:34:15PM +0200, Harald Barth wrote:
>
> > Btw, one of my ticket caches looks like this (probably MIT library):
> >
> > Issued Expires Principal
> > Aug 5 18:06:47 2017
On Wed, Aug 09, 2017 at 07:34:15PM +0200, Harald Barth wrote:
> Btw, one of my ticket caches looks like this (probably MIT library):
>
> Issued Expires Principal
> Aug 5 18:06:47 2017 Aug 12 18:06:45 2017
> krbtgt/besserwisser@besserwisser.org
> Aug 5
> debug1: Next authentication method: gssapi-with-mic
> debug1: The context has expired
That looks to me like a bug where the library actually should try to
get a new service ticket from the TGT. I don't know if that works in
any heimdal libkrb as most often (at least in my use case) the TGT
Victor Sudakov wrote:
> > Against what gssapi library is your ssh linked
>
> Heimdal 1.5.2 from the FreeBSD 10.3 base system.
>
> > and what does ssh -vvv
> > reveal why gssapi does not proceed?
>
> Next time a service ticket expires, I'll post it here. But don't hold
> your breath, it's
Against what gssapi library is your ssh linked and what does ssh -vvv
reveal why gssapi does not proceed?
Harald.