This is the mail archive of the
cygwin
mailing list for the Cygwin project.
RE: Unable to delegate credentials from Cygwin ssh client was Re: Heimdal 1.5.2: "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10"
- From: "Nogin, Aleksey" <anogin at hrl dot com>
- To: "cygwin at cygwin dot com" <cygwin at cygwin dot com>
- Date: Mon, 24 Jun 2013 22:23:21 -0700
- Subject: RE: Unable to delegate credentials from Cygwin ssh client was Re: Heimdal 1.5.2: "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10"
- References: <409A0E510096B044A0EE3778BB3F1F5C01379C903ECD at EXMAIL dot hrl dot com> <51C4855C dot 5050206 at openafs dot org>
Jeffrey Altman wrote:
> > I am running Heimdal's kinit (as came with MobaXterm 6.2) under
> > Windows 7 to get a ticket from a Windows AD, and then ssh'ing into RHEL
> > 5 and 6 boxes set up to use pam_krb to authenticate against the same
> > Windows AD. gssapi-with-mic authentication succeeds, but credential
> > delegation does not, and I see the same "unknown mech-code 2529639054
> > for mech 1 3 6 1 4 1 311 2 2 10" error(**) previously reported. This is
> > an issue in my environment, where Kerberos-secured NFS is used to
> > provide access to home directories.
> >
> > One thing I did notice is that when I ssh into an RHEL box, afterwards
> > kinit on the client (Cygwin) side shows a ticket for the RHEL host (as
> > expected), yet it shows that the ticket lacks the "forwardable" flag,
> > which would probably explain the failure to delegate credentials. So
> > perhaps this is a problem with the SSH client on the Cygwin end ("ssh -
> > V" reports "OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012"), rather than
> > Heimdal's? The libdefaults section in krb5.conf on Cygwin does contain
> > "forwardable = yes" and in contract to how it happens on Cygwin, the
> > Linux->Linux ssh that does delegate credentials correctly also does
> > obtain a forwardable ticket on the client side.
>
> Going back to the original posting.
>
> The Heimdal that is being used is MobaXTerm's kinit.
>
> What Heimdal is it?
"kinit --version" reports "kinit (Heimdal 1.5.2)". That said, things look exactly the same with plain Cygwin (which reports the same version of Heimdal)
[snip]
> The Heimdal distribution matters because it will determine where the
> krb5.conf configuration file is going to be stored. If you aren't sure,
> use "SysInternals Process Monitor" to trace the "kinit.exe" process and
> see what files it accesses.
The configuration is stored in /etc/krb5.conf (behavior changes depending on the contents of that(. I am using the exact same krb5.conf that works correctly on RHEL.
> When "kinit" is executed, is the "-f" parameter provided requesting a
> "forwardable" ticket granting ticket?
No, but I have "forwardable = yes" under "[libdefaults]" in krb5.conf. I can run "klist -vvv" and I see that the flags are as follows:
Server: krbtgt/REALM@REALM
Client: anogin@REALM
[...]
Ticket flags: pre-authent, initial, renewable, forwardable
Addresses: addressless
Server: host/sshserver@REALM
Client: anogin@REALM
[...]
Ticket flags: pre-authent
Addresses: addressless
Again, the above is the same with "plain" Cygwin.