This is the mail archive of the mailing list for the Cygwin project.
Heimdal 1.5.2: "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10"
- From: "Nogin, Aleksey" <anogin at hrl dot com>
- To: "cygwin at cygwin dot com" <cygwin at cygwin dot com>
- Date: Fri, 14 Jun 2013 14:39:15 -0700
- Subject: Heimdal 1.5.2: "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10"
I am experiencing the same error that Corinna Vinschen reported on the cygwin-apps mailing list about a year ago without any obvious resolution(*), and I was wondering whether somebody was able to resolve it since.
I am running Heimdal's kinit (as came with MobaXterm 6.2) under Windows 7 to get a ticket from a Windows AD, and then ssh'ing into RHEL 5 and 6 boxes set up to use pam_krb to authenticate against the same Windows AD. gssapi-with-mic authentication succeeds, but credential delegation does not, and I see the same "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10" error(**) previously reported. This is an issue in my environment, where Kerberos-secured NFS is used to provide access to home directories.
One thing I did notice is that when I ssh into an RHEL box, afterwards kinit on the client (Cygwin) side shows a ticket for the RHEL host (as expected), yet it shows that the ticket lacks the "forwardable" flag, which would probably explain the failure to delegate credentials. So perhaps this is a problem with the SSH client on the Cygwin end ("ssh -V" reports "OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012"), rather than Heimdal's? The libdefaults section in krb5.conf on Cygwin does contain "forwardable = yes" and, in contrast to how it happens on Cygwin, the Linux->Linux ssh that does delegate credentials correctly also does obtain a forwardable ticket on the client side.
TIA for any help.
(*) The last message of the thread at http://cygwin.com/ml/cygwin-apps/2012-03/msg00156.html ends with "Oh well, I guess I just give up. You proved that it works and I'm trying a pretty unlikely combination." I guess I am trying an unlikely combination too :-(
(**) Here is the full output (RHEL 5 version; RHEL 6 is virtually the same, with OpenSSH_5.3 on the other end).
% ssh -v XXXhostXXX
OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /home/mobaxterm/.ssh/config
debug1: /home/mobaxterm/.ssh/config line 24: Applying options for *
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to XXXhostXXX [IP.IP.IP.IP] port 22.
debug1: Connection established.
debug1: identity file /home/mobaxterm/.ssh/id_rsa type 1
debug1: identity file /home/mobaxterm/.ssh/id_rsa-cert type -1
debug1: identity file /home/mobaxterm/.ssh/id_dsa type -1
debug1: identity file /home/mobaxterm/.ssh/id_dsa-cert type -1
debug1: identity file /home/mobaxterm/.ssh/id_ecdsa type -1
debug1: identity file /home/mobaxterm/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 email@example.com
debug1: kex: client->server aes128-ctr hmac-md5 firstname.lastname@example.org
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA XX:XX:XX:...
debug1: Host 'XXXhostXXX' is known and matches the RSA host key.
debug1: Found key in /home/mobaxterm/.ssh/known_hosts:16
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Miscellaneous failure (see text)
unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Enabling compression at level 6.
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to XXXhostXXX ([IP.IP.IP.IP]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: No xauth program.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Requesting authentication agent forwarding.
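
Added example (not part of the original message, and not code from Cygwin, Heimdal or OpenSSH): a small triage script for `ssh -v` client output like the log above. It reports which method authenticated, how often the client requested delegation, and decodes the GSS-API error line. The function name `triage`, the OID-to-name table and the krb5 com_err table base are assumptions brought in from general knowledge, not from the post.

```python
import re

# Public GSS-API mechanism OIDs (general knowledge, not taken from the post).
MECHS = {
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
KRB5_ET_BASE = -1765328384  # base of the krb5 com_err error table

ERR_RE = re.compile(r"unknown mech-code (\d+) for mech ((?:\d+ ?)+)")
AUTH_RE = re.compile(r"Authentication succeeded \(([\w-]+)\)")

# Excerpt of the client log quoted in the message above.
SAMPLE = """\
debug1: Next authentication method: gssapi-with-mic
debug1: Miscellaneous failure (see text)
unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
"""

def triage(log_text):
    """Summarise the GSSAPI events in `ssh -v` client output."""
    report = {"method": None, "delegation_attempts": 0, "gss_errors": []}
    for line in log_text.splitlines():
        if "Delegating credentials" in line:
            report["delegation_attempts"] += 1
        if (m := AUTH_RE.search(line)):
            report["method"] = m.group(1)
        if (m := ERR_RE.search(line)):
            code = int(m.group(1))
            # GSS minor status is printed unsigned; com_err codes are signed 32-bit.
            signed = code - (1 << 32) if code >= (1 << 31) else code
            offset = signed - KRB5_ET_BASE
            oid = ".".join(m.group(2).split())
            report["gss_errors"].append({
                "mech_oid": oid,
                "mech_name": MECHS.get(oid, "unregistered here"),
                "minor_status": signed,
                # Offset only means something if the code is in the krb5 table.
                "krb5_table_offset": offset if 0 <= offset < 256 else None,
            })
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "Delegating credentials" line records that the client asked for delegation; it does not show that the server received usable credentials.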