This is the mail archive of the
mailing list for the Cygwin project.
Unable to delegate credentials from Cygwin ssh client was Re: Heimdal 1.5.2: "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10"
- From: Jeffrey Altman <jaltman at openafs dot org>
- To: cygwin at cygwin dot com
- Date: Fri, 21 Jun 2013 12:54:52 -0400
- Subject: Unable to delegate credentials from Cygwin ssh client was Re: Heimdal 1.5.2: "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10"
- References: <409A0E510096B044A0EE3778BB3F1F5C01379C903ECD at EXMAIL dot hrl dot com>
On 6/14/2013 5:39 PM, Nogin, Aleksey wrote:
> I am experiencing the same error that Corinna Vinschen have reported on cygwin-apps mailing list about a year ago without any obvious resolution(*), and I was wondering whether somebody was able to resolve it since.
> I am running Heimdal's kinit (as came with MobaXterm 6.2) under Windows 7 to get a ticket from a Windows AD, and then ssh'ing into RHEL 5 and 6 boxes set up to use pam_krb to authenticate against the same Windows AD. gssapi-with-mic authentication succeeds, but credential delegation does not, and I see the same "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10" error(**) previously reported. This is an issue in my environment, where Kerberos-secured NFS is used to provide access to home directories.
> One thing I did notice is that when I ssh into an RHEL box, afterwards kinit on the client (Cygwin) side shows a ticket for the RHEL host (as expected), yet it shows that the ticket lacks the "forwardable" flag, which would probably explain the failure to delegate credentials. So perhaps this is a problem with the SSH client on the Cygwin end ("ssh -V" reports "OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012"), rather than Heimdal's? The libdefaults section in krb5.conf on Cygwin does contain "forwardable = yes" and in contract to how it happens on Cygwin, the Linux->Linux ssh that does delegate credentials correctly also does obtain a forwardable ticket on the client side.
> TIA for any help.
Going back to the original posting.
The Heimdal that is being used is MobaXTerm's kinit.
What Heimdal is it?
Is it a native Windows build?
The Secure Endpoints distribution which Microsoft LSA support and MIT
credential cache support?
Or the Heimdal that is packaged for Cygwin?
The Heimdal distribution matters because it will determine where the
krb5.conf configuration file is going to be stored. If you aren't sure,
use "SysInternals Process Monitor" to trace the "kinit.exe" process and
see what files it accesses.
When "kinit" is executed, is the "-f" parameter provided requesting a
"forwardable" ticket granting ticket?
If the ticket granting ticket (TGT) is not forwardable, then none of the
derived tickets will be. When delegating credentials it is the TGT that
is forwarded to the remote host, not the host/<hostname>@<REALM> service
ticket which is used solely for authentication.
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple