Re: Trouble with multiple kerberos ticket caches

Hi!

On 06.05.25 at 21:54, Orion Poplawski wrote:
More details.  The issue seems to arise when doing gssapi delegation from a
macOS client to the Linux box.  If I have ticket on macOS:

Ticket cache: API:427671FC-DB63-442F-ACA4-13A9194F4398
Default principal: user@xxxxxxxxxxx

Valid starting     Expires            Service principal
05/06/25 13:29:54  05/06/25 23:29:54  krbtgt/AD.NWRA.COM@xxxxxxxxxxx
         renew until 05/13/25 13:29:50
05/06/25 13:30:30  05/06/25 23:29:54  krbtgt/NWRA.COM@xxxxxxxxxxx
05/06/25 13:30:30  05/06/25 23:29:54  host/host@xxxxxxxx

and ssh to the Linux box, I can't access the nfs mount:

-bash: /home/user/.bash_profile: Permission denied

Ticket cache: KEYRING:persistent:30657:krb_ccache_efgrZpc
Default principal: user@xxxxxxxxxxx

Valid starting     Expires            Service principal
05/06/25 13:30:30  05/06/25 23:29:54  krbtgt/AD.NWRA.COM@xxxxxxxxxxx

I also notice that the ticket is non-renewable.

If I then kinit I can access the home directory fine.  Other than the new
ticket being renewable I don't see any difference:

Ticket cache: KEYRING:persistent:30657:krb_ccache_efgrZpc
Default principal: user@xxxxxxxxxxx

Valid starting     Expires            Service principal
05/06/25 13:31:27  05/06/25 23:31:27  nfs/server@xxxxxxxx
         renew until 05/13/25 13:31:22
05/06/25 13:31:27  05/06/25 23:31:27  krbtgt/NWRA.COM@xxxxxxxxxxx
         renew until 05/13/25 13:31:22
05/06/25 13:31:27  05/06/25 23:31:27  krbtgt/AD.NWRA.COM@xxxxxxxxxxx
         renew until 05/13/25 13:31:22

Actually, I also notice now that there is a krbtgt/NWRA.COM principal as well. I wonder if that is the difference.

Can you please check and compare the output of 'klist -ef' (which includes additional info on enctypes and flags) in both cases? It sounds like the macOS client is forwarding a ticket that is not accepted by the Linux client's krb5 library. This could happen if, e.g., the default_tgs_enctypes configured in krb5.conf on the macOS side is incompatible with the permitted_enctypes in krb5.conf on the Linux side.

Kind regards,

Daniel
--
Daniel Kobras
Principal Architect
Puzzle ITC Deutschland
+49 7071 14316 0
www.puzzle-itc.de

--
Puzzle ITC Deutschland GmbH
Registered office: Eisenbahnstraße 1, 72072 Tübingen

Registered at the Stuttgart District Court (Amtsgericht), HRB 765802
Managing directors: Lukas Kallies, Daniel Kobras, Mark Pröhl
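As an added example (not code from the thread or its participants), a small Python script that does the comparison Daniel suggests: it parses MIT-style `klist -ef` output for the failing and the working cache on the Linux box and reports service principals the failing cache lacks, tickets that lost the renewable flag, and ticket enctypes that differ. The sample outputs, realm names and enctype values are constructed placeholders, and the MIT klist layout (tab-indented "Flags:" and "Etype (skey, tkt):" lines) is assumed.

```python
import re

# Constructed sample `klist -ef` output in MIT format (placeholder realms, not the
# thread's masked values): FAILING mimics the cache after the forwarded ssh login.
FAILING = """\
Valid starting     Expires            Service principal
05/06/25 13:30:30  05/06/25 23:29:54  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
\tFlags: FfA
\tEtype (skey, tkt): aes128-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96
"""
WORKING = """\
Valid starting     Expires            Service principal
05/06/25 13:31:27  05/06/25 23:31:27  nfs/server@EXAMPLE.COM
\trenew until 05/13/25 13:31:22, Flags: FRIA
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
05/06/25 13:31:27  05/06/25 23:31:27  krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM
\trenew until 05/13/25 13:31:22, Flags: FRIA
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
05/06/25 13:31:27  05/06/25 23:31:27  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
\trenew until 05/13/25 13:31:22, Flags: FRIA
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""
TICKET_RE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(\S+/\S+@\S+)$")  # "start expires princ"
FLAGS_RE = re.compile(r"Flags: (\w+)")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (\S+), (\S+)")

def parse_klist(text):
    """Map each service principal to its flags, renewability and ticket enctype."""
    tickets, cur = {}, None
    for line in text.splitlines():
        if m := TICKET_RE.match(line):
            cur = tickets.setdefault(m.group(3), {"flags": "", "renew": False, "tkt": None})
        elif cur is not None and line[:1].isspace():  # indented continuation line
            cur["renew"] |= "renew until" in line
            if fm := FLAGS_RE.search(line):
                cur["flags"] = fm.group(1)
            if em := ETYPE_RE.search(line):
                cur["tkt"] = em.group(2)  # enctype the KDC used for the ticket itself
    return tickets

def compare_caches(failing, working):
    """List what the failing cache lacks relative to the working one."""
    bad, good = parse_klist(failing), parse_klist(working)
    findings = [f"missing in failing cache: {p}" for p in sorted(good.keys() - bad.keys())]
    for p in sorted(bad.keys() & good.keys()):
        if "R" in good[p]["flags"] and "R" not in bad[p]["flags"]:
            findings.append(f"{p}: not renewable (flags {bad[p]['flags']} vs {good[p]['flags']})")
        if bad[p]["tkt"] != good[p]["tkt"]:
            findings.append(f"{p}: ticket enctype {bad[p]['tkt']} vs {good[p]['tkt']}")
    return findings
```

Run `compare_caches` on the two captured outputs; an empty list means the caches differ only in timestamps, which points away from the enctype/flag explanation.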