Kerberos Credentials Cache not working - gss_krb5_copy_ccache() failed

A. Wood
New Member

I'm hoping that someone can help with a problem I'm seeing with GSSAPI cache forwarding. Specifically on HP-UX 11.23, whether forwarding credentials from a Windows client using the Quest kerberized PuTTY or from another Kerberos-enabled HP-UX installation (11.11), I get an error in the auth.log. I have included a full transcript of the process I'm using to test and attached the krb5.conf file for reference. My questions are:

- What's causing the gss_krb5_copy_ccache() failed in auth.log?
- Why the difference in cache file names between an interactive login (krb5cc_[PPID]_[PID]) and the gssapi session (krb5cc_[UID])?

At this point any lead would be greatly appreciated.

Thanks

Adrian

------------- Transcript of testing --------
# uname -a
HP-UX myhost B.11.23 U ia64 3992592774 unlimited-user license

# swlist ...

KRB5-Client B.11.23 Kerberos V5 Client Version 1.0
PAM-Kerberos C.01.24 PAM-Kerberos Version 1.24
krb5client D.1.6.2 Kerberos V5 Client Version 1.6.2
PHSS_34991 1.0 KRB5-Client Version 1.0 Cumulative patch

# klist -keK

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
5 host/myhost.mydomain.local@MYDOMAIN.LOCAL (ArcFour with HMAC/md5) (0x13ecc6b07bc1fe82b6d635fc56f8b2e7)

# kinit -k
# klist -ef
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/myhost.mydomain.local@MYDOMAIN.LOCAL

Valid starting Expires Service principal
11/06/08 13:37:22 11/06/08 23:37:22 krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
renew until 11/06/08 23:37:22, Flags: FRIA
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

# kdestroy
# kinit user1
# klist -ef
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: usera@MYDOMAIN.LOCAL

Valid starting Expires Service principal
11/06/08 13:38:46 11/06/08 23:38:46 krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
renew until 11/06/08 23:38:46, Flags: FRIA
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

# kdestroy

[Log-off and log back in using interactive SSH session (i.e. prompted for userid and password)]

# klist -ef
Ticket cache: FILE:/tmp/krb5cc_8260_8570
Default principal: usera@MYDOMAIN.LOCAL

Valid starting Expires Service principal
11/06/08 13:50:08 11/06/08 23:50:08 krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
renew until 11/06/08 23:50:08, Flags: RIA
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

# kdestroy

[Log-off and log back in using kerberised SSH client via GSSAPI (i.e. not prompted for userid and password)]

Logon banner includes:

Using username "usera".
Using GSSAPI service principal name "host/myhost.mydomain.local".

# klist -ef
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

Extract from /var/adm/syslog/auth.log reads:

Nov 6 13:54:06 myhost sshd[8666]: Connection from 10.228.114.148 port 2365
Nov 6 13:54:06 myhost sshd[8666]: Failed none for usera from 10.228.114.148 port 2365 ssh2
Nov 6 13:54:06 myhost sshd[8666]: Authorized to usera, krb5 principal usera@MYDOMAIN.LOCAL (krb5_kuserok)
Nov 6 13:54:06 myhost sshd[8666]: Accepted gssapi-with-mic for usera from 10.228.114.148 port 2365 ssh2
Nov 6 13:54:06 myhost sshd[8666]: Pam Creds are not available
Nov 6 13:54:06 myhost sshd[8669]: gss_krb5_copy_ccache() failed
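The auth.log extract above contains the two messages that matter, but they come from different sshd processes: the acceptance is logged by the authenticating sshd (PID 8666 here) and the gss_krb5_copy_ccache() failure by the session child (PID 8669), so they cannot be joined on PID. As an added example (not code from the original post or from HP), the Python script below pairs them by host and time proximity instead and also notes whether the same authenticating sshd logged "Pam Creds are not available". The sample lines are copied from the extract above; the 5-second pairing window is an assumption.

```python
"""Correlate sshd GSSAPI acceptances with gss_krb5_copy_ccache() failures.

sshd logs "Accepted gssapi-with-mic" from the process that did the
authentication, while "gss_krb5_copy_ccache() failed" is logged by the
session child under a different PID, so the two lines cannot be joined on
PID.  This pairs them by host and time proximity instead.
"""
import re
from datetime import datetime, timedelta

# Constructed sample, copied from the auth.log extract in the thread.
SAMPLE_LOG = """\
Nov  6 13:54:06 myhost sshd[8666]: Connection from 10.228.114.148 port 2365
Nov  6 13:54:06 myhost sshd[8666]: Failed none for usera from 10.228.114.148 port 2365 ssh2
Nov  6 13:54:06 myhost sshd[8666]: Authorized to usera, krb5 principal usera@MYDOMAIN.LOCAL (krb5_kuserok)
Nov  6 13:54:06 myhost sshd[8666]: Accepted gssapi-with-mic for usera from 10.228.114.148 port 2365 ssh2
Nov  6 13:54:06 myhost sshd[8666]: Pam Creds are not available
Nov  6 13:54:06 myhost sshd[8669]: gss_krb5_copy_ccache() failed
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(
    r"^Accepted gssapi-with-mic for (?P<user>\S+) from (?P<src>\S+) port \d+")
PAM_CREDS_MSG = "Pam Creds are not available"
COPY_FAIL_MSG = "gss_krb5_copy_ccache() failed"

def parse_ts(ts):
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine for differences within one file (wrap at year end is ignored).
    return datetime.strptime(re.sub(r"\s+", " ", ts), "%b %d %H:%M:%S")

def find_delegation_failures(log_text, window=timedelta(seconds=5)):
    """Return one finding per copy_ccache failure, paired with the latest
    GSSAPI acceptance on the same host within `window` (an assumed value).
    Unpaired failures are still reported (user/src None) so nothing is
    silently dropped."""
    pending, findings = [], []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        t = parse_ts(m["ts"])
        host, pid, msg = m["host"], int(m["pid"]), m["msg"]
        # forget acceptances that are too old to be paired with anything
        pending = [p for p in pending if t - p["time"] <= window]
        a = ACCEPT_RE.match(msg)
        if a:
            pending.append({"time": t, "host": host, "auth_pid": pid,
                            "user": a["user"], "src": a["src"],
                            "pam_creds_missing": False})
        elif msg.startswith(PAM_CREDS_MSG):
            # logged by the authenticating sshd, so it shares its PID
            for p in pending:
                if p["host"] == host and p["auth_pid"] == pid:
                    p["pam_creds_missing"] = True
        elif msg.startswith(COPY_FAIL_MSG):
            match = next((p for p in reversed(pending)
                          if p["host"] == host and t >= p["time"]), None)
            finding = {"time": t.strftime("%b %d %H:%M:%S"), "host": host,
                       "session_pid": pid, "auth_pid": None, "user": None,
                       "src": None, "pam_creds_missing": None}
            if match:
                finding.update(auth_pid=match["auth_pid"], user=match["user"],
                               src=match["src"],
                               pam_creds_missing=match["pam_creds_missing"])
                pending.remove(match)
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in find_delegation_failures(SAMPLE_LOG):
        print("GSSAPI login accepted but delegated credentials not stored:", f)
```

Run against a live /var/adm/syslog/auth.log, each finding names the user and source address whose delegated TGT was accepted by sshd but never written to a cache on the server, which is exactly the condition the original post describes.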
Sameer_Nirmal
Honored Contributor

Re: Kerberos Credentials Cache not working - gss_krb5_copy_ccache() failed

The cause of the failure of gss_krb5_copy_ccache() seems to be the non-availability of the Kerberos credentials cache.

klist: No credentials cache found

What is the version of secure shell installed on the HP-UX 11.23 box?

What do you get by running this command when using GSSAPI?
# pamkrbval -v
A. Wood
New Member

Re: Kerberos Credentials Cache not working - gss_krb5_copy_ccache() failed

# swlist | grep -i "secure shell"
T1471AA A.05.10.007 HP-UX Secure Shell

# pamkrbval -a ia64 -v

Validating the pam configuration files
---------- --- --- ------------- -----

Validating the /etc/pam.conf file
[LOG] : The /etc/pam.conf files permissions are fine
[LOG] : Opened : /etc/pam.conf

[PASS] : The validation of config file: /etc/pam.conf passed

[NOTICE] : The validation of config file: /etc/pam_user.conf is not done
as libpam_updbe library is not configured

Validating the kerberos config file
---------- --- -------- ------ -----
[PASS] : Initialization of kerberos passed

Connecting to default Realm
---------- -- ------- -----
[LOG] : The default realm is : MYDOMAIN.LOCAL
[LOG] : KDC hosts for realm MYDOMAIN.LOCAL :dc1.mydomain.local
dc2.mydomain.local
[LOG] : Trying to contact KDC for realm MYDOMAIN.LOCAL...
[LOG] : Realm MYDOMAIN.LOCAL is answering ticket requests
[PASS] : Default Realm is issuing tickets

Validating the keytab entry for the host service principal
---------- --- ------ ----- --- --- ---- ------- ---------
[LOG] : Host myhost, aka myhost.mydomain.local
[LOG] : The default keytab name is : /etc/krb5.keytab
[LOG] : Keytab file /etc/krb5.keytab is present
[LOG] : Permissions on /etc/krb5.keytab are correct.
Keytab entry
Principal: host
Host : myhost.mydomain.local
Realm : MYDOMAIN.LOCAL
Version : 5
[LOG] : Pinging KDC to verify whether host/myhost.mydomain.local@MYDOMAIN.LOCAL exists
[LOG] : The keytab entry for the host service principal host/myhost.mydomain.local@MYDOMAIN.LOCAL is valid
[PASS] : The keytab validation is successful

Validating the rc_host file for ownership
-------- ------ ---- -------- ------ -----
[LOG] : rc_host file /usr/tmp/rc_host_0 is not present on the system
[PASS] :The Validation of rc_host file:/usr/tmp/rc_host_0 is successful
Sameer_Nirmal
Honored Contributor

Re: Kerberos Credentials Cache not working - gss_krb5_copy_ccache() failed

It looks like the secure shell server is set up to use password authentication using PAM Kerberos. That's why the user is able to log in using an interactive username/password. It's not set up for GSSAPI authentication.

When GSSAPI is attempted, which seems to be set up at the secure shell client end, the user is not able to log in.
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0) indicates the cache for UID 0; it was destroyed by running kdestroy earlier, and it is reverting back to the user root, hence the error.

Refer to the procedure to set up GSSAPI authentication.
http://docs.hp.com/en/5991-7493/ch04s04.html#babcfhjbo

To answer your second question about the different cache filenames: /tmp/krb5cc_[PPID]_[PID] indicates a session cache created by sshd once the session is established after successful authentication.
/tmp/krb5cc_[UID] - Client credential file created by kinit for a user with that UID.
A. Wood
New Member

Re: Kerberos Credentials Cache not working - gss_krb5_copy_ccache() failed

Sameer

There seems to be a point of confusion: the GSSAPI configuration of SSH is enabled and the user is certainly able to log on. The issue is retention of the forwarded Kerberos credentials, i.e. the credentials aren't being persisted to the cache on the server end of the transaction.
A. Wood
New Member

Re: Kerberos Credentials Cache not working - gss_krb5_copy_ccache() failed

I have worked out that the issue is related to an option on the client end. In this case the client is the Quest PuTTY client, and the "Delegate credentials" configuration option under Connection -> SSH -> GSSAPI was ticked. I have unticked the option and I no longer get the gss_krb5_copy_ccache() failed error.

I have not worked through this entirely, but the help text in PuTTY suggests that this option is applicable if the computer account has "Trust this computer for delegation" set. This is the case for me, but it doesn't seem to work as described.
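Two things in this thread are worth checking mechanically on the client and server: which credential cache file a session is using and which naming convention it follows (krb5cc_[UID] from kinit versus krb5cc_[PPID]_[PID] from an sshd/PAM session, as described in the reply on cache filenames), and whether the TGT in that cache is forwardable, since GSSAPI credential delegation forwards the TGT and a non-forwardable TGT cannot be delegated. The Python below is an added example written for this thread, not code from the posts or from HP; it parses `klist -ef` output, classifies the cache name, and decodes the Flags letters per MIT klist(1). The three samples are copied from the klist output in the original post.

```python
"""Inspect `klist -ef` output: which cache file is in use, which naming
convention it follows, and whether the TGT carries the forwardable flag
that GSSAPI credential delegation requires.
"""
import re

# Flag letters as printed by MIT klist -f (the well-known ones only).
KLIST_FLAGS = {
    "F": "forwardable", "f": "forwarded",
    "P": "proxiable", "p": "proxy",
    "D": "may-postdate", "d": "postdated",
    "R": "renewable", "I": "initial", "i": "invalid",
    "A": "preauthenticated", "H": "hardware-authenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate",
}

CACHE_RE = re.compile(r"^Ticket cache:\s+(?:(?P<type>[A-Z]+):)?(?P<path>\S+)")
PRINC_RE = re.compile(r"^Default principal:\s+(?P<princ>\S+)")
NOCACHE_RE = re.compile(
    r"No credentials cache found \(ticket cache (?:[A-Z]+:)?(?P<path>[^)]+)\)")
NAME_UID = re.compile(r"^krb5cc_(?P<uid>\d+)$")          # kinit default
NAME_SESSION = re.compile(r"^krb5cc_(?P<ppid>\d+)_(?P<pid>\d+)$")  # sshd/PAM session

# Constructed samples, copied from the klist output in the thread.
KLIST_KINIT = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: usera@MYDOMAIN.LOCAL

Valid starting     Expires            Service principal
11/06/08 13:38:46  11/06/08 23:38:46  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
        renew until 11/06/08 23:38:46, Flags: FRIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
"""
KLIST_PAM_LOGIN = """\
Ticket cache: FILE:/tmp/krb5cc_8260_8570
Default principal: usera@MYDOMAIN.LOCAL

Valid starting     Expires            Service principal
11/06/08 13:50:08  11/06/08 23:50:08  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
        renew until 11/06/08 23:50:08, Flags: RIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
"""
KLIST_NONE = "klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)\n"

def classify_cache_name(path):
    """Map a cache file name to the convention it follows."""
    base = path.rsplit("/", 1)[-1]
    m = NAME_UID.match(base)
    if m:
        return {"kind": "uid-default", "uid": int(m["uid"])}
    m = NAME_SESSION.match(base)
    if m:
        return {"kind": "session", "ppid": int(m["ppid"]), "pid": int(m["pid"])}
    return {"kind": "other"}

def inspect_klist(text):
    """Parse klist -ef output into a summary dict."""
    m = NOCACHE_RE.search(text)
    if m:
        return {"present": False, "path": m["path"],
                "name": classify_cache_name(m["path"]),
                "principal": None, "tgt_flags": set(), "forwardable": False}
    info = {"present": True, "path": None, "principal": None, "tgt_flags": set()}
    after_tgt = False
    for line in text.splitlines():
        s = line.strip()
        m = CACHE_RE.match(s)
        if m:
            info["path"] = m["path"]
            continue
        m = PRINC_RE.match(s)
        if m:
            info["principal"] = m["princ"]
            continue
        if "krbtgt/" in s:
            after_tgt = True            # the Flags: line follows the TGT entry
            continue
        if after_tgt:
            m = re.search(r"Flags:\s*([A-Za-z]+)", s)
            if m:
                info["tgt_flags"] = {KLIST_FLAGS.get(c, c) for c in m.group(1)}
                after_tgt = False
    info["name"] = classify_cache_name(info["path"]) if info["path"] else {"kind": "other"}
    # Delegation forwards the TGT to the server, so the TGT must be forwardable.
    info["forwardable"] = "forwardable" in info["tgt_flags"]
    return info

if __name__ == "__main__":
    for label, sample in (("kinit", KLIST_KINIT), ("pam-login", KLIST_PAM_LOGIN),
                          ("gssapi-login", KLIST_NONE)):
        print(label, inspect_klist(sample))
```

Against the thread's own output, the kinit-obtained TGT decodes to FRIA (forwardable) while the TGT left by the interactive PAM login decodes to RIA, with no forwardable flag; a GSSAPI client delegating from a host whose cache looks like the second one has nothing it is allowed to forward, which is the kind of mismatch this check surfaces before anyone reads auth.log.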