03-19-2009 08:08 AM
Kerberos: is KINIT once-only?
Hello wizards,
Not sure whether this question belongs in "networking" or "security"; it might touch both areas. Please move if deemed necessary.
I am installing CIFS (Samba) for OpenVMS on a DS20 running OpenVMS V8.3, and in the course of doing so, I want to join an existing Active Directory domain. Everything went smoothly up to the point where I am supposed to verify my Kerberos setup by requesting a ticket using the "kinit" command: I can run the command and obtain a ticket, but this works only once per user process. If I "kdestroy" the ticket and then try to obtain another one, the kinit command seems to loop indefinitely. Here's a log:
$ kinit afreiherr
Password for afreiherr@EU.VISHAYINT.COM:
$ klist
Ticket cache: FILE:krb$user:[tmp]krb5cc_65540
Default principal: afreiherr@EU.VISHAYINT.COM
Valid starting     Expires            Service principal
03/19/09 11:33:45  03/19/09 21:33:47  krbtgt/EU.VISHAYINT.COM@EU.VISHAYINT.COM
        renew until 03/20/09 11:33:45
Kerberos 4 ticket cache: krb$user:[tmp]k4_tkt_cache65540
KRB$KLIST: You have no tickets cached
$ kdestroy
$ klist
KRB$KLIST: No credentials cache found (ticket cache FILE:krb$user:[tmp]krb5cc_65540)
Kerberos 4 ticket cache: krb$user:[tmp]k4_tkt_cache65540
KRB$KLIST: You have no tickets cached
$ kinit afreiherr
Password for afreiherr@EU.VISHAYINT.COM:
VMHN04::_RTA2: 11:34:35 KRB$KINIT CPU=00:00:00.75 PF=2100 IO=1292 MEM=445
VMHN04::_RTA2: 11:34:36 KRB$KINIT CPU=00:00:00.82 PF=2100 IO=4001 MEM=445
VMHN04::_RTA2: 11:34:37 KRB$KINIT CPU=00:00:01.55 PF=2100 IO=26121 MEM=445
VMHN04::_RTA2: 11:34:38 KRB$KINIT CPU=00:00:02.28 PF=2100 IO=46293 MEM=445
VMHN04::_RTA2: 11:34:39 KRB$KINIT CPU=00:00:03.15 PF=2100 IO=70329 MEM=445
Interrupt
$ exit
$ klist
KRB$KLIST: No credentials cache found (ticket cache FILE:krb$user:[tmp]krb5cc_65540)
Kerberos 4 ticket cache: krb$user:[tmp]k4_tkt_cache65540
KRB$KLIST: You have no tickets cached
$
Note that the IO count, as displayed by Control-T, increases rapidly in the second kinit command. Any third and subsequent kinit (mis)behaves like the second one above.
The first kinit succeeds and returns within a split second, so I think the configuration might be close enough. Since there is no error message from the second attempt, I am lost without any hints or keywords to search for.
I found that logging out and back in allows me to obtain another, single ticket by issuing one more kinit. In contrast, shutting down Kerberos and restarting it (KRB$SHUTDOWN.COM / KRB$STARTUP.COM) without logging out/in does NOT give me another chance.
Has anybody seen this before? Any explanation, or even hints on how to fix it?