Thread: [Perlgssapi-users] context init without existing cache
From: Stijn De W. <sti...@ug...> - 2016-10-10 18:55:26
hi all,

following the example code in http://search.cpan.org/~agrolms/GSSAPI-0.23/GSSAPI.pm I manage to create and list the credentials on a system where no cache existed before on centos7 (perl-5.16.3-286.el7.x86_64 krb5-libs-1.13.2-12.el7_2.x86_64 perl-GSSAPI-0.28-9.el7.x86_64)

running with KRB5_TRACE=/dev/stdout, I get

> using Name host/fqdn@REALM
> Security context's time to live 74391 secs
> seems everything is fine, type klist to see the ticket
>
> [5408] 1476125005.968256: Getting credentials host/fqdn@REALM -> host/fqdn@REALM using ccache DIR::/tmp/x1/tktgfp8aQ
> [5408] 1476125005.968489: Retrieving host/fqdn@REALM -> host/fqdn@REALM from DIR::/tmp/x1/tktgfp8aQ with result: 0/Success
> [5408] 1476125005.968609: Creating authenticator for host/fqdn@REALM -> host/fqdn@REALM, seqnum 252462246, subkey aes256-cts/CBEE, session key aes256-cts/BB8B

and afterwards klist shows expected

(fqdn and REALM are replaced)

however on EL6 system (perl-5.10.1-141.el6_7.1.x86_64 krb5-libs-1.10.3-57.el6.x86_64 perl-GSSAPI-0.26-6.el6.x86_64), I get

> [8576] 1476125499.295546: ccselect can't find appropriate cache for server principal host/fqdn@REALM
>
> using Name host/fqdn@REALM
>
> Errors: Unspecified GSS failure. Minor code may provide more information
> Credentials cache file '/tmp/krb5cc_0' not found
> major 851968 minor 2529639107

my question is: what GSSAPI and/or krb5 version is required to be able to create a credential cache where none existed before?

or can someone shed some light on the error above?

many thanks,

stijn
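The major/minor pair and the two KRB5_TRACE excerpts quoted in this post, decoded as an added example; this is not code from the thread or from perl-GSSAPI. It relies on the major-status layout and routine-error numbering of RFC 2744 and on the published libkrb5 com_err table base; the traces are embedded as constructed sample input copied from the post, placeholders kept.

```python
import re

# Layout of a GSS-API major status word (RFC 2744, section 3.9.1): calling error in
# bits 24-31, routine error in bits 16-23, supplementary info in bits 0-15.
ROUTINE_ERRORS = {7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 11: "GSS_S_CREDENTIALS_EXPIRED",
                  13: "GSS_S_FAILURE", 16: "GSS_S_UNAVAILABLE"}
# com_err base of the libkrb5 error table; KRB5_FCC_NOFILE (-1765328189) is offset 195.
KRB5_TABLE_BASE = -1765328384
KRB5_NAMES = {195: "KRB5_FCC_NOFILE"}


def decode_gss_status(major, minor):
    """Split the major word the way gss_display_status does, and turn the unsigned
    minor printed by the Perl wrapper back into the signed com_err code libkrb5 returned."""
    routine = (major >> 16) & 0xff
    signed_minor = minor - (1 << 32) if minor >= (1 << 31) else minor
    offset = signed_minor - KRB5_TABLE_BASE
    return {
        "calling_error": (major >> 24) & 0xff,
        "routine_error": ROUTINE_ERRORS.get(routine, f"routine_{routine}"),
        "supplementary": major & 0xffff,
        "krb5_code": signed_minor,
        "krb5_name": KRB5_NAMES.get(offset, "unknown") if 0 <= offset < 256 else "not_krb5",
    }


CCACHE_RE = re.compile(r"using ccache (?P<type>[A-Z]+):+(?P<residual>\S+)")
NOFILE_RE = re.compile(r"Credentials cache file '(?P<path>[^']+)' not found")
STATUS_RE = re.compile(r"major (?P<major>\d+) minor (?P<minor>\d+)")


def analyse_trace(text):
    """Summarise a KRB5_TRACE run: which ccache type the mechanism used, whether it
    got as far as building an authenticator, and what any reported status means."""
    report = {"ccache_type": None, "ccache_residual": None, "missing_file": None,
              "authenticator": False, "status": None}
    for line in text.splitlines():
        if m := CCACHE_RE.search(line):
            report["ccache_type"], report["ccache_residual"] = m["type"], m["residual"]
        elif m := NOFILE_RE.search(line):
            report["missing_file"] = m["path"]
        elif m := STATUS_RE.search(line):
            report["status"] = decode_gss_status(int(m["major"]), int(m["minor"]))
        elif "Creating authenticator" in line:
            report["authenticator"] = True
    return report


# Constructed sample input: the two traces from the post, fqdn/REALM placeholders kept.
EL7_TRACE = """[5408] 1476125005.968256: Getting credentials host/fqdn@REALM -> host/fqdn@REALM using ccache DIR::/tmp/x1/tktgfp8aQ
[5408] 1476125005.968489: Retrieving host/fqdn@REALM -> host/fqdn@REALM from DIR::/tmp/x1/tktgfp8aQ with result: 0/Success
[5408] 1476125005.968609: Creating authenticator for host/fqdn@REALM -> host/fqdn@REALM, seqnum 252462246, subkey aes256-cts/CBEE, session key aes256-cts/BB8B"""
EL6_TRACE = """[8576] 1476125499.295546: ccselect can't find appropriate cache for server principal host/fqdn@REALM
Errors: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
major 851968 minor 2529639107"""

if __name__ == "__main__":
    for name, trace in (("el7", EL7_TRACE), ("el6", EL6_TRACE)):
        print(name, analyse_trace(trace))
```

On the EL6 trace the decoder reports GSS_S_FAILURE with minor KRB5_FCC_NOFILE, i.e. the krb5 mechanism looked for the default FILE ccache /tmp/krb5cc_0 and stopped because it was absent, whereas the EL7 trace shows a DIR ccache in use and an authenticator being built.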
From: Stijn De W. <sti...@ug...> - 2016-10-11 06:16:42
hi achim,

> just to be sure: The output from both commands with the same kerberos-config?
> Only the versions of Kerberos-libraries differ?

the only difference on el7 is the "default_ccache_name = KEYRING:persistent:%{uid}" entry in libdefaults. (but on el7, when I set KRB5CCNAME to DIR:/something or FILE:, it also works)

> In both cases you have run successfully the kinit before and have a valid TGT?

kinit -kt /etc/krb5.keytab works, but I'm trying to get the context without a valid TGT present (i.e. an empty cache). so the output is produced without a valid TGT present.

stijn
From: Stijn De W. <sti...@ug...> - 2016-10-13 07:13:45
as a followup question, if getting the initial TGT is not part of (older?) perl-GSSAPI, does anyone have any idea why this works on el7? is it a change in the krb5 libs (and if so, does anyone have any idea which versions have this?)

many thanks,

stijn
From: Achim G. <ac...@gr...> - 2016-10-13 10:11:02
On Thursday 13 October 2016, Stijn De Weirdt wrote:
> as a followup question, if getting the initial TGT is not part of
> (older?) perl-GSSAPI,

The Protocol and API GSSAPI is a layer on top of Kerberos and _other_ authentication "mechtypes".

So there is no "get a TGT" call in the GSSAPI specification, because the concept "TGT" is "one layer below" and not in the perl-wrapper around the C-interface as defined in RFC 2744:

--------------------------------
Perl Interface GSSAPI.pm
--------------------------------
GSSAPI-Implementation of RFC 2744,
for Example Heimdal or MIT
--------------------------------
Kerberos5 implementation
for Example Heimdal or MIT
--------------------------------

> does anyone have any idea why this works on el7?

I have no idea why this works.
To be sure: you have run kdestroy first to ensure there is no valid TGT from older requests?

> is it a change in the krb5 libs (and if so, does anyone have any idea
> which versions have this?)

I have no idea.
From: Stijn De W. <sti...@ug...> - 2016-10-13 11:46:47
hi achim,

thanks for clarifying. yes, this works, e.g. on an el7 box (the script has only perl-GSSAPI, no kinit)

> [root@fqdn tmp]# rm -Rf /tmp/x1/
> [root@fqdn tmp]# KRB5CCNAME=DIR:/tmp/x1 klist -A
> [root@fqdn tmp]# ./getcred_hostbased_n2205.pl
> verify with KRB5CCNAME=DIR:/tmp/x1 klist -A
> ENV{KRB5CCNAME} DIR:/tmp/x1
>
> using Name host/fqd...@HP...
> Security context's time to live 86400 secs
> seems everything is fine, type klist to see the ticket
> [root@fqdn tmp]# KRB5CCNAME=DIR:/tmp/x1 klist -A
> Ticket cache: DIR::/tmp/x1/tktvrgaxm
> Default principal: host/fqd...@HP...
>
> Valid starting       Expires              Service principal
> 10/13/2016 13:44:00  10/14/2016 13:44:00  krbtgt/REALM@REALM
> 10/13/2016 13:44:00  10/14/2016 13:44:00  host/fqdn@REALM

stijn