From: Russ Allbery
To: krb5-bugs@mit.edu
Subject: gss_init_sec_context w/host@ fails with anonymous tickets
Organization: The Eyrie
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
Date: Wed, 23 Dec 2015 15:59:59 -0800
Message-ID: <877fk4pvgg.fsf@hope.eyrie.org>

Given a Kerberos KDC configured to issue anonymous service tickets, a client with an anonymous TGT (obtained with kinit -n) fails in gss_init_sec_context when trying to authenticate to a host in the default local realm when gss_import_name is called with "host@" as the name. If gss_import_name is called with "host/" instead, this works correctly.
KRB5_TRACE says:

[82592] 1450814219.510525: ccselect can't find appropriate cache for server principal host/dfw3b-rm1-1b.sjc.dropbox.com@
[82592] 1450814219.510698: Getting credentials WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> host/dfw3b-rm1-1b.sjc.dropbox.com@ using ccache FILE:/tmp/krb5cc_1214
[82592] 1450814219.510824: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> host/dfw3b-rm1-1b.sjc.dropbox.com@ from FILE:/tmp/krb5cc_1214 with result: -1765328243/Matching credential not found
[82592] 1450814219.510914: Retrying WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> host/dfw3b-rm1-1b.sjc.dropbox.com@WELLKNOWN:ANONYMOUS with result: -1765328243/Matching credential not found
[82592] 1450814219.510926: Server has referral realm; starting with host/dfw3b-rm1-1b.sjc.dropbox.com@WELLKNOWN:ANONYMOUS
[82592] 1450814219.511006: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS from FILE:/tmp/krb5cc_1214 with result: -1765328243/Matching credential not found

So it looks like what's happening is that the service ticket lookup code is getting very confused by the @WELLKNOWN:ANONYMOUS realm instead of falling back on using the local realm to get service tickets. I'm not sure why this suddenly starts working with the host/ form of name instead, although my guess is that the local default realm is automatically appended to that Kerberos principal name and that somehow unconfuses the service ticket fetch algorithm.

This behavior was seen using remctl 3.10 as the client and server, in case there are any peculiarities of how it calls GSS-API that are relevant. (Both available from .)

The user-visible error was:

$ kinit -n
$ remctl dfw3b-rm1-1b.sjc.dropbox.com bootstrap help
remctl: GSS-API error initializing context: Unspecified GSS failure. Minor code may provide more information, Matching credential not found

-- 
Russ Allbery (eagle@eyrie.org)
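As an added example (not part of the report or of the krb5 or remctl code), a small KRB5_TRACE checker that recognises the failure pattern above: an anonymous client, a server name imported with an empty (referral) realm, the realm then being filled in from the client's WELLKNOWN:ANONYMOUS realm, and no krbtgt for that realm in the ccache. The first sample is the trace quoted in the report; the second is a constructed trace for the working host/ form, assuming a hypothetical default realm EXAMPLE.COM.

```python
import re
ANON_REALM = "WELLKNOWN:ANONYMOUS"
ANON_CLIENT = "WELLKNOWN/ANONYMOUS@" + ANON_REALM
LINE_RE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
LOOKUP_RE = re.compile(r"^(Getting credentials|Retrieving|Retrying) (\S+) -> (\S+)")
RESULT_RE = re.compile(r"with result: (-?\d+)/")

# Constructed samples: the failing host@ trace quoted in the report, and a
# hypothetical trace for the host/ form with an assumed default realm EXAMPLE.COM.
FAILING_TRACE = """\
[82592] 1450814219.510698: Getting credentials WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> host/dfw3b-rm1-1b.sjc.dropbox.com@ using ccache FILE:/tmp/krb5cc_1214
[82592] 1450814219.510824: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> host/dfw3b-rm1-1b.sjc.dropbox.com@ from FILE:/tmp/krb5cc_1214 with result: -1765328243/Matching credential not found
[82592] 1450814219.510914: Retrying WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> host/dfw3b-rm1-1b.sjc.dropbox.com@WELLKNOWN:ANONYMOUS with result: -1765328243/Matching credential not found
[82592] 1450814219.511006: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS from FILE:/tmp/krb5cc_1214 with result: -1765328243/Matching credential not found
"""
WORKING_TRACE = """\
[82593] 1450814300.100000: Getting credentials WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> host/dfw3b-rm1-1b.sjc.dropbox.com@EXAMPLE.COM using ccache FILE:/tmp/krb5cc_1214
[82593] 1450814300.100100: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> host/dfw3b-rm1-1b.sjc.dropbox.com@EXAMPLE.COM from FILE:/tmp/krb5cc_1214 with result: 0/Success
"""

def parse_trace(text):
    """Yield (pid, timestamp, message) for each well-formed KRB5_TRACE line."""
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        yield int(m.group(1)), float(m.group(2)), m.group(3)

def realm_of(principal):
    """Realm after the last '@'; '' means an empty (referral) realm."""
    return principal.rsplit("@", 1)[1] if "@" in principal else ""

def diagnose(text):
    """Return details of the anonymous-referral failure pattern, or None
    when the trace does not show it (e.g. the server name carried a realm)."""
    client = server = None
    empty_realm = anon_realm_tried = anon_krbtgt_missing = False
    for _, _, msg in parse_trace(text):
        m = LOOKUP_RE.match(msg)
        if not m:
            continue
        client, target = m.group(2), m.group(3)
        r = RESULT_RE.search(msg)
        failed = r is not None and r.group(1) != "0"  # non-zero krb5 error code
        if m.group(1) == "Getting credentials":
            server, empty_realm = target, realm_of(target) == ""
        elif failed and target.startswith("krbtgt/%s@" % ANON_REALM):
            anon_krbtgt_missing = True  # no TGT for the anonymous realm in ccache
        elif failed and realm_of(target) == ANON_REALM:
            anon_realm_tried = True  # client realm substituted for the empty one
    if client == ANON_CLIENT and empty_realm and anon_realm_tried and anon_krbtgt_missing:
        return {"client": client, "server": server, "cause": "empty server realm filled from anonymous client realm instead of local realm"}
    return None
```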