You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It appears that Kerberos authentication doesn't work out-of-the-box with 4.1.x even with the latest release 4.1.4 and irods-auth-plugin-krb-1.2, which I built from the github repo.
Using the settings instructed in docs.irods.org I get the following message client-side
Level 0: DEBUG: On iRODS-Server side:GSS-API error Acquiring credentials.: Unspecified GSS failure. Minor code may provide more information
Level 1: DEBUG: On iRODS-Server side:GSS-API error Acquiring credentials.:
[-] libkrb.cpp:1194:krb_auth_client_request : status [KRB_ERROR_ACQUIRING_CREDS] errno [] -- message [call to rcAuthRequest failed.]
failed with error -965000 KRB_ERROR_ACQUIRING_CREDS
and in serverside rodsLog the following
Aug 24 11:20:45 pid:5371 DEBUG: On iRODS-Server side:GSS-API error Acquiring credentials.: Unspecified GSS failure. Minor code may provide more information
Aug 24 11:20:45 pid:5371 DEBUG: On iRODS-Server side:GSS-API error Acquiring credentials.:
Aug 24 11:20:45 pid:5371 ERROR: [-] iRODS/server/api/src/rsAuthPluginRequest.cpp:85:rsAuthPluginRequest : status [KRB_ERROR_ACQUIRING_CREDS] errno [] -- message []
[-] libkrb.cpp:1237:krb_auth_agent_request : status [KRB_ERROR_ACQUIRING_CREDS] errno [] -- message [Setting up KRB credentials failed.]
[-] libkrb.cpp:220:krb_setup_creds : status [KRB_ERROR_ACQUIRING_CREDS] errno [] -- message [Failed acquiring credentials.]
Aug 24 11:20:45 pid:5371 DEBUG: On iRODS-Server side:GSS-API error accepting context: Invalid token was supplied
Aug 24 11:20:45 pid:5371 DEBUG: On iRODS-Server side:GSS-API error accepting context: Unknown error
Aug 24 11:20:45 pid:5371 ERROR: [-] iRODS/server/core/src/rodsAgent.cpp:346:agentMain : status [KRB_ACCEPT_SEC_CONTEXT_ERROR] errno [] -- message [Failed during auth plugin agent start for scheme: "krb".]
[-] libkrb.cpp:892:krb_auth_agent_start : status [KRB_ACCEPT_SEC_CONTEXT_ERROR] errno [] -- message [Failed to establish server side context.]
[-] libkrb.cpp:783:krb_establish_context_serverside : status [KRB_ACCEPT_SEC_CONTEXT_ERROR] errno [] -- message [Error accepting KRB security context for client: "(null)".]
When digging into the Kerberos auth module source code and the workings of the Kerberos client side GSSAPI library, the reason appeared to be that GSS API wasn't provided a Kerberos keytab.
I managed to go around the issue by setting an environment variable KRB5_KTNAME in the server to point the keytab. This variable is used by the GSS API Kerberos library to force the loading of a specified keytab file. This works for me.
The text was updated successfully, but these errors were encountered:
It appears that Kerberos authentication doesn't work out-of-the-box with 4.1.x even with the latest release 4.1.4 and irods-auth-plugin-krb-1.2, which I built from the github repo.
Using the settings instructed in docs.irods.org I get the following message client-side
and in serverside rodsLog the following
When digging into the Kerberos auth module source code and the workings of the Kerberos client side GSSAPI library, the reason appeared to be that GSS API wasn't provided a Kerberos keytab.
I managed to go around the issue by setting an environment variable
KRB5_KTNAME
in the server to point the keytab. This variable is used by the GSS API Kerberos library to force the loading of a specified keytab file. This works for me.The text was updated successfully, but these errors were encountered: