Kerberos keytab doesn't load, KRB auth fails with 4.1.4 and irods-auth-plugin-krb-1.2 #2848

Closed
ilarik opened this issue Aug 24, 2015 · 1 comment
ilarik commented Aug 24, 2015

It appears that Kerberos authentication doesn't work out-of-the-box with 4.1.x even with the latest release 4.1.4 and irods-auth-plugin-krb-1.2, which I built from the github repo.

Using the settings instructed in docs.irods.org I get the following message client-side

```
Level 0: DEBUG: On iRODS-Server side:GSS-API error Acquiring credentials.: Unspecified GSS failure.  Minor code may provide more information
Level 1: DEBUG: On iRODS-Server side:GSS-API error Acquiring credentials.: 
[-] libkrb.cpp:1194:krb_auth_client_request :  status [KRB_ERROR_ACQUIRING_CREDS]  errno [] -- message [call to rcAuthRequest failed.]

 failed with error -965000 KRB_ERROR_ACQUIRING_CREDS
```

and in serverside rodsLog the following

```
Aug 24 11:20:45 pid:5371 DEBUG: On iRODS-Server side:GSS-API error Acquiring credentials.: Unspecified GSS failure.  Minor code may provide more information
Aug 24 11:20:45 pid:5371 DEBUG: On iRODS-Server side:GSS-API error Acquiring credentials.: 
Aug 24 11:20:45 pid:5371 ERROR: [-] iRODS/server/api/src/rsAuthPluginRequest.cpp:85:rsAuthPluginRequest :  status [KRB_ERROR_ACQUIRING_CREDS]  errno [] -- message []
    [-] libkrb.cpp:1237:krb_auth_agent_request :  status [KRB_ERROR_ACQUIRING_CREDS]  errno [] -- message [Setting up KRB credentials failed.]
        [-] libkrb.cpp:220:krb_setup_creds :  status [KRB_ERROR_ACQUIRING_CREDS]  errno [] -- message [Failed acquiring credentials.]

Aug 24 11:20:45 pid:5371 DEBUG: On iRODS-Server side:GSS-API error accepting context: Invalid token was supplied
Aug 24 11:20:45 pid:5371 DEBUG: On iRODS-Server side:GSS-API error accepting context: Unknown error
Aug 24 11:20:45 pid:5371 ERROR: [-] iRODS/server/core/src/rodsAgent.cpp:346:agentMain :  status [KRB_ACCEPT_SEC_CONTEXT_ERROR]  errno [] -- message [Failed during auth plugin agent start for scheme: "krb".]
    [-] libkrb.cpp:892:krb_auth_agent_start :  status [KRB_ACCEPT_SEC_CONTEXT_ERROR]  errno [] -- message [Failed to establish server side context.]
        [-] libkrb.cpp:783:krb_establish_context_serverside :  status [KRB_ACCEPT_SEC_CONTEXT_ERROR]  errno [] -- message [Error accepting KRB security context for client: "(null)".]
```

When digging into the Kerberos auth module source code and the workings of the Kerberos client side GSSAPI library, the reason appeared to be that GSS API wasn't provided a Kerberos keytab.

I managed to work around the issue by setting an environment variable KRB5_KTNAME in the server to point to the keytab. This variable is used by the GSS API Kerberos library to force the loading of a specified keytab file. This works for me.
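A pre-flight check for the workaround described above, as an added example that is not part of the original issue or of the iRODS code: it validates the file that `KRB5_KTNAME` names before the server starts. The function name `check_keytab` and its status words are hypothetical; it assumes a file-based keytab and is meant to run as the account that runs the iRODS server.

```shell
#!/bin/sh
# Added example (not from the issue or from iRODS): validate the keytab that
# KRB5_KTNAME points to. Run as the account that runs the iRODS server
# (assumption), so the readability test reflects what the server will see.

# check_keytab VALUE
# Prints one status word; returns 0 only when the status is "ok".
check_keytab() {
    kt=$1
    if [ -z "$kt" ]; then
        echo unset; return 1          # GSS-API falls back to its default keytab
    fi
    # Accept a bare absolute path or the FILE:/WRFILE: keytab type prefixes.
    # Anything else (relative paths, MEMORY:, ...) is reported, not guessed at.
    case $kt in
        FILE:*)   kt_file=${kt#FILE:} ;;
        WRFILE:*) kt_file=${kt#WRFILE:} ;;
        /*)       kt_file=$kt ;;
        *)        echo unsupported; return 1 ;;
    esac
    [ -f "$kt_file" ] || { echo missing; return 1; }
    [ -r "$kt_file" ] || { echo unreadable; return 1; }
    [ -s "$kt_file" ] || { echo empty; return 1; }
    # A keytab holds the service's long-term keys, so group/other access is a
    # finding. Characters 5-10 of the ls mode string are the group and other
    # bits; "------" means owner-only (for example mode 0600 or 0400).
    perms=$(ls -ld "$kt_file" | cut -c5-10)
    [ "$perms" = "------" ] || { echo loose-perms; return 1; }
    echo ok
}

# Report on the current environment; never aborts the calling script.
result=$(check_keytab "${KRB5_KTNAME:-}") || true
echo "KRB5_KTNAME check: $result"
```

A status of `unset`, `missing` or `unreadable` corresponds to the server being unable to acquire credentials from the keytab; `loose-perms` does not break authentication but exposes the service key to other local accounts.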

@jasoncoposky
closing, referenced from the Kerberos repository.

@trel trel added this to the 4.2.0 milestone May 16, 2016