From nobody@FreeBSD.org  Tue Nov  6 15:02:09 2007
Message-Id: <200711061501.lA6F1tDi013890@www.freebsd.org>
Date: Tue, 6 Nov 2007 15:01:55 GMT
From: Nathan Whitehorn <whitehorn@wisc.edu>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [heimdal] kinit generates bad tickets on multihomed IPv6 hosts
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         117867
>Category:       kern
>Synopsis:       [heimdal] kinit generates bad tickets on multihomed IPv6 hosts - may need to update krb
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 06 15:10:01 UTC 2007
>Closed-Date:    
>Last-Modified:  Wed Jun 01 20:41:23 UTC 2011
>Originator:     Nathan Whitehorn
>Release:        7.0-CURRENT
>Organization:
University of Wisconsin
>Environment:
FreeBSD banshee.munuc.org 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Mon Oct  8 14:34:11 CDT 2007     root@munuc.org:/usr/obj/usr/src/sys/X2100  amd64
>Description:
On systems with multiple IPv6 interfaces, Kerberos tickets with addresses in them are not accepted by other hosts, with the following error:

[nwhitehorn@banshee ~]$ telnet tiburon   
Trying 2001:4830:151a:d610:20f:b5ff:fefb:4219...
Connected to tiburon.munuc.org.
Escape character is '^]'.
[ Trying mutual KERBEROS5 (host/tiburon.munuc.org@MUNUC.ORG)... ]
[ Kerberos V5 refuses authentication because Read req failed: ASN.1 badly-formatted encoding ]
[ Trying KERBEROS5 (host/tiburon.munuc.org@MUNUC.ORG)... ]
[ Kerberos V5 refuses authentication because Read req failed: ASN.1 badly-formatted encoding ]

(This also happens if I connect over IPv4.)

My tickets look like this:

[nwhitehorn@banshee ~]$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: nwhitehorn@MUNUC.ORG
    Cache version: 4

Server: krbtgt/MUNUC.ORG@MUNUC.ORG
Ticket etype: des3-cbc-sha1, kvno 1
Auth time:  Nov  6 08:54:32 2007
End time:   Nov  6 18:54:32 2007
Renew till: Nov 13 08:54:32 2007
Ticket flags: renewable, initial
Addresses: IPv4:10.0.10.1, IPv6:2001:4830:151a:d610::1, IPv4:128.135.214.27, IPv4:128.135.214.16, IPv6:2001:4830:151a:d600::d610

I have also experienced this problem on a machine running FreeBSD/arm 7.0-CURRENT, one running FreeBSD/i386 5.5-STABLE, and one running 8.0-CURRENT on i386.
>How-To-Repeat:
Try to use Kerberos tickets obtained on a multihomed IPv6 host.
>Fix:
Acquire the tickets with kinit --no-addresses.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->kmacy 
Responsible-Changed-By: kmacy 
Responsible-Changed-When: Fri Nov 16 20:53:07 UTC 2007 
Responsible-Changed-Why:  

I need to cross-reference this with the KTH Kerberos bug database to see if this
has been fixed there.

http://www.freebsd.org/cgi/query-pr.cgi?pr=117867 
Responsible-Changed-From-To: kmacy->freebsd-bugs 
Responsible-Changed-By: gavin 
Responsible-Changed-When: Wed Jun 1 20:35:23 UTC 2011 
Responsible-Changed-Why:  
kmacy has asked for all of his PRs to be reassigned, put back into the 
pool. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=117867 
>Unformatted:
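
Added example (not part of the original report, and not Heimdal code): a Python check that parses `klist -v` output in the layout shown in the Description and lists tickets whose address list holds more than one IPv6 address, the condition this report describes; such tickets can be re-acquired with `kinit --no-addresses` as given under Fix. The second ticket in the sample, its server name, and the `addressless` marker for a ticket without addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample: the ticket quoted in this report, plus a made-up
# second ticket without an address list (assumed to print "addressless").
SAMPLE = """\
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: nwhitehorn@MUNUC.ORG
    Cache version: 4

Server: krbtgt/MUNUC.ORG@MUNUC.ORG
Ticket etype: des3-cbc-sha1, kvno 1
Ticket flags: renewable, initial
Addresses: IPv4:10.0.10.1, IPv6:2001:4830:151a:d610::1, IPv4:128.135.214.27, IPv4:128.135.214.16, IPv6:2001:4830:151a:d600::d610

Server: host/example.invalid@MUNUC.ORG
Ticket flags: forwardable
Addresses: addressless
"""

def parse_tickets(text):
    """Split `klist -v` output into one dict per ticket, keyed on 'Server:'."""
    tickets, current = [], None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep and key == "Server":
            current = {"server": value, "addresses": []}
            tickets.append(current)
        elif sep and key == "Addresses" and current is not None:
            # Entries look like "IPv6:2001:...": split family from address once.
            current["addresses"] = [tuple(a.split(":", 1))
                                    for a in value.split(", ") if ":" in a]
    return tickets

def ipv6_addresses(ticket):
    """Return the syntactically valid IPv6 addresses bound into a ticket."""
    out = []
    for family, addr in ticket["addresses"]:
        try:
            if family == "IPv6" and ipaddress.ip_address(addr).version == 6:
                out.append(addr)
        except ValueError:
            continue  # unparsable entry: not counted
    return out

def flag_multi_ipv6(tickets):
    """Tickets listing more than one IPv6 address (the case in this report)."""
    return [(t["server"], ipv6_addresses(t)) for t in tickets
            if len(ipv6_addresses(t)) > 1]

if __name__ == "__main__":
    for server, addrs in flag_multi_ipv6(parse_tickets(SAMPLE)):
        print(f"{server}: {len(addrs)} IPv6 addresses, consider kinit --no-addresses")
```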
