gss tsig usage of credentials-cache
While testing the gss tsig hook I came upon one major issue, which all came down to configuring two values:
"client-keytab": "FILE:/etc/dhcp.keytab",
"credentials-cache": "FILE:/etc/ccache",
Tests are based on keytabs, and based on documentation and examples I always had those two values configured.
While I was running Kea on the root account (installed from tarball), having "credentials-cache" configured did NOT cause any problems, but while running Kea from the _kea account (debian pkg) Kea failed to authenticate with an error:
BAD_CLIENT_CREDENTIALS bad client credentials: gss_acquire_cred failed with GSSAPI error: Major = 'Unspecified GSS failure. Minor code may provide more information' (851968), Minor = 'Principal in credential cache does not match desired name' (39756032).
After discussing this with @razvan I learned that those two values can't be used together.
This has two ways forward:
- update documentation and example files
- the fact that this configuration worked from the root account may indicate an underlying issue; it should be investigated
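
A diagnostic sketch for the error above, added here as an example and not part of the original report or of Kea: it flags a gss_tsig parameter map that sets both values, and compares the principal held in the credentials cache with the principals in the keytab. The sample `klist` and `klist -k` text is constructed, the function names are hypothetical, and treating the "desired name" as one of the keytab's principals is an assumption.

```python
import re

# Constructed samples in MIT krb5 `klist` / `klist -k` output format.
SAMPLE_CCACHE = """\
Ticket cache: FILE:/etc/ccache
Default principal: admin@EXAMPLE.ORG

Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
"""
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/dhcp.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 DHCP/kea.example.org@EXAMPLE.ORG
"""

def ccache_principal(klist_out):
    """Return the 'Default principal' of a credentials cache listing, or None."""
    m = re.search(r"^Default principal:\s*(\S+)", klist_out, re.M)
    return m.group(1) if m else None

def keytab_principals(klist_k_out):
    """Return the set of principals listed by `klist -k` (KVNO + principal rows)."""
    rows = re.finditer(r"^\s*\d+\s+(\S+@\S+)\s*$", klist_k_out, re.M)
    return {m.group(1) for m in rows}

def check(gss_params, klist_out, klist_k_out):
    """Return a list of findings for a gss_tsig parameter map (hypothetical helper)."""
    findings = []
    if "client-keytab" in gss_params and "credentials-cache" in gss_params:
        findings.append("both client-keytab and credentials-cache are set")
    cached = ccache_principal(klist_out)
    in_keytab = keytab_principals(klist_k_out)
    # Assumption: the name Kea asks for is one of the keytab's principals.
    if cached is not None and cached not in in_keytab:
        findings.append(
            f"ccache principal {cached} not in keytab: {', '.join(sorted(in_keytab))}"
        )
    return findings

if __name__ == "__main__":
    params = {"client-keytab": "FILE:/etc/dhcp.keytab",
              "credentials-cache": "FILE:/etc/ccache"}
    for finding in check(params, SAMPLE_CCACHE, SAMPLE_KEYTAB):
        print("WARNING:", finding)
```

To use it on a real host, feed it the output of `klist -c` on the configured cache and `klist -k` on the configured keytab, both run as the account Kea runs under.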