Kea issue #2247 (ISC Open Source Projects)
Issue created Dec 16, 2021 by Wlodzimierz Wencel (@wlodek, Maintainer)

gss tsig usage of credentials-cache

While testing the gss tsig hook I came upon one major issue; it all came down to configuring two values:

"client-keytab": "FILE:/etc/dhcp.keytab",
"credentials-cache": "FILE:/etc/ccache",

Tests are based on keytabs, and based on documentation and examples I always had those two values configured.

While I was running Kea on the root account (installed from tarball), having "credentials-cache" configured did NOT cause any problems, but while running Kea from the _kea account (Debian pkg) Kea failed to authenticate with an error:

BAD_CLIENT_CREDENTIALS bad client credentials: gss_acquire_cred failed with GSSAPI error: Major = 'Unspecified GSS failure.  Minor code may provide more information' (851968), Minor = 'Principal in credential cache does not match desired name' (39756032).

After discussing this with @razvan I learned that those two values can't be used together.

This has two ways forward:

  • update documentation and example files
  • the fact that this configuration worked from the root account may be indicating an underlying issue; it should be investigated
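
A configuration check for the combination reported above, as an added example that is not part of the original issue or of Kea's own code: it parses a D2 configuration (including the comments Kea allows in its JSON) and reports any gss_tsig hook whose parameters set both "client-keytab" and "credentials-cache". The library path and sample configuration are constructed, and recognising the hook by "gss_tsig" in the library file name is an assumption.

```python
import json
import re

# Kea accepts #, // and /* */ comments in its JSON, which json.loads rejects.
# String literals are matched first so markers inside strings are kept.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)


def strip_comments(text):
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return _TOKEN.sub(keep, text)


def find_keytab_ccache_conflicts(config_text):
    """Return one finding per gss_tsig hook that sets both parameters."""
    conf = json.loads(strip_comments(config_text))
    findings = []
    for hook in conf.get("DhcpDdns", {}).get("hooks-libraries", []):
        # Assumption: the hook is recognised by "gss_tsig" in its file name.
        if "gss_tsig" not in hook.get("library", ""):
            continue
        params = hook.get("parameters") or {}
        keytab = params.get("client-keytab")
        ccache = params.get("credentials-cache")
        if keytab and ccache:
            findings.append({"library": hook["library"],
                             "client-keytab": keytab,
                             "credentials-cache": ccache})
    return findings


def sample_config(parameters):
    """Constructed D2 configuration; the library path is a placeholder."""
    return """{
  # constructed sample, not a real deployment
  "DhcpDdns": {
    "hooks-libraries": [ {
      "library": "/path/to/libddns_gss_tsig.so",  // placeholder path
      "parameters": %s  /* values as quoted in the issue */
    } ]
  }
}""" % json.dumps(parameters)


BOTH = sample_config({"client-keytab": "FILE:/etc/dhcp.keytab",
                      "credentials-cache": "FILE:/etc/ccache"})
KEYTAB_ONLY = sample_config({"client-keytab": "FILE:/etc/dhcp.keytab"})

if __name__ == "__main__":
    for name, text in (("both", BOTH), ("keytab only", KEYTAB_ONLY)):
        print(name, find_keytab_ccache_conflicts(text))
```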