Skip to content
GitLab
Closed
Issue created by Wlodzimierz Wencel@wlodekMaintainer

gss tsig usage of credentials-cache

While testing gss tsig hook I came upon one major issue all came down to configuring two values:

"client-keytab": "FILE:/etc/dhcp.keytab",
"credentials-cache": "FILE:/etc/ccache",

Tests are based on keytabs, and based on documentation and examples I had always those two values configured.

While I was running kea on root account (installed from tarball) having "credentials-cache" configured did NOT caused any problems, but while running Kea from _kea account (debian pkg) Kea failed to authenticate with an error:

BAD_CLIENT_CREDENTIALS bad client credentials: gss_acquire_cred failed with GSSAPI error: Major = 'Unspecified GSS failure.  Minor code may provide more information' (851968), Minor = 'Principal in credential cache does not match desired name' (39756032).

After discussing this with @razvan I learned that those two values can't be used together.

This have two ways forward:

  • update documentation and example files
  • the fact that from root account this configuration worked may be indicating underling issue, it should be investigated
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information