X2Go Bug report logs - #739
Kerberos cred delegation fails on Windows

version graph

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Michael DePaulo <mikedep333@gmail.com>

Date: Sun, 11 Jan 2015 17:20:02 UTC

Severity: normal

Tags: build-win32

Found in version 4.0.3.1

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#739; Package x2goclient. (Sun, 11 Jan 2015 17:20:02 GMT) (full text, mbox, link).

Acknowledgement sent to Michael DePaulo <mikedep333@gmail.com>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Sun, 11 Jan 2015 17:20:02 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

From: Michael DePaulo <mikedep333@gmail.com>
To: submit@bugs.x2go.org
Subject: "Connection failed" errors when using GSSAPI on Windows (PuTTY+Krb5)
Date: Sun, 11 Jan 2015 12:15:50 -0500
[Message part 1 (text/plain, inline)]
Package: x2goclient
Version: 4.0.3.1

Client OS: Windows 8.1 64-bit with all available updates

Server OS: Fedora 21 64-bit with most available updates
Server krb5 client: samba winbind 4.1.14-1.fc21
x2goagent: 3.5.0.28
x2goserver: 4.0.1.18
x2goserver-extensions: 4.0.1.18
x2goserver-xsession: 4.0.1.18 (with fix for #632 applied)

When I attempt to use GSSAPI authentication on Windows, with either
x2goclient 4.0.3.1-20141214 or x2goclient 4.0.3.2 development build
(2015-01-11 9363860), I see 2 error messages come up when I start a
new session on the aforementioned host:

Message 1:

Connection failed : cp: missing destination file operand after
'/home/DEPAULO/mike/.x2go/C-mike-50-1420995172_stDMATE_dp32/krb5cc'
Try 'cp --help' for more information

Message 2:

Connection failed pscp: unable to open
/home/mike/.x2go/ssh/key.Hp6896: no such file or directory

Message 1 is on top of message 2.

If I reconnect to a session, I only receive message #2.

Under both versions of x2goclient, the X2go Session appears to start
successfully. e.g., I see my mate desktop launch. And I can actually
interact with it.

However, whenever I connect with 4.0.3.1-20141214, as soon as I
dismiss error message #2, x2goclient terminates entirely.

On 4.0.3.2, these error messages are harmless (but annoying.)

I've attached the log from the 4.0.3.2 development build (2015-01-11 9363860).

I've also attached the server's samba configuration.

[4.0.3.2 2015-01-11 9363860 log.txt (text/plain, attachment)]
[samba configuration.txt (text/plain, attachment)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#739; Package x2goclient. (Mon, 12 Jan 2015 04:30:01 GMT) (full text, mbox, link).

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Mon, 12 Jan 2015 04:30:03 GMT) (full text, mbox, link).

Message #10 received at 739@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Michael DePaulo <mikedep333@gmail.com>, 739@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#739: "Connection failed" errors when using GSSAPI on Windows (PuTTY+Krb5)
Date: Mon, 12 Jan 2015 04:25:06 +0000
[Message part 1 (text/plain, inline)]
Control: tag -1 build-win32
Control: retitle -1 Kerberos cred delegation fails on Windows
Control: retitle #731 Kerbers cred delegation fails on Linux

HI Michael,

On  So 11 Jan 2015 18:15:50 CET, Michael DePaulo wrote:

> Package: x2goclient
> Version: 4.0.3.1
>
> Client OS: Windows 8.1 64-bit with all available updates
>
> Server OS: Fedora 21 64-bit with most available updates
> Server krb5 client: samba winbind 4.1.14-1.fc21
> x2goagent: 3.5.0.28
> x2goserver: 4.0.1.18
> x2goserver-extensions: 4.0.1.18
> x2goserver-xsession: 4.0.1.18 (with fix for #632 applied)
>
> When I attempt to use GSSAPI authentication on Windows, with either
> x2goclient 4.0.3.1-20141214 or x2goclient 4.0.3.2 development build
> (2015-01-11 9363860), I see 2 error messages come up when I start a
> new session on the aforementioned host:
>
> Message 1:
>
> Connection failed : cp: missing destination file operand after
> '/home/DEPAULO/mike/.x2go/C-mike-50-1420995172_stDMATE_dp32/krb5cc'
> Try 'cp --help' for more information
>
> Message 2:
>
> Connection failed pscp: unable to open
> /home/mike/.x2go/ssh/key.Hp6896: no such file or directory
>
> Message 1 is on top of message 2.
>
> If I reconnect to a session, I only receive message #2.
>
> Under both versions of x2goclient, the X2go Session appears to start
> successfully. e.g., I see my mate desktop launch. And I can actually
> interact with it.
>
> However, whenever I connect with 4.0.3.1-20141214, as soon as I
> dismiss error message #2, x2goclient terminates entirely.
>
> On 4.0.3.2, these error messages are harmless (but annoying.)
>
> I've attached the log from the 4.0.3.2 development build (2015-01-11  
> 9363860).
>
> I've also attached the server's samba configuration.

This (for Windows version of X2Go Client) seems like the pendant to  
#731 (Linux version of X2Go Client).

Your observed error means that Kerberos credentials delegation fails  
on Windows.

Mike

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

[Message part 2 (application/pgp-signature, inline)]

Added tag(s) build-win32. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to 739-submit@bugs.x2go.org. (Mon, 12 Jan 2015 04:30:05 GMT) (full text, mbox, link).

Changed Bug title to 'Kerberos cred delegation fails on Windows' from '"Connection failed" errors when using GSSAPI on Windows (PuTTY+Krb5)' Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to 739-submit@bugs.x2go.org. (Mon, 12 Jan 2015 04:30:05 GMT) (full text, mbox, link).

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#739; Package x2goclient. (Mon, 19 Aug 2019 14:30:02 GMT) (full text, mbox, link).

Acknowledgement sent to Frank Lenaerts <frank.lenaerts@sckcen.be>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Mon, 19 Aug 2019 14:30:02 GMT) (full text, mbox, link).

Message #19 received at 739@bugs.x2go.org (full text, mbox, reply):

From: Frank Lenaerts <frank.lenaerts@sckcen.be>
To: <739@bugs.x2go.org>
Subject: Kerberos credential delegation on Windows
Date: Mon, 19 Aug 2019 16:28:43 +0200
Hi

I also encountered this issue and found out that Windows' GSSAPI
library checks if the target server can be trusted before delegating
tickets to it. If you trust the target system, tickets can be
forwarded to it and things work as expected. Note that ssh(1) on Linux
doesn't do this check i.o.w. using ssh(1)'s -K option just works.

To configure this:

"AD Users and Computers" > search the target host > properties >
Delegation tab > Trust...

-- 
Kind regards

Frank Lenaerts

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 12:11:23 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.