[14614] in Kerberos


kpasswd fails with multiple realms

daemon@ATHENA.MIT.EDU (Rich Jamieson)
Mon Jul 2 12:06:30 2001

From: Richard.Jamieson@db.com (Rich Jamieson)
Date: 2 Jul 2001 08:47:24 -0700
Message-ID: <2a497a.0107020747.3419a188@posting.google.com>
To: kerberos@MIT.EDU

Looks like this one has been seen before, so I get the feeling that
there is a patch out there somewhere (search Google for
"kpasswd_server David Wragg").
I'm using MIT krb5-1.2.2 on Solaris 2.8.

I've set up multiple realms on the same server.
The problem is that kpasswd will not work for both realms.
kpasswd works with one of the realms, but not the other.

----

The error message I get is:

kpasswd rjusers/admin@RJUSERS.RICH.COM
Password for rjusers/admin@RJUSERS.RICH.COM:
Enter new password:
Enter it again:
Authentication error: Failed reading application request


-----

My krb5.conf is:
[libdefaults]
    ticket_lifetime = 600
    default_realm = RJUSERS.RICH.COM
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]

    RJHOSTS.RICH.COM = {
        kdc = server1.rich.com:88
        admin_server = server1.rich.com:740
    }

    RJUSERS.RICH.COM = {
        kdc = server1.rich.com:88
        admin_server = server1.rich.com:720
    }


[domain_realm]
    .wks.rich.com = RJUSERS.RICH.COM
    .srv.rich.com = RJHOSTS.RICH.COM

[logging]
    kdc = FILE:/opt/MITkrb5/log/krb5kdc.log
    admin_server = FILE:/opt/MITkrb5/log/kadmin.log
    default = FILE:/opt/MITkrb5/log/krb5lib.log

------

My kdc.conf is:
[kdcdefaults]
    kdc_ports = 88

[realms]

    RJHOSTS.RICH.COM = {
        profile = /opt/MITkrb5/etc/krb5.conf
        database_name = /opt/MITkrb5/var/krb5kdc/RJHOSTS.RICH.COM/principal
        admin_keytab = /opt/MITkrb5/var/krb5kdc/RJHOSTS.RICH.COM/kadm5.keytab
        acl_file = /opt/MITkrb5/var/krb5kdc/RJHOSTS.RICH.COM/kadm5.acl
        dict_file = /opt/MITkrb5/var/krb5kdc/kadm5.dict
        key_stash_file = /opt/MITkrb5/var/krb5kdc/RJHOSTS.RICH.COM/.k5stash
        kadmind_port = 740
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
        kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
    }

    RJUSERS.RICH.COM = {
        database_name = /opt/MITkrb5/var/krb5kdc/RJUSERS.RICH.COM/principal
        admin_keytab = /opt/MITkrb5/var/krb5kdc/RJUSERS.RICH.COM/kadm5.keytab
        acl_file = /opt/MITkrb5/var/krb5kdc/RJUSERS.RICH.COM/kadm5.acl
        dict_file = /opt/MITkrb5/var/krb5kdc/kadm5.dict
        key_stash_file = /opt/MITkrb5/var/krb5kdc/RJUSERS.RICH.COM/.k5stash
        kadmind_port = 720
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
        kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
    }

[logging]
    kdc = FILE:/opt/MITkrb5/log/krb5kdc.log
    admin_server = FILE:/opt/MITkrb5/log/kadmin.log
    default = FILE:/opt/MITkrb5/log/krb5lib.log

----
The relevant processes are:
ps -ef | grep MIT
    root  4644     1  0 16:32:18 ?        0:00 /opt/MITkrb5/sbin/krb5kdc -r RJHOSTS.RICH.COM -r RJUSERS.RICH.COM
    root  4647     1  0 16:32:29 ?        0:00 /opt/MITkrb5/sbin/kadmind -r  -port 720
    root  4649     1  0 16:32:42 ?        0:00 /opt/MITkrb5/sbin/kadmind -r RJHOSTS.RICH.COM -port 740

Note: 
    If I start up the "RJUSERS.RICH.COM" kadmind first, then kpasswd
will work for that realm but not the "RJHOSTS.RICH.COM" realm.

    If I start up the "RJHOSTS.RICH.COM" kadmind first, then kpasswd
will work for that realm but not the "RJUSERS.RICH.COM" realm.

-----------------------------

"man kpasswd" (and nowhere else that I can see) mentions a
"kpasswd_server = host:port" entry in the krb5.conf file.
If I add a pair of these entries my kpasswd command for both realms
just hangs.
e.g.:
      "kpasswd_server = server1.rich.com:740"   { for RJHOSTS }
  and "kpasswd_server = server1.rich.com:720"   { for RJUSERS }

---------

My /etc/services file contains:
grep -i ker /etc/services

klogin          543/tcp                         # Kerberos authenticated rlogin
kshell          544/tcp         cmd             # Kerberos authenticated remote shell
RJUSERS-kerberos-adm    720/tcp                         # Kerberos V5 Administration
RJUSERS-kerberos-adm    720/udp                         # Kerberos V5 Administration
RJHOSTS-kerberos-adm    740/tcp                         # Kerberos V5 Administration
RJHOSTS-kerberos-adm    740/udp                         # Kerberos V5 Administration
kerberos        750/udp         kdc             # Kerberos key server
kerberos        750/tcp         kdc             # Kerberos key server
kerberos-sec    88/udp          kdc             # MIT V5 Kerberos key server
kerberos-sec    88/tcp          kdc             # MIT V5 Kerberos key server
krb524          4444/tcp                        # MIT Kerberos 5 to 4 ticket translator
krb5_prop       754/tcp                         # Kerberos V5 KDC propogation
eklogin         2105/tcp                        # Kerberos encrypted rlogin

-----------------


As I say, I think this has been seen before.
Does anyone know where I can get a patch?

regards

Richard Jamieson.
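The symptom in the post (whichever kadmind is started first owns kpasswd for its realm, the other realm fails) is the pattern you get when two realms served from one admin host resolve to the same kpasswd endpoint. As an added example that is not from the original post or from MIT krb5, the POSIX shell/awk script below reads the [realms] section of a krb5.conf, prints the host:port that the kpasswd client would contact for each realm, and flags any host:port shared by more than one realm. It assumes MIT's documented client fallback: with no kpasswd_server entry the admin_server host on port 464 is used, and a kpasswd_server without a port also means 464. The kadmind-side counterpart, kpasswd_port in the kdc.conf realm stanza (default 464), is documented for current MIT releases; whether krb5-1.2.2 honours it is an assumption here. The two sample configurations are constructed to mirror the post; the ports 4740 and 4720 in the second sample are hypothetical and would have to match each realm's kpasswd_port on the kadmind side. (The ps output in the post also shows one kadmind started with an empty `-r` argument, which is worth checking separately.)

```shell
#!/bin/sh
# Added example, not from the post or from MIT krb5.
# Reports the host:port each realm's kpasswd client will contact and flags
# realms that share one, which is what happens when several kadmind instances
# on one host all fall back to the default kpasswd port.
# Assumption (MIT krb5 documented default): no kpasswd_server entry means
# "admin_server host, port 464"; a kpasswd_server without a port means 464.

# kpasswd_targets FILE -> one "REALM HOST:PORT" line per realm in [realms]
kpasswd_targets() {
    awk '
    # track the current [section]; strip brackets and whitespace
    /^[ \t]*\[/ { section = $0; gsub(/[][ \t]/, "", section); next }
    section != "realms" { next }
    # "REALM = {" opens a realm stanza
    NF >= 3 && $2 == "=" && $3 == "{" { realm = $1; adm = ""; kp = ""; next }
    # "}" closes it: decide the effective kpasswd target
    $1 == "}" && realm != "" {
        if (kp != "") {
            target = kp
            if (target !~ /:/) target = target ":464"   # default kpasswd port
        } else {
            host = adm; sub(/:.*/, "", host)             # admin host, port 464
            target = host ":464"
        }
        print realm, target
        realm = ""; next
    }
    realm != "" && $1 == "admin_server"   { adm = $3 }
    realm != "" && $1 == "kpasswd_server" { kp = $3 }
    ' "$1"
}

# kpasswd_collisions FILE -> "HOST:PORT: REALM REALM..." for each shared target
kpasswd_collisions() {
    kpasswd_targets "$1" | awk '
        { n[$2]++; realms[$2] = realms[$2] " " $1 }
        END { for (t in n) if (n[t] > 1) print t ":" realms[t] }'
}

# Constructed sample mirroring the post: two realms, one admin host, no
# kpasswd_server entries, so both resolve to server1.rich.com:464.
write_sample_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = RJUSERS.RICH.COM

[realms]
    RJHOSTS.RICH.COM = {
        kdc = server1.rich.com:88
        admin_server = server1.rich.com:740
    }

    RJUSERS.RICH.COM = {
        kdc = server1.rich.com:88
        admin_server = server1.rich.com:720
    }

[domain_realm]
    .wks.rich.com = RJUSERS.RICH.COM
EOF
}

# Constructed variant with one kpasswd endpoint per realm (hypothetical ports
# 4740/4720; each must match that realm's kpasswd_port on the kadmind side).
write_fixed_conf() {
    cat > "$1" <<'EOF'
[realms]
    RJHOSTS.RICH.COM = {
        kdc = server1.rich.com:88
        admin_server = server1.rich.com:740
        kpasswd_server = server1.rich.com:4740
    }
    RJUSERS.RICH.COM = {
        kdc = server1.rich.com:88
        admin_server = server1.rich.com:720
        kpasswd_server = server1.rich.com:4720
    }
EOF
}

# Stand-alone use: check a real krb5.conf given as $1, or the built-in samples.
if [ -n "$1" ]; then
    kpasswd_targets "$1"; kpasswd_collisions "$1"
else
    tmp=$(mktemp) || exit 1
    for writer in write_sample_conf write_fixed_conf; do
        "$writer" "$tmp"
        echo "== $writer =="; kpasswd_targets "$tmp"
        echo "shared:"; kpasswd_collisions "$tmp"
    done
    rm -f "$tmp"
fi
```

Run it against a real krb5.conf with `sh check_kpasswd.sh /opt/MITkrb5/etc/krb5.conf`; any line under "shared:" names an endpoint that more than one realm would use, which is exactly the case where only one kadmind can hold the port and the other realm's kpasswd fails.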
