[14616] in Kerberos
Re: kpasswd fails with multiple realms
daemon@ATHENA.MIT.EDU (Donn Cave)
Mon Jul 2 14:04:38 2001
From: Donn Cave <donn@u.washington.edu>
Date: 2 Jul 2001 17:47:02 GMT
Message-ID: <9hqc2m$a2c$1@nntp6.u.washington.edu>
To: kerberos@MIT.EDU
Quoth Richard.Jamieson@db.com (Rich Jamieson):
| Looks like this one has been seen before - so I get the feeling that
| there is a patch out there somewhere. (search google for
| "kpasswd_server David Wragg").
| I'm using MIT, krb5-1.2.2 on Solaris 2.8.
|
| I've set up multiple realms on the same server.
| The problem is that kpasswd will not work for both realms.
| kpasswd works with one of the realms, but not the other.
I don't know about a patch, but along with
admin_server = server1.rich.com:720
you might try
kpasswd_server = server1.rich.com:454
That number was picked at random; check for something that isn't the
one kadmind has already bound (464?) and isn't otherwise in use.
It's a distinct service, so it has to be on a different port
from "admin_server". Don't know if you can get kadmind to respect
this, but at least the client will. DNS fallback should also work,
SRV record _kpasswd._udp.RJUSERS.RICH.COM port 454.
Donn Cave, donn@u.washington.edu
----------------------------------------
| The error message I get is:
|
| kpasswd rjusers/admin@RJUSERS.RICH.COM
| Password for rjusers/admin@RJUSERS.RICH.COM:
| Enter new password:
| Enter it again:
| Authentication error: Failed reading application request
|
|
| -----
|
| My krb5.conf is:
| [libdefaults]
| ticket_lifetime = 600
| default_realm = RJUSERS.RICH.COM
| default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
| default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
|
| [realms]
|
| RJHOSTS.RICH.COM = {
| kdc = server1.rich.com:88
| admin_server = server1.rich.com:740
| }
|
| RJUSERS.RICH.COM = {
| kdc = server1.rich.com:88
| admin_server = server1.rich.com:720
| }
|
|
| [domain_realm]
| .wks.rich.com = RJUSERS.RICH.COM
| .srv.rich.com = RJHOSTS.RICH.COM
|
| [logging]
| kdc = FILE:/opt/MITkrb5/log/krb5kdc.log
| admin_server = FILE:/opt/MITkrb5/log/kadmin.log
| default = FILE:/opt/MITkrb5/log/krb5lib.log
|
| ------
|
| My kdc.conf is:
| [kdcdefaults]
| kdc_ports = 88
|
| [realms]
|
| RJHOSTS.RICH.COM = {
| profile = /opt/MITkrb5/etc/krb5.conf
| database_name = /opt/MITkrb5/var/krb5kdc/RJHOSTS.RICH.COM/principal
| admin_keytab = /opt/MITkrb5/var/krb5kdc/RJHOSTS.RICH.COM/kadm5.keytab
| acl_file = /opt/MITkrb5/var/krb5kdc/RJHOSTS.RICH.COM/kadm5.acl
| dict_file = /opt/MITkrb5/var/krb5kdc/kadm5.dict
| key_stash_file = /opt/MITkrb5/var/krb5kdc/RJHOSTS.RICH.COM/.k5stash
| kadmind_port = 740
| max_life = 10h 0m 0s
| max_renewable_life = 7d 0h 0m 0s
| master_key_type = des3-hmac-sha1
| supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
| kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
| }
|
| RJUSERS.RICH.COM = {
| database_name = /opt/MITkrb5/var/krb5kdc/RJUSERS.RICH.COM/principal
| admin_keytab = /opt/MITkrb5/var/krb5kdc/RJUSERS.RICH.COM/kadm5.keytab
| acl_file = /opt/MITkrb5/var/krb5kdc/RJUSERS.RICH.COM/kadm5.acl
| dict_file = /opt/MITkrb5/var/krb5kdc/kadm5.dict
| key_stash_file = /opt/MITkrb5/var/krb5kdc/RJUSERS.RICH.COM/.k5stash
| kadmind_port = 720
| max_life = 10h 0m 0s
| max_renewable_life = 7d 0h 0m 0s
| master_key_type = des3-hmac-sha1
| supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
| kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
| }
|
| [logging]
| kdc = FILE:/opt/MITkrb5/log/krb5kdc.log
| admin_server = FILE:/opt/MITkrb5/log/kadmin.log
| default = FILE:/opt/MITkrb5/log/krb5lib.log
|
| ----
| The relevant processes are:
| ps -ef | grep MIT
| root 4644 1 0 16:32:18 ? 0:00
| /opt/MITkrb5/sbin/krb5kdc -r RJHOSTS.RICH.COM -r RJUSERS.RICH.COM
| root 4647 1 0 16:32:29 ? 0:00
| /opt/MITkrb5/sbin/kadmind -r -port 720
| root 4649 1 0 16:32:42 ? 0:00
| /opt/MITkrb5/sbin/kadmind -r RJHOSTS.RICH.COM -port 740
|
| Note:
| If I start up the "RJUSERS.RICH.COM" kadmind first, then kpasswd
| will work for that realm but not the "RJHOSTS.RICH.COM" realm.
|
| If I start up the "RJHOSTS.RICH.COM" kadmind first, then kpasswd
| will work for that realm but not the "RJUSERS.RICH.COM" realm.
|
| -----------------------------
|
| "man kpasswd" (and nowhere else that I can see) mentions a
| "kpasswd_server = host:port" entry in the krb5.conf file.
| If I add a pair of these entries my kpasswd command for both realms
| just hangs.
| eg:
| "kpasswd_server = server1.rich.com:740" { for RJHOSTS }
| and "kpasswd_server = server1.rich.com:720" { for RJUSERS }
|
| ---------
|
| My /etc/services file contains:
| grep -i ker /etc/services
|
| klogin 543/tcp # Kerberos
| authenticated rlogin
| kshell 544/tcp cmd # Kerberos
| authenticated remote shell
| RJUSERS-kerberos-adm 720/tcp # Kerberos V5
| Administration
| RJUSERS-kerberos-adm 720/udp # Kerberos V5
| Administration
| RJHOSTS-kerberos-adm 740/tcp # Kerberos V5
| Administration
| RJHOSTS-kerberos-adm 740/udp # Kerberos V5
| Administration
| kerberos 750/udp kdc # Kerberos key server
| kerberos 750/tcp kdc # Kerberos key server
| kerberos-sec 88/udp kdc # MIT V5 Kerberos key
| server
| kerberos-sec 88/tcp kdc # MIT V5 Kerberos key
| server
| krb524 4444/tcp # MIT Kerberos 5 to 4
| ticket translator
| krb5_prop 754/tcp # Kerberos V5 KDC
| propogation
| eklogin 2105/tcp # Kerberos encrypted
| rlogin
|
| -----------------
|
|
| As I say, I think this has been seen before.
| Does anyone know where I can get a patch ?
|
| regards
|
| Richard Jamieson.
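As an added example (not code from this thread or from MIT Kerberos), the check below parses the [realms] section of a krb5.conf the way the posted one is laid out and applies the two rules in Donn's reply: the kpasswd service needs a port distinct from admin_server, and two realms on one host must not resolve to the same kpasswd host:port. It assumes the MIT client defaults of port 749 for admin_server and port 464 for kpasswd when a port or the whole kpasswd_server entry is omitted, and it assumes port 455 is a free port for the RJHOSTS realm (Donn's 454 is used for RJUSERS). The three sample configurations are constructed from the posted one: as posted, with kpasswd_server pointed at the kadmind ports (the "hangs" attempt), and with separate ports.

```python
"""Check the [realms] section of a krb5.conf for kpasswd endpoint problems.

Added example for this thread, not code from MIT Kerberos or from either
poster. It understands only the subset of krb5.conf syntax used in the
posted configuration: [section] headers, 'REALM = { ... }' and 'key = value'.
"""
import re
from collections import defaultdict

# Assumed MIT client defaults when a realm omits the port or the whole
# kpasswd_server entry: kadmin on 749, password changes on 464.
DEFAULT_ADMIN_PORT = 749
DEFAULT_KPASSWD_PORT = 464


def parse_realms(text):
    """Return {realm: {key: value}} for the [realms] section of krb5.conf text."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section, realm = header.group(1), None
            continue
        if section != "realms":
            continue
        opener = re.match(r"([\w.\-]+)\s*=\s*\{$", line)
        if opener:
            realm = opener.group(1)
            realms[realm] = {}
        elif line == "}":
            realm = None
        elif realm is not None and "=" in line:
            key, _, value = line.partition("=")
            realms[realm][key.strip()] = value.strip()
    return realms


def endpoint(value, default_port):
    """Split 'host[:port]' into a (host, port) tuple."""
    host, _, port = value.partition(":")
    return host.lower(), int(port) if port else default_port


def kpasswd_endpoints(text):
    """Map realm -> (admin (host, port), kpasswd (host, port)) as a client resolves them."""
    result = {}
    for realm, conf in parse_realms(text).items():
        if "admin_server" not in conf:
            continue
        admin = endpoint(conf["admin_server"], DEFAULT_ADMIN_PORT)
        if "kpasswd_server" in conf:
            kp = endpoint(conf["kpasswd_server"], DEFAULT_KPASSWD_PORT)
        else:
            kp = (admin[0], DEFAULT_KPASSWD_PORT)  # assumed fallback: admin host, port 464
        result[realm] = (admin, kp)
    return result


def check_kpasswd(text):
    """Return findings as (code, realms, host, port) tuples; empty list means nothing found."""
    findings = []
    by_endpoint = defaultdict(list)
    for realm, (admin, kp) in kpasswd_endpoints(text).items():
        if kp == admin:
            # kpasswd is a distinct service and cannot share kadmind's port.
            findings.append(("SAME_AS_ADMIN", (realm,), kp[0], kp[1]))
        by_endpoint[kp].append(realm)
    for (host, port), realms in sorted(by_endpoint.items()):
        if len(realms) > 1:
            # Two realms resolving to one host:port means one daemon would have to
            # serve both, consistent with only the first-started kadmind answering.
            findings.append(("SHARED", tuple(sorted(realms)), host, port))
    return findings


def srv_names(text):
    """Return realm -> (SRV record name, port) for the DNS fallback Donn describes."""
    return {realm: ("_kpasswd._udp." + realm, kp[1])
            for realm, (_, kp) in kpasswd_endpoints(text).items()}


# Constructed sample: the posted [realms] section, with no kpasswd_server entries.
POSTED_KRB5_CONF = """
[realms]
    RJHOSTS.RICH.COM = {
        kdc = server1.rich.com:88
        admin_server = server1.rich.com:740
    }
    RJUSERS.RICH.COM = {
        kdc = server1.rich.com:88
        admin_server = server1.rich.com:720
    }
"""


def with_kpasswd(hosts_port, users_port):
    """Return the posted config with a kpasswd_server line added to each realm."""
    return (POSTED_KRB5_CONF
            .replace("com:740\n", "com:740\n        kpasswd_server = server1.rich.com:%d\n" % hosts_port)
            .replace("com:720\n", "com:720\n        kpasswd_server = server1.rich.com:%d\n" % users_port))


SAME_PORT_KRB5_CONF = with_kpasswd(740, 720)      # the attempt that hung
SEPARATE_PORT_KRB5_CONF = with_kpasswd(455, 454)  # 454 from Donn, 455 assumed free

if __name__ == "__main__":
    for name, conf in [("posted", POSTED_KRB5_CONF), ("same port", SAME_PORT_KRB5_CONF),
                       ("separate ports", SEPARATE_PORT_KRB5_CONF)]:
        print(name, check_kpasswd(conf) or "ok")
```

Run stand-alone it reports the posted config as both realms sharing server1.rich.com:464, the kadmind-port attempt as two SAME_AS_ADMIN findings, and the separate-port version as clean; srv_names() gives the `_kpasswd._udp.REALM` names and ports that the DNS records would need to carry for the client fallback to agree with the file.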