[14619] in Kerberos


Re: kpasswd fails with multiple realms

daemon@ATHENA.MIT.EDU (Rich Jamieson)
Wed Jul 4 14:05:55 2001

From: Richard.Jamieson@db.com (Rich Jamieson)
Date: 4 Jul 2001 10:52:57 -0700
Message-ID: <2a497a.0107040952.236bc350@posting.google.com>
To: kerberos@MIT.EDU

OK - think I'm getting somewhere - found a couple of workarounds anyway.

Problem seems to be that kadmind always uses port 464 for password changing.
It's hard coded - I think.

True, you can set (eg: )
         kpasswd_server = myserver:465
in krb5.conf.
This will make kpasswd look on port 465 for the password changing service.
However this doesn't do any good if you can't get your kadmind to "look" on
port 465. The command will just hang then time out.

I've found two workarounds:

a) Use kadmin to change the password
   This doesn't use the "password service" port (default 464).
   It uses the port specified by "admin_server" in krb5.conf (eg: 749).
   you can fiddle with k5adm.acl to make sure that users can only change 
   their own passwords.
   Agree - this is a bit shabby !

b) create another kadmind binary that uses a different port (say 465) for
   its password service.
   i) Change line in include/krb5/stock/osconf.h
      to:
            #define DEFAULT_KPASSWD_PORT  465

   ii) rebuild binaries etc.

   iii) Copy the new kadmind to kadmind.465

   iv) Now you can run
         kadmind -r REALM1.COM -port 740
         kadmind.465 -r REALM2.COM -port 720

   v)  Make sure your realm entries in krb5.conf have the relevant 
       kpasswd_server entry, eg:
          REALM1.COM
             admin_server = servername:740
             kpasswd_server = servername:464

          REALM2.COM
             admin_server = servername:720
             kpasswd_server = servername:465


    Agree this is also a bit shabby :) - but possibly better than option (a)
--------

OK - both of these options work - but I guess if I was a programmer I could
come up with a more elegant solution.
Ideally I guess we'd want kadmind to look at the kpasswd_server entry in 
krb5.conf ?
If anyone has a better fix (or can code one now), please could you send me a
copy ?

Can anyone confirm that this is a bug - should I report it or something ?

Richard J

Donn Cave <donn@u.washington.edu> wrote in message news:<9hqc2m$a2c$1@nntp6.u.washington.edu>...
> Quoth Richard.Jamieson@db.com (Rich Jamieson):
> | Looks like this one has been seen before - so I get the feeling that
> | there is a patch out there somewhere. (search google for
> | "kpasswd_server David Wragg").
> | Im using MIT, krb5-1.2.2 on Solaris 2.8.
> |
> | Ive setup multiple realms on the same server.
> | The problem is that kpasswd will not work for both realms.
> | kpasswd works with one of the realms, but not the other.
> 
> I don't know about a patch, but along with
> 
>          admin_server = server1.rich.com:720
> 
> you might try
> 
>          kpasswd_server = server1.rich.com:454
> 
> That number picked at random, check for something that isn't the
> one kadmind has already bound (464?) and isn't otherwise in use.
> It's a distinct service, so it has to be on a different port
> from "admin_server".  Don't know if you can get kadmind to respect
> this, but at least the client will.  DNS fallback should also work,
> SRV record _kpasswd._udp.RJUSERS.RICH.COM port 454.
> 
> 	Donn Cave, donn@u.washington.edu
> ----------------------------------------
> | The error message I get is:
> |
> | kpasswd rjusers/admin@RJUSERS.RICH.COM
> | Password for rjusers/admin@RJUSERS.RICH.COM:
> | Enter new password:
> | Enter it again:
> | Authentication error: Failed reading application request
> |
> |
> | -----
> |
> | My krb5.conf is:
> | [libdefaults]
> |     ticket_lifetime = 600
> |     default_realm = RJUSERS.RICH.COM
> |     default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> |     default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
> |
> | [realms]
> |
> |     RJHOSTS.RICH.COM = {
> |         kdc = server1.rich.com:88
> |         admin_server = server1.rich.com:740
> |     }
> |
> |     RJUSERS.RICH.COM = {
> |         kdc = server1.rich.com:88
> |         admin_server = server1.rich.com:720
> |     }
> |
> |
> | [domain_realm]
> |     .wks.rich.com = RJUSERS.RICH.COM
> |     .srv.rich.com = RJHOSTS.RICH.COM
> |
> | [logging]
> |     kdc = FILE:/opt/MITkrb5/log/krb5kdc.log
> |     admin_server = FILE:/opt/MITkrb5/log/kadmin.log
> |     default = FILE:/opt/MITkrb5/log/krb5lib.log
> |
> | ------
> |
> | My kdc.conf is:
> | [kdcdefaults]
> |     kdc_ports = 88
> |
> | [realms]
> |
> |     RJHOSTS.RICH.COM = {
> |         profile = /opt/MITkrb5/etc/krb5.conf
> |         database_name =
> | /opt/MITkrb5/var/krb5kdc/RJHOSTS.RICH.COM/principal
> |         admin_keytab =
> | /opt/MITkrb5/var/krb5kdc/RJHOSTS.RICH.COM/kadm5.keytab
> |         acl_file = /opt/MITkrb5/var/krb5kdc/RJHOSTS.RICH.COM/kadm5.acl
> |         dict_file = /opt/MITkrb5/var/krb5kdc/kadm5.dict
> |         key_stash_file =
> | /opt/MITkrb5/var/krb5kdc/RJHOSTS.RICH.COM/.k5stash
> |         kadmind_port = 740
> |         max_life = 10h 0m 0s
> |         max_renewable_life = 7d 0h 0m 0s
> |         master_key_type = des3-hmac-sha1
> |         supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
> | des-cbc-crc:v4
> |         kdc_supported_enctypes = des3-hmac-sha1:normal
> | des-cbc-crc:normal des-cbc-crc:v4
> |     }
> |
> |     RJUSERS.RICH.COM = {
> |         database_name =
> | /opt/MITkrb5/var/krb5kdc/RJUSERS.RICH.COM/principal
> |         admin_keytab =
> | /opt/MITkrb5/var/krb5kdc/RJUSERS.RICH.COM/kadm5.keytab
> |         acl_file = /opt/MITkrb5/var/krb5kdc/RJUSERS.RICH.COM/kadm5.acl
> |         dict_file = /opt/MITkrb5/var/krb5kdc/kadm5.dict
> |         key_stash_file =
> | /opt/MITkrb5/var/krb5kdc/RJUSERS.RICH.COM/.k5stash
> |         kadmind_port = 720
> |         max_life = 10h 0m 0s
> |         max_renewable_life = 7d 0h 0m 0s
> |         master_key_type = des3-hmac-sha1
> |         supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
> | des-cbc-crc:v4
> |         kdc_supported_enctypes = des3-hmac-sha1:normal
> | des-cbc-crc:normal des-cbc-crc:v4
> |     }
> |
> | [logging]
> |     kdc = FILE:/opt/MITkrb5/log/krb5kdc.log
> |     admin_server = FILE:/opt/MITkrb5/log/kadmin.log
> |     default = FILE:/opt/MITkrb5/log/krb5lib.log
> |
> | ----
> | The relevant processes are:
> | ps -ef | grep MIT
> |     root  4644     1  0 16:32:18 ?        0:00
> | /opt/MITkrb5/sbin/krb5kdc -r RJHOSTS.RICH.COM -r RJUSERS.RICH.COM
> |     root  4647     1  0 16:32:29 ?        0:00
> | /opt/MITkrb5/sbin/kadmind -r  -port 720
> |     root  4649     1  0 16:32:42 ?        0:00
> | /opt/MITkrb5/sbin/kadmind -r RJHOSTS.RICH.COM -port 740
> |
> | Note: 
> |     If I start up the "RJUSERS.RICH.COM" kadmind first, then kpasswd
> | will work for that realm but not the "RJHOSTS.RICH.COM" realm.
> |
> |     If I start up the "RJHOSTS.RICH.COM" kadmind first, then kpasswd
> | will work for that realm but not the "RJUSERS.RICH.COM" realm.
> |
> | -----------------------------
> |
> | "man kpasswd" (and nowhere else that I can see) mentions a 
> | "kpasswd_server =  host:port" entry in the krb5.conf file.
> | If I add a pair of these entries my kpasswd command for both realms
> | just hangs.
> | eg:
> |       "kpasswd_server = server1.rich.com:740"   { for RJHOSTS }
> |   and "kpasswd_server = server1.rich.com:720"   { for RJUSERS }
> |
> | ---------
> |
> | My /etc/services file contains:
> | grep -i ker /etc/services
> |
> | klogin          543/tcp                         # Kerberos
> | authenticated rlogin
> | kshell          544/tcp         cmd             # Kerberos
> | authenticated remote shell
> | RJUSERS-kerberos-adm    720/tcp                         # Kerberos V5
> | Administration
> | RJUSERS-kerberos-adm    720/udp                         # Kerberos V5
> | Administration
> | RJHOSTS-kerberos-adm    740/tcp                         # Kerberos V5
> | Administration
> | RJHOSTS-kerberos-adm    740/udp                         # Kerberos V5
> | Administration
> | kerberos        750/udp         kdc             # Kerberos key server
> | kerberos        750/tcp         kdc             # Kerberos key server
> | kerberos-sec    88/udp          kdc             # MIT V5 Kerberos key
> | server
> | kerberos-sec    88/tcp          kdc             # MIT V5 Kerberos key
> | server
> | krb524          4444/tcp                        # MIT Kerberos 5 to 4
> | ticket translator
> | krb5_prop       754/tcp                         # Kerberos V5 KDC
> | propogation
> | eklogin         2105/tcp                        # Kerberos encrypted
> | rlogin
> |
> | -----------------
> |
> |
> | As I say, I think this has been seen before.
> | Does anyone know where I can get a patch ?
> |
> | regards
> |
> | Richard Jamieson.
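
A configuration check for the collision discussed in this thread, added here as an example (it is not code from the post or from MIT Kerberos): it parses the [realms] section of a krb5.conf, resolves each realm's password-change endpoint the way the MIT client does (kpasswd_server if set, otherwise the admin_server host on port 464), and reports any endpoint that more than one realm on the same host would claim. The sample configuration is constructed from the two realms in the thread, and the parser handles only the subset of the profile syntax shown there.

```python
import re
from collections import defaultdict

DEFAULT_KPASSWD_PORT = 464  # MIT default (DEFAULT_KPASSWD_PORT in osconf.h)

# Constructed sample: the thread's two realms on one host, with no
# kpasswd_server, so both kadminds default to port 464 and collide.
BROKEN_CONF = """[realms]
    RJHOSTS.RICH.COM = {
        admin_server = server1.rich.com:740
    }
    RJUSERS.RICH.COM = {
        admin_server = server1.rich.com:720
    }
"""

def parse_realms(conf_text):
    """Return {realm: {key: value}} from the [realms] section of a krb5.conf."""
    realms, section, current = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1], None      # new [section]
        elif section != "realms":
            continue                                 # only [realms] matters here
        elif re.fullmatch(r"[\w.\-]+\s*=\s*\{", line):
            current = line.split("=", 1)[0].strip()  # 'REALM = {'
            realms[current] = {}
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            realms[current][key] = value
    return realms

def host_port(spec, default_port):
    host, sep, port = spec.rpartition(":")  # 'host[:port]'
    return (host, int(port)) if sep else (spec, default_port)

def kpasswd_endpoint(realm_conf):
    if "kpasswd_server" in realm_conf:  # explicit entry wins, port 464 if omitted
        return host_port(realm_conf["kpasswd_server"], DEFAULT_KPASSWD_PORT)
    host, _ = host_port(realm_conf.get("admin_server", ""), 749)
    return (host, DEFAULT_KPASSWD_PORT)  # client default: admin host, port 464

def kpasswd_collisions(conf_text):
    by_endpoint = defaultdict(list)
    for realm, conf in parse_realms(conf_text).items():
        by_endpoint[kpasswd_endpoint(conf)].append(realm)
    return {ep: sorted(r) for ep, r in by_endpoint.items() if len(r) > 1}
```

Running kpasswd_collisions over the constructed sample reports ("server1.rich.com", 464) as claimed by both realms; adding kpasswd_server = server1.rich.com:465 to the second realm, as in option (b), clears the report.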
