[28496] in Kerberos

home help back first fref pref prev next nref lref last post

Re: Problems with kadmind, kpasswd and cross-realm authentication

daemon@ATHENA.MIT.EDU (Markus Moeller)
Tue Sep 25 17:15:16 2007

From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Tue, 25 Sep 2007 22:05:11 +0100
Message-ID: <13fiu0fhjt5nh58@corp.supernews.com>
X-Complaints-To: abuse@supernews.com
To: kerberos@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

I can reproduce the problem on my Suse 10.2 box with krb5-1.5.1-23.6 
installed. Depending how I start kadmind (with -r REALM1 or -r REALM2) I can 
change the password for a REALM1 or a REALM2 user respectively. My man pages 
say:

-r realm  specifies  the default realm that kadmind will serve; if it is not 
specified, the default realm of
              the host is used.  kadmind will answer requests for  any 
realm  that  exists  in  the  local  KDC
              database and for which the appropriate principals are in its 
keytab.

If I don't provide the -r option the default realm of the host ( is this the 
kdc ?) is used, so it sounds kadmind can not answer for all realms despite 
the second sentence.

Why can't kadmind be use like krb5kdc with -r REALM1 and -r REALM2 ?

Markus


"Anthony Brock" <brocka@sterlingcgi.com> wrote in message 
news:mailman.119.1190734310.2905.kerberos@mit.edu...
> I'm running version 1.6 on a Debian lenny box. The actual Debian packages
> are:
>
> ii  krb5-admin-server               1.6.dfsg.1-7         MIT Kerberos 
> master
> server (kadmind)
> ii  krb5-kdc                        1.6.dfsg.1-7         MIT Kerberos key
> server (KDC)
>
> Tony
>
>
>> -----Original Message-----
>> From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu]On
>> Behalf Of Markus Moeller
>> Sent: Monday, September 24, 2007 4:15 PM
>> To: kerberos@mit.edu
>> Subject: Re: Problems with kadmind, kpasswd and cross-realm
>> authentication
>>
>>
>> That looks to me like a bug in the kdc code. Which release do you use ?
>>
>> Markus
>>
>> "Anthony Brock" <brocka@sterlingcgi.com> wrote in message
>> news:mailman.111.1190673340.2905.kerberos@mit.edu...
>> > Unfortunately I'm not necessarily familiar enough to know if I'm seeing
>> > the
>> > "correct" tickets. I am seeing 6 packets with the first 4 are directed
>> > to/from port 88 and the last 2 directed to/from 464:
>> >
>> > PKT 1: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server
>> > Name
>> > (Principal): kadmin/changepw, KRB5 AS-REQ
>> > PKT 2: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server
>> > Name
>> > (Principal): kadmin/changepw, KRB5 KRB Error:
>> KRB5KDC_ERR_PREAUTH_REQUIRED
>> > PKT 3: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server
>> > Name
>> > (Principal): kadmin/changepw, KRB5 AS-REQ
>> > PKT 4: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server
>> > Name
>> > (Principal): kadmin/changepw, KRB5 AS-REP
>> >
>> > Then I see:
>> >
>> > PKT 5: Tkt-vno: 5, Realm: STERLINGCGI.COM, Server Name (Principal):
>> > kadmin/changepw, KPASSWD Reply
>> > PKT 6: KPASSWD Reply[Malformed Packet]
>> >
>> > It's interesting to note that I can see in the "text" field of
>> wireshark
>> > for
>> > the "[Malformed Packet: Kpasswd]" the words "SCGROUP.ORG", "kadmin",
>> > "changepw" and "Failed reading application request". However, 
>> > obviously,
>> > wireshark didn't seem to understand the contents of the packet.
>> Other than
>> > this anomaly, the REALM looks good to me.
>> >
>> > I'm also attaching a "text" export of the packet capture from 
>> > wireshark.
>> >
>> > Tony
>> >
>> >
>> >> -----Original Message-----
>> >> From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu]On
>> >> Behalf Of Markus Moeller
>> >> Sent: Monday, September 24, 2007 1:39 PM
>> >> To: kerberos@mit.edu
>> >> Subject: Re: Problems with kadmind, kpasswd and cross-realm
>> >> authentication
>> >>
>> >>
>> >> What do you see when you capture the traffic with wireshark on
>> >> port 88 and
>> >> 464 ?  Do you see the correct kadmin/changepw@REALM tickets ?
>> >>
>> >> Markus
>> >>
>> >> "Anthony Brock" <brocka@sterlingcgi.com> wrote in message
>> >> news:mailman.110.1190648781.2905.kerberos@mit.edu...
>> >> >> -----Original Message-----
>> >> >> Any ideas?
>> >> >>
>> >> >> The man page states that kadmind should be able to change
>> >> >> passwords for any
>> >> >> realms that have an associated kadmin/changepw@<REALM> and
>> >> >> kadmin/admin@<REALM> principal. Is this still true? Or has
>> >> >> support for this
>> >> >> functionality been dropped? If not, what debugging can be
>> performed to
>> >> >> identify the cause of the issue?
>> >> >>
>> >> >> Ideas?
>> >> >>
>> >> >> Tony
>> >> >
>> >> > Given that it's been 3 weeks and nobody has any suggestions
>> for further
>> >> > troubleshooting or identifying the issue, should this be
>> submitted as a
>> >> > bug
>> >> > in kadmind? If so, how do I submit it? Is there a documented process
>> >> > for
>> >> > this?
>> >> >
>> >> > Also, are there any suggested workarounds? I've seen references
>> >> from 2004
>> >> > to
>> >> > people running a separate kadmind daemon for each realm
>> using different
>> >> > port
>> >> > numbers. Is this safe against a single db? If not, how do
>> you migrate a
>> >> > realm out of the default db into a separate db files?
>> >> >
>> >> > Thanks!
>> >> >
>> >> > Tony
>> >> >
>> >>
>> >>
>> >> ________________________________________________
>> >> Kerberos mailing list           Kerberos@mit.edu
>> >> https://mailman.mit.edu/mailman/listinfo/kerberos
>> >>
>> >
>>
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
> 


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post