[krbdev.mit.edu #3064] Solaris client and 1.4 kadmind

Shawn Emery via RT rt-comment at krbdev.mit.edu
Thu May 19 19:19:23 EDT 2005


For rpcsec-gss kadm5, Solaris has always used the changepw/<master_fqhn>
principal.  Starting with MIT 1.4's kadmind, it now supports an
rpcsec-gss kadmind.  However, it expects its clients to only use
the kadmin/changepw service principal.  The problem is that MIT is
restricting the authorization to kadmin/changepw and this subsequently
causes a Solaris kpasswd interop issue:

client% kpasswd
kpasswd: Changing password for user1.
Old password:
kpasswd: Cannot establish a session with the Kerberos administrative
server for realm EXAMPLE.COM. Communication failure with server.

The server yields:
May 18 21:22:22 kdc1 krb5kdc[15301](info): AS_REQ (5 etypes {17 16 23 3
1}) 1.2.3.4: ISSUE: authtime 1116476542, etypes {rep=16 tkt=16 ses=16},
user1@EXAMPLE.COM for changepw/kdc1.example.com@EXAMPLE.COM
May 18 21:22:24 kdc1 kadmind[15407](Error): bad service principal
changepw/kdc1.example.com@EXAMPLE.COM
May 18 21:22:24 kdc1 kadmind[15407](Error): Authentication attempt
failed: 1.2.3.4, RPC authentication flavor 6

The solution is to have MIT open up the check to include the
changepw/<master_fqhn> service principal for the rpcsec-gss protocol
(see below).  It would also be helpful if MIT's kdb5_util create command
created the changepw/<master_fqhn> principal along with the default
principal set.

Shawn.
--
Sun Microsystems, Inc. Software Security Group (Kerberos)

Diffs for 1.4.1 source
----------------------
src/kadmin/server/kadm_rpc_svc.c:
@@ -283,11 +283,12 @@

      c1 = krb5_princ_component(kctx, princ, 0);
      c2 = krb5_princ_component(kctx, princ, 1);
      realm = krb5_princ_realm(kctx, princ);
      if (strncmp(handle->params.realm, realm->data, realm->length) == 0
-	 && strncmp("kadmin", c1->data, c1->length) == 0) {
+	 && (strncmp("kadmin", c1->data, c1->length) == 0
+	 || strncmp("changepw", c1->data, c1->length) == 0)) {

 	  if (strncmp("history", c2->data, c2->length) == 0)
 	       goto fail_princ;
 	  else
 	       success = 1;
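Review bot: the added strncmp("changepw", c1->data, c1->length) on the `+` lines inherits the prefix-matching weakness already present in the "kadmin" and realm comparisons above it: a strncmp bounded by the component's own length succeeds for any component that is a prefix of the literal, so a first component of "change", "c" or even the empty string passes, as does a realm that is merely a prefix of handle->params.realm. Compare lengths before bytes, e.g. `c1->length == strlen("changepw") && memcmp("changepw", c1->data, c1->length) == 0`, and apply the same shape to the "kadmin" and realm tests. Separately, with this hunk any changepw/<anything>@REALM is now authorized, since c2 is only checked against "history"; if the intent is to admit changepw/<master_fqhn> alone, c2 should also be compared against the master KDC's hostname rather than left unchecked.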


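The authorization decision the ticket is about is a string comparison on the components of the client's service principal. The C program below is an added illustration, not code from MIT krb5 or from Sun's patch: it models a principal with a hypothetical `kdata`/`princ_t` pair (constructed stand-ins for krb5_data and krb5_principal), fixes the served realm to `EXAMPLE.COM`, and runs the same check two ways, once with the length-bounded `strncmp` idiom the hunk uses and once with an exact length-then-bytes comparison. The constructed names include the two legitimate principals from the ticket plus several that only the prefix-style check accepts.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for krb5_data: length-prefixed byte string. */
typedef struct {
    unsigned int length;
    const char *data;
} kdata;

/* Hypothetical stand-in for the pieces of a krb5_principal the check reads. */
typedef struct {
    kdata realm;
    kdata comp[2];
    int ncomp;
} princ_t;

/* Realm this example kadmind serves (handle->params.realm in the patch). */
#define KADMIND_REALM "EXAMPLE.COM"

static kdata mkdata(const char *s)
{
    kdata d;
    d.length = (unsigned int)strlen(s);
    d.data = s;
    return d;
}

/* Build comp0/comp1@realm from constructed strings. */
static princ_t mkprinc(const char *c0, const char *c1, const char *realm)
{
    princ_t p;
    p.realm = mkdata(realm);
    p.comp[0] = mkdata(c0);
    p.comp[1] = mkdata(c1);
    p.ncomp = 2;
    return p;
}

/* The idiom in the patch: bounded by the component's own length, so it
 * succeeds whenever the component is a prefix of the literal ("change"
 * matches "changepw", the empty component matches anything). */
static int prefix_match(const char *literal, const kdata *d)
{
    return strncmp(literal, d->data, d->length) == 0;
}

/* Exact comparison: lengths must agree before any bytes are compared. */
static int exact_match(const char *literal, const kdata *d)
{
    size_t n = strlen(literal);
    return d->length == n && memcmp(literal, d->data, n) == 0;
}

/* Same shape as the patched check: our realm, first component kadmin or
 * changepw, second component not history. The matcher picks the style. */
static int authorized(const princ_t *p, int (*match)(const char *, const kdata *))
{
    if (p->ncomp != 2)
        return 0;
    if (!match(KADMIND_REALM, &p->realm))
        return 0;
    if (!(match("kadmin", &p->comp[0]) || match("changepw", &p->comp[0])))
        return 0;
    if (match("history", &p->comp[1]))
        return 0;
    return 1;
}

/* 1 if comp0/comp1@realm is accepted; exact=0 uses the strncmp idiom. */
int check_principal(const char *c0, const char *c1, const char *realm, int exact)
{
    princ_t p = mkprinc(c0, c1, realm);
    return authorized(&p, exact ? exact_match : prefix_match);
}

int main(void)
{
    /* Constructed inputs: the ticket's two real principals, then names that
     * only the prefix-based comparison lets through. */
    static const char *cases[][3] = {
        {"kadmin",   "changepw",         "EXAMPLE.COM"},
        {"changepw", "kdc1.example.com", "EXAMPLE.COM"},
        {"kadmin",   "history",          "EXAMPLE.COM"},
        {"change",   "kdc1.example.com", "EXAMPLE.COM"},
        {"kad",      "changepw",         "EXAMPLE.COM"},
        {"",         "changepw",         "EXAMPLE.COM"},
        {"kadmin",   "changepw",         "EXAMPLE"},
        {"kadmin",   "changepw",         "EXAMPLE.ORG"},
    };
    size_t i;

    printf("%-40s prefix exact\n", "principal");
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char name[80];
        snprintf(name, sizeof name, "%s/%s@%s", cases[i][0], cases[i][1], cases[i][2]);
        printf("%-40s %-6d %d\n", name,
               check_principal(cases[i][0], cases[i][1], cases[i][2], 0),
               check_principal(cases[i][0], cases[i][1], cases[i][2], 1));
    }
    return 0;
}
```

Under the exact matcher only `kadmin/changepw@EXAMPLE.COM` and `changepw/kdc1.example.com@EXAMPLE.COM` are accepted, which is the behaviour the ticket asks for; the prefix matcher additionally admits the truncated component names and the truncated realm.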


More information about the krb5-bugs mailing list