Change password without default_realm fails

Stef Walter stefw@gnome.org
Wed Apr 25 04:27:33 EDT 2012


When there is no default_realm in /etc/krb5.conf (or no config file at
all), then changing the kerberos password fails.

This is because the "kadmin/changepw" in_tkt_service string is passed to
krb5_parse_name(), and krb5_parse_name() fails without an @REALM part in
the name string, unless a default_realm is configured.

In this case the @REALM part of in_tkt_service is not used and not
needed. This is explicitly documented in krb5.h.

Attached is a simple work around patch. If this isn't acceptable, it
seems like we have a couple ways to fix this:

 1. Make krb5_parse_name_flags accept a new
    KRB5_PRINCIPAL_PARSE_IGNORE_REALM option which would accept
    principal name strings without a @REALM part.

 2. When parsing the in_tkt_service add the realm for the current
    user to the string before passing it to krb5_parse_name(). This
    is a bit redundant because we then proceed to throw out the realm
    in the krb5_principal.

Cheers,

Stef



KRB5_TRACE LOGS:

JHBUILD [stef@stef-desktop krb5]$ KRB5_TRACE=/dev/stderr kpasswd Fry@AD.THEWALTER.LAN
[18151] 1335341729.607728: Getting initial credentials for Fry@AD.THEWALTER.LAN
[18151] 1335341729.609725: FAST armor ccache: FILE:/tmp/krb5cc_1000
[18151] 1335341729.610965: Retrieving Fry@AD.THEWALTER.LAN -> krb5_ccache_conf_data/fast_avail/krbtgt\/AD.THEWALTER.LAN\@AD.THEWALTER.LAN@X-CACHECONF: from FILE:/tmp/krb5cc_1000 with result: -1765328243/Matching credential not found
[18151] 1335341729.611074: Setting initial creds service to kadmin/changepw
[18151] 1335341729.611117: Retrying AS request with master KDC
[18151] 1335341729.611129: Getting initial credentials for Fry@AD.THEWALTER.LAN
[18151] 1335341729.611176: FAST armor ccache: FILE:/tmp/krb5cc_1000
[18151] 1335341729.611232: Retrieving Fry@AD.THEWALTER.LAN -> krb5_ccache_conf_data/fast_avail/krbtgt\/AD.THEWALTER.LAN\@AD.THEWALTER.LAN@X-CACHECONF: from FILE:/tmp/krb5cc_1000 with result: -1765328243/Matching credential not found
[18151] 1335341729.611254: Setting initial creds service to kadmin/changepw
kpasswd: Configuration file does not specify default realm getting initial ticket
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Work-around-for-changing-password-without-default_re.patch
Type: text/x-patch
Size: 1774 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20120425/4bebdcde/attachment.bin
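The following is an added, stand-alone illustration of option 2 from the message above (qualifying in_tkt_service with the client's realm before it is ever parsed). It is not the attached patch and not libkrb5 code: it reimplements only the realm lookup in plain C, with the simplified rule that a backslash quotes the next character and the first unescaped '@' starts the realm, so the "\@" inside the X-CACHECONF entries in the trace is treated as part of the name. The helper names (find_realm_sep, qualify_service, copy_string) and the principal strings in main() are constructed for the example, taken from the trace, and stand in for what the real fix would do with krb5_principal data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Return a pointer to the '@' separating the name components from the
 * realm, or NULL when the string carries no realm.  A backslash quotes the
 * next character, so "\@" is part of the name, not a separator.  Simplified
 * rule for this example; libkrb5's own parser is not reproduced here.
 */
static const char *find_realm_sep(const char *princ)
{
    const char *p;

    for (p = princ; *p != '\0'; p++) {
        if (*p == '\\') {
            if (p[1] == '\0')
                break;
            p++;                    /* skip the quoted character */
        } else if (*p == '@') {
            return p;
        }
    }
    return NULL;
}

/* Portable strdup replacement (strdup is POSIX, not C99). */
static char *copy_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *out = malloc(n);

    if (out != NULL)
        memcpy(out, s, n);
    return out;
}

/*
 * Qualify in_tkt_service with the client's realm so that a later parse
 * does not fall back on default_realm:
 *   - service already has a realm   -> copied unchanged
 *   - service lacks one, client has -> "service@CLIENTREALM"
 *   - neither has one               -> NULL (no realm to borrow; this is
 *                                      the situation the trace fails in)
 * The caller frees the result.
 */
char *qualify_service(const char *in_tkt_service, const char *client)
{
    const char *sep;
    const char *realm;
    size_t slen, rlen;
    char *out;

    if (find_realm_sep(in_tkt_service) != NULL)
        return copy_string(in_tkt_service);

    sep = find_realm_sep(client);
    if (sep == NULL || sep[1] == '\0')
        return NULL;
    realm = sep + 1;

    slen = strlen(in_tkt_service);
    rlen = strlen(realm);
    out = malloc(slen + 1 + rlen + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, in_tkt_service, slen);
    out[slen] = '@';
    memcpy(out + slen + 1, realm, rlen + 1);
    return out;
}

int main(void)
{
    /* Constructed inputs, taken from the kpasswd trace above. */
    const char *cases[][2] = {
        { "kadmin/changepw", "Fry@AD.THEWALTER.LAN" },
        { "kadmin/changepw", "Fry" },                 /* no realm anywhere */
        { "kadmin/changepw@EXAMPLE.COM", "Fry@AD.THEWALTER.LAN" },
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        char *q = qualify_service(cases[i][0], cases[i][1]);
        printf("%-28s + %-22s -> %s\n", cases[i][0], cases[i][1],
               q != NULL ? q : "(no realm available)");
        free(q);
    }
    return 0;
}
```

The NULL case is the one worth keeping visible: when neither the service string nor the client principal carries a realm, the caller has nothing to fall back on except default_realm, which is exactly the configuration the message says is absent, so the error should surface there rather than deep inside krb5_parse_name().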