Problem with libkadm5clnt.so after upgrade to 1.4.1

Utente amministrativo admin at betty.dei.unipd.it
Tue Aug 2 07:33:08 EDT 2005


Hello 
we use LDAP+KERBEROS and after upgrading from 1.4 to 1.4.1 
my scripts for users creation/change don't work anymore.
They are based on 'kadmin' utility or perl module Authen::Krb5::Admin 
for remote management on the kerberos and LDAP db.
As user/admin at REALM I am used to doing only
'kinit user/admin at REALM' 
to grant me LDAP and KERBEROS admin access.
All scripts then use the KRB5CCNAME file.
Symptoms are that 'kadmin -c $KRB5CCNAME -q ...' or Authen::Krb5::Admin->init_with_creds
refuse to try to use existing krbtgt/REALM at REALM to get the mandatory 
kadmin/krbserver.domain at REALM service ticket.
If I do a 'kinit -s kadmin/admin user/admin' it works but
then I can't use that service ticket to access LDAP.
Replacing libkadm5clnt.so with the previous 1.4 version fixes it
and after a run of init_with_creds my cache file correctly contains:
08/02/05 12:56:20  08/03/05 12:56:20  krbtgt/REALM at REALM
08/02/05 12:56:28  08/03/05 12:56:20  kadmin/krbserver.domain at REALM
08/02/05 12:56:28  08/03/05 12:56:20  ldap/krbserver.domain at REALM

Sources' Changelog file helps me to concentrate on
krb5-1.4.1/src/lib/kadm5/clnt/client_init.c
After some deep investigation with DDD (you know, it's summertime
and sysadmins have a lot of spare time ;) it seems that the section starting from line 434:
     code = kadm5_gic_iter(handle, init_type, ccache,
                           client, pass, svcname, realm,
                           full_svcname, full_svcname_len);
     if ((code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
          || code == KRB5_CC_NOTFOUND) && svcname_in == NULL) {
          /* Retry with old host-independent service princpal. */
          code = kadm5_gic_iter(handle, init_type, ccache,
                                client, pass,
                                KADM5_ADMIN_SERVICE, realm,
                                full_svcname, full_svcname_len);
     }

checks only for an existing kadmin/fqdn at REALM or (fallback) kadmin/admin at REALM
and obviously returns an error. The embarrassing thing is that if I create
a cache with the 1.4 libkadm5clnt.so it is gladly accepted by the 1.4.1 libkadm5clnt.so.
I am not a kerberos guru so there could be something wrong
in my configuration or in my way of understanding Kerberos philosophy.

Any feedback will be appreciated.

    Regards 
        Valerio Pulese


--		admin at dei.unipd.it
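As an added example (not code from the original post or from MIT krb5), a Python check that parses a klist-style cache listing like the one above and reports whether the cache holds the TGT, a kadmin service ticket in the order client_init.c looks for it (kadmin/<fqdn> first, then the old kadmin/admin), and an ldap ticket; the realm and host names are constructed placeholders.

```python
"""Check a klist-style credential cache listing for the tickets a kadm5
client needs: a TGT plus kadmin/<fqdn> or the legacy kadmin/admin fallback."""
from datetime import datetime
from typing import NamedTuple

class Ticket(NamedTuple):
    issued: datetime
    expires: datetime
    principal: str

# Constructed sample in the layout klist prints (the list archive shows "at"
# in place of "@"); realm and host names are placeholders.
SAMPLE_KLIST = """\
08/02/05 12:56:20  08/03/05 12:56:20  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
08/02/05 12:56:28  08/03/05 12:56:20  kadmin/krbserver.example.org@EXAMPLE.ORG
08/02/05 12:56:28  08/03/05 12:56:20  ldap/krbserver.example.org@EXAMPLE.ORG
"""
SAMPLE_NOW = datetime(2005, 8, 2, 13, 0, 0)  # inside the sample's lifetime

def parse_klist(text):
    """Parse 'issued  expires  principal' lines; skip klist headers/blanks."""
    fmt, tickets = "%m/%d/%y %H:%M:%S", []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or "@" not in parts[4]:
            continue
        issued = datetime.strptime(parts[0] + " " + parts[1], fmt)
        expires = datetime.strptime(parts[2] + " " + parts[3], fmt)
        tickets.append(Ticket(issued, expires, parts[4]))
    return tickets

def kadmin_service_ticket(tickets, realm, kadmin_host):
    """Same lookup order as client_init.c: kadmin/<fqdn> first, then the old
    host-independent kadmin/admin; None when neither ticket is cached."""
    names = {t.principal for t in tickets}
    for cand in ("kadmin/%s@%s" % (kadmin_host, realm), "kadmin/admin@%s" % realm):
        if cand in names:
            return cand
    return None

def diagnose(text, realm, kadmin_host, now=None):
    """Report what a kadmin/LDAP client could do with this cache at `now`."""
    now = now or datetime.now()
    live = [t for t in parse_klist(text) if t.expires > now]
    tgt = "krbtgt/%s@%s" % (realm, realm)
    return {
        "has_tgt": any(t.principal == tgt for t in live),
        "kadmin_ticket": kadmin_service_ticket(live, realm, kadmin_host),
        "has_ldap": any(t.principal.startswith("ldap/") for t in live),
    }
```

Run it against `klist` output of your own cache (with `now` left as the default) to see whether init_with_creds actually left a kadmin service ticket behind, and which of the two principal forms it obtained.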