Problem with libkadm5clnt.so after upgrade to 1.4.1
Utente amministrativo
admin at bella.dei.unipd.it
Tue Aug 9 19:53:53 EDT 2005
Hi
On Mon, Aug 08, 2005 at 03:09:37PM -0400, Tom Yu wrote:
> >>>>> "admin" == Utente amministrativo <admin at betty.dei.unipd.it> writes:
>
> admin> we use LDAP+KERBEROS and after upgrading from 1.4 to 1.4.1
> admin> my scripts for users creation/change don't work anymore.
> admin> They are based on 'kadmin' utility or perl module Authen::Krb5::Admin
> admin> for remote management on the kerberos and LDAP db.
> admin> As user/admin at REALM I am used to do only
> admin> 'kinit user/admin at REALM'
> admin> to grant me LDAP and KERBEROS admin access.
> admin> All scripts then use the KRB5CCNAME file.
> admin> Symptoms are that 'kadmin -c $KRB5CCNAME -q ...' or Authen::Krb5::Admin->init_with_creds
> admin> refuse to try to use existing krbtgt/REALM at REALM to get the mandatory
> admin> kadmin/krbserver.domain at REALM service ticket.
>
> Could you please quote the exact error you get?
"Authenticating as principal user/admin at REALM with existing credentials.
kadmin: Matching credential not found while initializing kadmin interface"
> admin> If I do a 'kinit -s kadmin/admin user/admin' it works but
> admin> then I can't use that service ticket to access LDAP.
>
> I believe that using "kinit -s kadmin/admin user/admin" is the only
> way that's documented to work.
It seems to me that when I connect with LDAP through GSSAPI
I don't need a ticket for a particular service but only a user/admin
principal.
When I am authenticated as user/admin in a REALM it should be enough.
Policies and ACLs complete the security scheme.
Correct me if I am wrong but I believe that this is the way
ticket-granting tickets work.
However a future workaround would be to store differentservices tickets
in two separate files:
one for LDAP and the other for KRB5 managing.
> admin> Replacing libkadm5clnt.so with previuos 1.4 version fixes it
> admin> and after a run of init_with_creds my cache file correctly contains:
> admin> 08/02/05 12:56:20 08/03/05 12:56:20 krbtgt/REALM at REALM
> admin> 08/02/05 12:56:28 08/03/05 12:56:20 kadmin/krbserver.domain at REALM
> admin> 08/02/05 12:56:28 08/03/05 12:56:20 ldap/krbserver.domain at REALM
>
> Your ability to get a kadmin/krbserver.domain at REALM ticket using a TGT
> indicates that your kadmin/krbserver.domain principal doesn't have the
> DISALLOW_TGT_BASED flag set, which should typically be the case for
> kadmin-related principals.
>
> ---Tom
'getprinc kadmin/admin' says:
[...]
Attributes: DISALLOW_TGT_BASED
Policy: [none]
When things started not working I firstly try unsetting
that flag (after reading krb5 API docs) but it
didn't fix the problem so I set it again to the default value.
Thanks in advance
Valerio Pulese
--
--
-- admin at dei.unipd.it
--
-
More information about the Kerberos
mailing list