What is 'flavor'?
Mike Friedman
mikef at ack.Berkeley.EDU
Wed Aug 10 16:05:49 EDT 2005
On Tue, 9 Aug 2005 at 22:07 (-0400), Tom Yu wrote:
>>>>>> "mikef" == Mike Friedman <mikef at ack.berkeley.edu> writes:
>
> mikef> o Is this information, in particular the meaning of specific flavor
> mikef> values, documented?
>
> mikef> So far, I've seen the following values for 'flavor': 6 and
> mikef> 300001. The former corresponds to an interactive kadmin
> mikef> authentication; the latter to a kadmin using a keytab. But thus far
> mikef> I have no further information, so I'm hoping someone can enlighten me.
>
> 6 is RPCSEC_GSS, which is the IETF standards-track authentication
> flavor for using GSSAPI in RPC. 300001 would be the AUTH_GSSAPI
> flavor developed by OpenVision, which is not standards-track. See
> RFCs 1831, 1832, 2203, etc. for details.
>
> I'm not quite sure why you're seeing 300001 when using a keytab.
> Exactly how are you invoking kadmin using a keytab? And which release
> are you running on the kadmin client? RPCSEC_GSS (flavor 6) should
> be used in preference to 300001 by modern MIT krb5.
Tom,
Actually I misspoke a bit. What I have is my own code, based on code in
kadmin, that does a password change. (FWIW, although the client now has
1.3.4 installed, this code was, I believe, compiled with an older release
of MIT K5, possibly as far back as 2001).
Here's the admin authentication piece of the code:
    /* Initialize the kadm5 connection, using the supplied keytab */
    retval = kadm5_init_with_skey(
                admin_princstr,
                keytab_name,
                KADM5_ADMIN_SERVICE,
                &params,
                KADM5_STRUCT_VERSION,
                KADM5_API_VERSION_2,
                &handle);
    if (retval) {
        com_err(whoami, retval, "while initializing %s interface", whoami);
        if (handle)
            kadm5_destroy(handle);
        exit(retval);
    }
Followed a bit later by this:
    /* Now try the passphrase change */
    retval = kadm5_chpass_principal(handle, princ, passphrase);
    krb5_free_principal(context, princ);
    if (retval) {
        com_err(whoami, retval,
                "while changing passphrase for \"%s\".", canon);
        rcode = retval;
    }
    else
        printf("Password for \"%s\" changed.\n", canon);
Mike
_____________________________________________________________________
Mike Friedman System and Network Security
mikef at ack.Berkeley.EDU 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://ack.Berkeley.EDU/~mikef http://security.berkeley.edu
_____________________________________________________________________
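The flavor values discussed in this thread travel in the credential field of the RPC call header described in RFC 1831. The following C code is an added example, not part of the original message or of MIT krb5: it reads that field from a raw call message and names the flavors mentioned above. The function names, the sample bytes and the program number 0x20000000 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a 32-byte RPC call header carrying flavor 300001
 * (0x000493E1). The program number 0x20000000 is a placeholder. */
static const unsigned char sample_call[32] = {
    0,0,0,1,  0,0,0,0,        /* xid; msg_type = CALL */
    0,0,0,2,  0x20,0,0,0,     /* rpcvers = 2; prog (placeholder) */
    0,0,0,1,  0,0,0,0,        /* vers; proc */
    0,0x04,0x93,0xE1, 0,0,0,0 /* cred flavor = 300001; cred length = 0 */
};

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Read the credential flavor of an RFC 1831 call; msg starts after any TCP
 * record mark. Returns 0, or -1 if msg is not a well-formed v2 call. */
int rpc_call_flavor(const unsigned char *msg, size_t len, uint32_t *flavor)
{
    if (len < 32) return -1;                    /* eight fixed words */
    if (be32(msg + 4) != 0 || be32(msg + 8) != 2) return -1;
    uint32_t cred_len = be32(msg + 28);         /* opaque body<400> */
    if (cred_len > 400 || cred_len > len - 32) return -1;
    *flavor = be32(msg + 24);
    return 0;
}

const char *flavor_name(uint32_t f)
{
    switch (f) {
    case 0: return "AUTH_NONE";
    case 1: return "AUTH_SYS";
    case 6: return "RPCSEC_GSS";       /* RFC 2203 */
    case 300001: return "AUTH_GSSAPI"; /* value from the thread above */
    default: return "unknown";
    }
}

int main(void)
{
    uint32_t f = 0;
    int rc = rpc_call_flavor(sample_call, sizeof sample_call, &f);
    printf("rc=%d flavor=%u (%s)\n", rc, (unsigned)f, flavor_name(f));
    return 0;
}
```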