Problems with kadmind, kpasswd and cross-realm authentication

Anthony Brock brocka at sterlingcgi.com
Tue Sep 4 19:06:54 EDT 2007


Also, I forgot to mention that I'm running Debian testing with the following
packages:

ii  krb5-admin-server           1.6.dfsg.1-6         MIT Kerberos master server (kadmind)
ii  krb5-config                 1.17                 Configuration files for Kerberos Version 5
ii  krb5-doc                    1.6.dfsg.1-6         Documentation for MIT Kerberos
ii  krb5-kdc                    1.6.dfsg.1-6         MIT Kerberos key server (KDC)
ii  krb5-user                   1.6.dfsg.1-6         Basic programs to authenticate using MIT Ker
ii  libkadm55                   1.6.dfsg.1-6         MIT Kerberos administration runtime librarie
ii  libkrb5-17-heimdal          0.7.2.dfsg.1-10      Libraries for Heimdal Kerberos
ii  libkrb53                    1.6.dfsg.1-6         MIT Kerberos runtime libraries

Any help will be greatly appreciated!

Tony


> -----Original Message-----
> From: Anthony Brock [mailto:brocka at sterlingcgi.com]
> Sent: Tuesday, September 04, 2007 4:03 PM
> To: kerberos at mit.edu
> Subject: Problems with kadmind, kpasswd and cross-realm authentication
>
>
> I have created several cross-realm trusts on a test server. At
> this point, nearly everything is working properly. However, users
> are unable to change their passwords unless their account is in
> the initial domain. Users see the following when attempting it
> from the initial domain:
>
> # kpasswd
> Password for brocka at SCGROUP.ORG:
> Enter new password:
> Enter it again:
> Password changed.
> #
>
> Unfortunately, the following happens for additional domains:
>
> # kpasswd
> Password for brocka at STERLINGCGI.COM:
> Enter new password:
> Enter it again:
> Authentication error: Failed reading application request
> #
>
> An strace of the kadmind daemon during a failed request shows the
> following:
>
> Process 1123 attached - interrupt to quit
> select(8, [6 7], NULL, NULL, {10, 890000}) = 0 (Timeout)
> select(8, [6 7], NULL, NULL, {15, 0})   = 1 (in [7], left {12, 140000})
> recvfrom(7,
> "\2\37\0\1\1\272n\202\1\2660\202\1\262\240\3\2\1\5\241\3"...,
> 1500, 0, {sa_family=AF_INET, sin_port=htons(2051),
> sin_addr=inet_addr("10.0.1.7")}, [16]) = 543
> socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 10
> connect(10, {sa_family=AF_INET, sin_port=htons(2051),
> sin_addr=inet_addr("10.0.1.7")}, 16) = 0
> time(NULL)                              = 1188946658
> close(10)                               = 0
> sendto(7,
> "\0\207\0\1\0\0~\1770}\240\3\2\1\5\241\3\2\1\36\244\21\30"...,
> 135, 0, {sa_family=AF_INET, sin_port=htons(2051),
> sin_addr=inet_addr("10.0.1.7")}, 16) = 135
> select(8, [6 7], NULL, NULL, {15, 0} <unfinished ...>
> Process 1123 detached
>
> Any ideas? What further information would assist in identifying
> the issue? Has anyone else encountered this?
>
> There doesn't seem to be much helpful documentation on
> cross-realm authentication or how it should be set up. Thanks in advance!
>
> Tony
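
Added example, not part of the original post: a decoder for the leading bytes of the two datagrams shown in the strace output, assuming the kpasswd framing described in RFC 3244 (2-byte message length, 2-byte protocol version, 2-byte AP-REQ/AP-REP length, then the Kerberos messages). The function names are hypothetical; the byte strings are copied from the truncated strace strings above.

```python
import re
import struct

# Leading bytes of the two datagrams, copied from the truncated strace strings in the post.
REQUEST = r'\2\37\0\1\1\272n\202\1\2660\202\1\262\240\3\2\1\5\241\3'
REPLY = r'\0\207\0\1\0\0~\1770}\240\3\2\1\5\241\3\2\1\36\244\21\30'

# Kerberos APPLICATION tags (RFC 4120) that can follow the kpasswd header.
KRB_TAGS = {0x6E: "AP-REQ", 0x6F: "AP-REP", 0x75: "KRB-PRIV", 0x7E: "KRB-ERROR"}
ESCAPES = {"n": 10, "t": 9, "r": 13, "f": 12, "v": 11, "\\": 92, '"': 34}

def unescape_strace(text):
    """Convert strace's C-style quoted string (octal escapes) to bytes."""
    out = bytearray()
    for octal, esc, lit in re.findall(r"\\([0-7]{1,3})|\\(.)|(.)", text, re.S):
        out.append(int(octal, 8) if octal else ESCAPES[esc] if esc else ord(lit))
    return bytes(out)

def der_total_len(data, off):
    """Size of the DER element at off: tag octet + length octets + content."""
    first = data[off + 1]
    if first < 0x80:                      # short form: length fits in one octet
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    return 2 + n + int.from_bytes(data[off + 2:off + 2 + n], "big")

def parse_kpasswd(data):
    """Decode the 6-byte kpasswd header and identify the first Kerberos message."""
    if len(data) < 8:
        raise ValueError("too short for a kpasswd message")
    msg_len, version, ap_len = struct.unpack(">HHH", data[:6])
    return {
        "msg_len": msg_len,               # should equal the datagram size
        "version": version,
        "ap_len": ap_len,                 # AP-REQ length (request) or AP-REP length (reply)
        "first_msg": KRB_TAGS.get(data[6], hex(data[6])),
        "first_msg_len": der_total_len(data, 6),
        # In a reply, AP-REP length 0 means a KRB-ERROR follows instead of AP-REP + KRB-PRIV.
        "error_reply": ap_len == 0 and data[6] == 0x7E,
    }

if __name__ == "__main__":
    for name, raw in (("request", REQUEST), ("reply", REPLY)):
        print(name, parse_kpasswd(unescape_strace(raw)))
```

The reply decodes as a kpasswd message with AP-REP length 0 carrying a KRB-ERROR; the error-code field lies beyond strace's default string truncation, so a larger `strace -s` value is needed to capture it.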



