Problems with kadmind, kpasswd and cross-realm authentication
Anthony Brock
brocka at sterlingcgi.com
Tue Sep 4 19:06:54 EDT 2007
Also, I forgot to mention that I'm running Debian testing with the following
packages:
ii  krb5-admin-server   1.6.dfsg.1-6      MIT Kerberos master server (kadmind)
ii  krb5-config         1.17              Configuration files for Kerberos Version 5
ii  krb5-doc            1.6.dfsg.1-6      Documentation for MIT Kerberos
ii  krb5-kdc            1.6.dfsg.1-6      MIT Kerberos key server (KDC)
ii  krb5-user           1.6.dfsg.1-6      Basic programs to authenticate using MIT Ker
ii  libkadm55           1.6.dfsg.1-6      MIT Kerberos administration runtime librarie
ii  libkrb5-17-heimdal  0.7.2.dfsg.1-10   Libraries for Heimdal Kerberos
ii  libkrb53            1.6.dfsg.1-6      MIT Kerberos runtime libraries
Any help will be greatly appreciated!
Tony
> -----Original Message-----
> From: Anthony Brock [mailto:brocka at sterlingcgi.com]
> Sent: Tuesday, September 04, 2007 4:03 PM
> To: kerberos at mit.edu
> Subject: Problems with kadmind, kpasswd and cross-realm authentication
>
>
> I have created several cross-realm trusts on a test server. At
> this point, nearly everything is working properly. However, users
> are unable to change their passwords unless their account is in
> the initial domain. Users see the following when attempting it
> from the initial domain:
>
> # kpasswd
> Password for brocka at SCGROUP.ORG:
> Enter new password:
> Enter it again:
> Password changed.
> #
>
> Unfortunately, the following happens for additional domains:
>
> # kpasswd
> Password for brocka at STERLINGCGI.COM:
> Enter new password:
> Enter it again:
> Authentication error: Failed reading application request
> #
>
> An strace of the kadmind daemon during a failed request shows the
> following:
>
> Process 1123 attached - interrupt to quit
> select(8, [6 7], NULL, NULL, {10, 890000}) = 0 (Timeout)
> select(8, [6 7], NULL, NULL, {15, 0}) = 1 (in [7], left {12, 140000})
> recvfrom(7,
> "\2\37\0\1\1\272n\202\1\2660\202\1\262\240\3\2\1\5\241\3"...,
> 1500, 0, {sa_family=AF_INET, sin_port=htons(2051),
> sin_addr=inet_addr("10.0.1.7")}, [16]) = 543
> socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 10
> connect(10, {sa_family=AF_INET, sin_port=htons(2051),
> sin_addr=inet_addr("10.0.1.7")}, 16) = 0
> time(NULL) = 1188946658
> close(10) = 0
> sendto(7,
> "\0\207\0\1\0\0~\1770}\240\3\2\1\5\241\3\2\1\36\244\21\30"...,
> 135, 0, {sa_family=AF_INET, sin_port=htons(2051),
> sin_addr=inet_addr("10.0.1.7")}, 16) = 135
> select(8, [6 7], NULL, NULL, {15, 0} <unfinished ...>
> Process 1123 detached
>
> Any ideas? What further information would assist in identifying
> the issue? Has anyone else encountered this?
>
> There doesn't seem to be much helpful documentation on
> cross-realm authentication or how it should be set up. Thanks in advance!
>
> Tony
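
An added example, not part of the original post: the byte prefixes from the strace above can be decoded with the kpasswd message framing described in RFC 3244 (2-byte message length, 2-byte version, 2-byte AP-REQ/AP-REP length, all big-endian). It shows that the 135-byte reply carries an AP-REP length of 0 followed by a KRB-ERROR; the function names are this example's own, and the error code itself lies in the part strace truncated.

```python
import re
import struct

# Byte prefixes copied from the strace output quoted above. strace cut both
# strings at "...", so only the leading bytes are available.
REQUEST_PREFIX = rb"\2\37\0\1\1\272n\202\1\2660\202\1\262\240\3\2\1\5\241\3"
REPLY_PREFIX = rb"\0\207\0\1\0\0~\1770}\240\3\2\1\5\241\3\2\1\36\244\21\30"

# Kerberos ASN.1 APPLICATION tag numbers (RFC 4120).
KRB_APP_TAGS = {14: "AP-REQ", 15: "AP-REP", 21: "KRB-PRIV", 30: "KRB-ERROR"}


def unescape(strace_bytes):
    """Turn strace's octal escapes (\\NNN) back into raw bytes."""
    return re.sub(rb"\\([0-7]{1,3})",
                  lambda m: bytes([int(m.group(1), 8)]), strace_bytes)


def der_header(buf):
    """Return (tag, content_length, header_size) of the DER element at buf[0]."""
    tag, first = buf[0], buf[1]
    if first < 0x80:                      # short form: length in one byte
        return tag, first, 2
    n = first & 0x7F                      # long form: next n bytes hold length
    return tag, int.from_bytes(buf[2:2 + n], "big"), 2 + n


def describe(escaped, udp_len):
    """Decode the 6-byte kpasswd header and the first Kerberos element."""
    data = unescape(escaped)
    msg_len, version, ap_len = struct.unpack(">HHH", data[:6])
    tag, content_len, header_len = der_header(data[6:])
    is_app = (tag & 0xE0) == 0x60         # APPLICATION class, constructed
    name = KRB_APP_TAGS.get(tag & 0x1F, "unknown") if is_app else "unknown"
    return {
        "length_ok": msg_len == udp_len,  # header length vs. syscall return
        "version": version,
        "ap_len": ap_len,
        "first_element": name,
        "element_size": header_len + content_len,
        # AP-REP length 0 means the remainder of the reply is a KRB-ERROR.
        "is_error_reply": ap_len == 0 and name == "KRB-ERROR",
    }


if __name__ == "__main__":
    print("request:", describe(REQUEST_PREFIX, 543))  # recvfrom() returned 543
    print("reply:  ", describe(REPLY_PREFIX, 135))    # sendto() returned 135
```
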