Problems with kadmind, kpasswd and cross-realm authentication

Anthony Brock brocka at sterlingcgi.com
Mon Sep 24 18:27:49 EDT 2007


Unfortunately I'm not necessarily familiar enough to know if I'm seeing the
"correct" tickets. I am seeing 6 packets, with the first 4 directed
to/from port 88 and the last 2 directed to/from 464:

PKT 1: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name
(Principal): kadmin/changepw, KRB5 AS-REQ
PKT 2: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name
(Principal): kadmin/changepw, KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
PKT 3: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name
(Principal): kadmin/changepw, KRB5 AS-REQ
PKT 4: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name
(Principal): kadmin/changepw, KRB5 AS-REP

Then I see:

PKT 5: Tkt-vno: 5, Realm: STERLINGCGI.COM, Server Name (Principal):
kadmin/changepw, KPASSWD Reply
PKT 6: KPASSWD Reply[Malformed Packet]

It's interesting to note that I can see in the "text" field of wireshark for
the "[Malformed Packet: Kpasswd]" the words "SCGROUP.ORG", "kadmin",
"changepw" and "Failed reading application request". However, obviously,
wireshark didn't seem to understand the contents of the packet. Other than
this anomaly, the REALM looks good to me.

I'm also attaching a "text" export of the packet capture from wireshark.

Tony


> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu]On
> Behalf Of Markus Moeller
> Sent: Monday, September 24, 2007 1:39 PM
> To: kerberos at mit.edu
> Subject: Re: Problems with kadmind, kpasswd and cross-realm
> authentication
>
>
> What do you see when you capture the traffic with wireshark on port 88 and
> 464? Do you see the correct kadmin/changepw at REALM tickets?
>
> Markus
>
> "Anthony Brock" <brocka at sterlingcgi.com> wrote in message
> news:mailman.110.1190648781.2905.kerberos at mit.edu...
> >> -----Original Message-----
> >> Any ideas?
> >>
> >> The man page states that kadmind should be able to change passwords for
> >> any realms that have an associated kadmin/changepw@<REALM> and
> >> kadmin/admin@<REALM> principal. Is this still true? Or has support for
> >> this functionality been dropped? If not, what debugging can be performed
> >> to identify the cause of the issue?
> >>
> >> Ideas?
> >>
> >> Tony
> >
> > Given that it's been 3 weeks and nobody has any suggestions for further
> > troubleshooting or identifying the issue, should this be submitted as a
> > bug in kadmind? If so, how do I submit it? Is there a documented process
> > for this?
> >
> > Also, are there any suggested workarounds? I've seen references from 2004
> > to people running a separate kadmind daemon for each realm using different
> > port numbers. Is this safe against a single db? If not, how do you migrate
> > a realm out of the default db into a separate db files?
> >
> > Thanks!
> >
> > Tony
> >
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: brocka_STERLINGCGI_COM.txt
Url: http://mailman.mit.edu/pipermail/kerberos/attachments/20070924/d6dff1e0/attachment.txt
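
Added illustration (not part of the original thread and not MIT Kerberos code): a small Python triage of a port-464 reply payload such as PKT 6, assuming the RFC 3244 reply framing (16-bit message length, version and AP-REP length, where an AP-REP length of 0 means a KRB-ERROR follows instead of a KRB-PRIV). The function names are hypothetical and the sample bytes are constructed, reusing only the strings quoted in the message above; they are not the poster's capture.

```python
import re
import struct

# Outermost ASN.1 application tags: AP-REP [15], KRB-PRIV [21], KRB-ERROR [30].
TAG_AP_REP, TAG_KRB_PRIV, TAG_KRB_ERROR = 0x6F, 0x75, 0x7E

def printable_runs(data: bytes, min_len: int = 4) -> list:
    """ASCII runs, like the strings visible in a dissector's text pane."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

def classify_kpasswd_reply(payload: bytes) -> dict:
    """Parse the 6-byte reply header (RFC 3244 framing assumed) and classify the body."""
    if len(payload) < 6:
        raise ValueError("shorter than the 6-byte kpasswd header")
    msg_len, version, ap_rep_len = struct.unpack("!HHH", payload[:6])
    if msg_len != len(payload):
        raise ValueError(f"length field {msg_len} != payload size {len(payload)}")
    body = payload[6:]
    if ap_rep_len >= len(body):
        raise ValueError("nothing follows the AP-REP field")
    ap_rep, rest = body[:ap_rep_len], body[ap_rep_len:]
    if ap_rep_len == 0:
        # No AP-REP: the server did not accept the AP-REQ, so the
        # remainder should be an unencrypted KRB-ERROR.
        kind = "error" if rest[0] == TAG_KRB_ERROR else "unexpected"
    else:
        ok = ap_rep[0] == TAG_AP_REP and rest[0] == TAG_KRB_PRIV
        kind = "authenticated" if ok else "unexpected"
    return {"version": version, "ap_rep_len": ap_rep_len,
            "kind": kind, "strings": printable_runs(rest)}

def build_sample() -> bytes:
    """Constructed stand-in for an error reply; not valid DER past the first tag."""
    body = (b"\x7e\x00" + b"\x1b\x0bSCGROUP.ORG" + b"\x1b\x06kadmin"
            + b"\x1b\x08changepw" + b"\x04\x02\x00\x03"
            + b"Failed reading application request")
    return struct.pack("!HHH", 6 + len(body), 1, 0) + body

if __name__ == "__main__":
    result = classify_kpasswd_reply(build_sample())
    print(result["kind"], result["strings"])
```

A result of `error` means the reply carried no AP-REP, so the strings in it come from the server's cleartext error message and show which realm and service principal the server named in that error.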

