Problems with kadmind, kpasswd and cross-realm authentication

Markus Moeller huaraz at moeller.plus.com
Mon Sep 24 19:15:06 EDT 2007


That looks to me like a bug in the kdc code. Which release do you use?

Markus

"Anthony Brock" <brocka at sterlingcgi.com> wrote in message 
news:mailman.111.1190673340.2905.kerberos at mit.edu...
> Unfortunately I'm not necessarily familiar enough to know if I'm seeing the
> "correct" tickets. I am seeing 6 packets, with the first 4 directed
> to/from port 88 and the last 2 directed to/from 464:
>
> PKT 1: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KRB5 AS-REQ
> PKT 2: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> PKT 3: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KRB5 AS-REQ
> PKT 4: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KRB5 AS-REP
>
> Then I see:
>
> PKT 5: Tkt-vno: 5, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KPASSWD Reply
> PKT 6: KPASSWD Reply[Malformed Packet]
>
> It's interesting to note that I can see in the "text" field of wireshark for
> the "[Malformed Packet: Kpasswd]" the words "SCGROUP.ORG", "kadmin",
> "changepw" and "Failed reading application request". However, obviously,
> wireshark didn't seem to understand the contents of the packet. Other than
> this anomaly, the REALM looks good to me.
>
> I'm also attaching a "text" export of the packet capture from wireshark.
>
> Tony
>
>
>> -----Original Message-----
>> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu]On
>> Behalf Of Markus Moeller
>> Sent: Monday, September 24, 2007 1:39 PM
>> To: kerberos at mit.edu
>> Subject: Re: Problems with kadmind, kpasswd and cross-realm
>> authentication
>>
>>
>> What do you see when you capture the traffic with wireshark on port 88 and
>> 464? Do you see the correct kadmin/changepw at REALM tickets?
>>
>> Markus
>>
>> "Anthony Brock" <brocka at sterlingcgi.com> wrote in message
>> news:mailman.110.1190648781.2905.kerberos at mit.edu...
>> >> -----Original Message-----
>> >> Any ideas?
>> >>
>> >> The man page states that kadmind should be able to change
>> >> passwords for any
>> >> realms that have an associated kadmin/changepw@<REALM> and
>> >> kadmin/admin@<REALM> principal. Is this still true? Or has
>> >> support for this
>> >> functionality been dropped? If not, what debugging can be performed to
>> >> identify the cause of the issue?
>> >>
>> >> Ideas?
>> >>
>> >> Tony
>> >
>> > Given that it's been 3 weeks and nobody has any suggestions for further
>> > troubleshooting or identifying the issue, should this be submitted as a
>> > bug in kadmind? If so, how do I submit it? Is there a documented process
>> > for this?
>> >
>> > Also, are there any suggested workarounds? I've seen references from 2004
>> > to people running a separate kadmind daemon for each realm using different
>> > port numbers. Is this safe against a single db? If not, how do you migrate
>> > a realm out of the default db into separate db files?
>> >
>> > Thanks!
>> >
>> > Tony
>> >
>>
>>
> 
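An added example, not part of the original thread or of MIT Kerberos: a small triage parser for the port 464 reply described above. It splits the RFC 3244 framing (message length, protocol version, AP-REP length), reports whether the trailing message is a KRB-ERROR, and lists the readable strings so the realm in the reply can be compared with the realm requested. The sample bytes and all function names are constructed for illustration.

```python
import re
import struct

KRB_PRIV_TAG = 0x75   # ASN.1 [APPLICATION 21], RFC 4120
KRB_ERROR_TAG = 0x7E  # ASN.1 [APPLICATION 30], RFC 4120


def parse_kpasswd_reply(data: bytes) -> dict:
    """Split an RFC 3244 reply into header fields and the trailing message."""
    if len(data) < 6:
        raise ValueError("shorter than the 6-byte kpasswd header")
    msg_len, version, ap_rep_len = struct.unpack("!HHH", data[:6])
    if msg_len != len(data):
        raise ValueError(f"length field says {msg_len}, got {len(data)} bytes")
    body = data[6 + ap_rep_len:]
    if not body:
        raise ValueError("AP-REP length leaves no room for a message body")
    # AP-REP length 0: the server sent a KRB-ERROR in place of AP-REP + KRB-PRIV.
    expected = KRB_ERROR_TAG if ap_rep_len == 0 else KRB_PRIV_TAG
    names = {KRB_ERROR_TAG: "KRB-ERROR", KRB_PRIV_TAG: "KRB-PRIV"}
    kind = names[expected] if body[0] == expected else "unknown"
    return {"version": version, "ap_rep": data[6:6 + ap_rep_len],
            "kind": kind, "body": body}


def printable_strings(blob: bytes, min_len: int = 6) -> list:
    """ASCII runs of at least min_len bytes, like Wireshark's text pane."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


def build_sample_reply() -> bytes:
    """Constructed bytes, not the thread's capture and not a full DER KRB-ERROR:
    only the outer tag and the strings quoted in the thread are modelled."""
    fields = [b"SCGROUP.ORG", b"kadmin", b"changepw",
              b"Failed reading application request"]
    inner = b"\x00" + b"\x00".join(fields)
    body = bytes([KRB_ERROR_TAG, len(inner)]) + inner
    return struct.pack("!HHH", 6 + len(body), 1, 0) + body


if __name__ == "__main__":
    reply = parse_kpasswd_reply(build_sample_reply())
    found = printable_strings(reply["body"])
    print(reply["kind"], found)
    # Realm the client asked for in packets 1-4 of the thread.
    print("requested realm present:", "STERLINGCGI.COM" in found)
```

To use it on a real capture, pass the UDP payload of the port 464 reply (exported from Wireshark as raw bytes) to `parse_kpasswd_reply` instead of the constructed sample.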




