Problems with kadmind, kpasswd and cross-realm authentication

Anthony Brock brocka at sterlingcgi.com
Tue Sep 25 11:31:19 EDT 2007


I'm running version 1.6 on a Debian lenny box. The actual Debian packages
are:

ii  krb5-admin-server               1.6.dfsg.1-7         MIT Kerberos master server (kadmind)
ii  krb5-kdc                        1.6.dfsg.1-7         MIT Kerberos key server (KDC)

Tony


> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu]On
> Behalf Of Markus Moeller
> Sent: Monday, September 24, 2007 4:15 PM
> To: kerberos at mit.edu
> Subject: Re: Problems with kadmind, kpasswd and cross-realm
> authentication
>
>
> That looks to me like a bug in the kdc code. Which release do you use?
>
> Markus
>
> "Anthony Brock" <brocka at sterlingcgi.com> wrote in message
> news:mailman.111.1190673340.2905.kerberos at mit.edu...
> > Unfortunately I'm not necessarily familiar enough to know if I'm seeing
> > the "correct" tickets. I am seeing 6 packets, with the first 4 directed
> > to/from port 88 and the last 2 directed to/from 464:
> >
> > PKT 1: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KRB5 AS-REQ
> > PKT 2: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> > PKT 3: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KRB5 AS-REQ
> > PKT 4: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KRB5 AS-REP
> >
> > Then I see:
> >
> > PKT 5: Tkt-vno: 5, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KPASSWD Reply
> > PKT 6: KPASSWD Reply[Malformed Packet]
> >
> > It's interesting to note that I can see in the "text" field of wireshark
> > for the "[Malformed Packet: Kpasswd]" the words "SCGROUP.ORG", "kadmin",
> > "changepw" and "Failed reading application request". However, obviously,
> > wireshark didn't seem to understand the contents of the packet. Other than
> > this anomaly, the REALM looks good to me.
> >
> > I'm also attaching a "text" export of the packet capture from wireshark.
> >
> > Tony
> >
> >
> >> -----Original Message-----
> >> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu]On
> >> Behalf Of Markus Moeller
> >> Sent: Monday, September 24, 2007 1:39 PM
> >> To: kerberos at mit.edu
> >> Subject: Re: Problems with kadmind, kpasswd and cross-realm
> >> authentication
> >>
> >>
> >> What do you see when you capture the traffic with wireshark on port 88
> >> and 464? Do you see the correct kadmin/changepw at REALM tickets?
> >>
> >> Markus
> >>
> >> "Anthony Brock" <brocka at sterlingcgi.com> wrote in message
> >> news:mailman.110.1190648781.2905.kerberos at mit.edu...
> >> >> -----Original Message-----
> >> >> Any ideas?
> >> >>
> >> >> The man page states that kadmind should be able to change passwords
> >> >> for any realms that have an associated kadmin/changepw@<REALM> and
> >> >> kadmin/admin@<REALM> principal. Is this still true? Or has support for
> >> >> this functionality been dropped? If not, what debugging can be performed
> >> >> to identify the cause of the issue?
> >> >>
> >> >> Ideas?
> >> >>
> >> >> Tony
> >> >
> >> > Given that it's been 3 weeks and nobody has any suggestions for further
> >> > troubleshooting or identifying the issue, should this be submitted as a
> >> > bug in kadmind? If so, how do I submit it? Is there a documented process
> >> > for this?
> >> >
> >> > Also, are there any suggested workarounds? I've seen references from 2004
> >> > to people running a separate kadmind daemon for each realm using different
> >> > port numbers. Is this safe against a single db? If not, how do you migrate
> >> > a realm out of the default db into separate db files?
> >> >
> >> > Thanks!
> >> >
> >> > Tony
> >> >
> >>
> >>
> >> ________________________________________________
> >> Kerberos mailing list           Kerberos at mit.edu
> >> https://mailman.mit.edu/mailman/listinfo/kerberos
> >>
> >
>
>
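
The port 464 reply in the quoted trace can be checked against the RFC 3244 reply layout: a 6-byte header (message length, protocol version, AP-REP length) followed by a KRB-PRIV, or by a cleartext KRB-ERROR when the AP-REP length is 0. The following is an added example, not code from this thread or from MIT krb5; it assumes the flagged packet was the KRB-ERROR form, and the function names and the sample datagram are constructed for illustration.

```python
import re
import struct

# DER application tags of the Kerberos messages a kpasswd reply can carry.
KRB_TAGS = {0x6F: "AP-REP", 0x75: "KRB-PRIV", 0x7E: "KRB-ERROR"}

def triage_kpasswd_reply(datagram: bytes) -> dict:
    """Validate RFC 3244 reply framing and classify the trailing message."""
    if len(datagram) < 6:
        raise ValueError("shorter than the 6-byte kpasswd header")
    msg_len, version, ap_rep_len = struct.unpack("!HHH", datagram[:6])
    if msg_len != len(datagram):
        raise ValueError(f"length field {msg_len} != datagram size {len(datagram)}")
    if 6 + ap_rep_len > len(datagram):
        raise ValueError("AP-REP length runs past the end of the datagram")
    trailer = datagram[6 + ap_rep_len:]
    kind = KRB_TAGS.get(trailer[0], "unknown") if trailer else "missing"
    # RFC 3244: an AP-REP length of 0 means the trailer is a KRB-ERROR
    # instead of a KRB-PRIV.
    expected = "KRB-ERROR" if ap_rep_len == 0 else "KRB-PRIV"
    strings = []
    if kind == "KRB-ERROR":
        # Unencrypted, so principal names and the error text are readable.
        strings = [s.decode() for s in re.findall(rb"[\x20-\x7e]{6,}", trailer)]
    return {"version": version, "ap_rep_len": ap_rep_len, "trailer": kind,
            "consistent": kind == expected, "strings": strings}

def constructed_error_reply() -> bytes:
    """Constructed sample: only the outer tag and lengths are modelled."""
    text = b"Failed reading application request"
    # The two result-code bytes before the text are a constructed value.
    body = (b"\x1b\x0bSCGROUP.ORG" + b"\x1b\x06kadmin" + b"\x1b\x08changepw"
            + b"\x04" + bytes([2 + len(text)]) + b"\x00\x03" + text)
    krb_error = b"\x7e" + bytes([len(body)]) + body
    return struct.pack("!HHH", 6 + len(krb_error), 1, 0) + krb_error

if __name__ == "__main__":
    print(triage_kpasswd_reply(constructed_error_reply()))
```

A result with `consistent` set to false, or a `ValueError` from the framing checks, points at a genuinely malformed reply rather than a dissector limitation.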
