Problems with kadmind, kpasswd and cross-realm authentication

Markus Moeller huaraz at moeller.plus.com
Tue Sep 25 17:05:11 EDT 2007 

I can reproduce the problem on my Suse 10.2 box with krb5-1.5.1-23.6 
installed. Depending how I start kadmind (with -r REALM1 or -r REALM2) I can 
change the password for a REALM1 or a REALM2 user respectively. My man pages 
say:

-r realm  specifies  the default realm that kadmind will serve; if it is not 
specified, the default realm of
              the host is used.  kadmind will answer requests for  any 
realm  that  exists  in  the  local  KDC
              database and for which the appropriate principals are in its 
keytab.

If I don't provide the -r option the default realm of the host ( is this the 
kdc ?) is used, so it sounds kadmind can not answer for all realms despite 
the second sentence.

Why can't kadmind be use like krb5kdc with -r REALM1 and -r REALM2 ?

Markus


"Anthony Brock" <brocka at sterlingcgi.com> wrote in message 
news:mailman.119.1190734310.2905.kerberos at mit.edu...
> I'm running version 1.6 on a Debian lenny box. The actual Debian packages
> are:
>
> ii  krb5-admin-server               1.6.dfsg.1-7         MIT Kerberos 
> master
> server (kadmind)
> ii  krb5-kdc                        1.6.dfsg.1-7         MIT Kerberos key
> server (KDC)
>
> Tony
>
>
>> -----Original Message-----
>> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu]On
>> Behalf Of Markus Moeller
>> Sent: Monday, September 24, 2007 4:15 PM
>> To: kerberos at mit.edu
>> Subject: Re: Problems with kadmind, kpasswd and cross-realm
>> authentication
>>
>>
>> That looks to me like a bug in the kdc code. Which release do you use ?
>>
>> Markus
>>
>> "Anthony Brock" <brocka at sterlingcgi.com> wrote in message
>> news:mailman.111.1190673340.2905.kerberos at mit.edu...
>> > Unfortunately I'm not necessarily familiar enough to know if I'm seeing
>> > the
>> > "correct" tickets. I am seeing 6 packets with the first 4 are directed
>> > to/from port 88 and the last 2 directed to/from 464:
>> >
>> > PKT 1: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server
>> > Name
>> > (Principal): kadmin/changepw, KRB5 AS-REQ
>> > PKT 2: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server
>> > Name
>> > (Principal): kadmin/changepw, KRB5 KRB Error:
>> KRB5KDC_ERR_PREAUTH_REQUIRED
>> > PKT 3: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server
>> > Name
>> > (Principal): kadmin/changepw, KRB5 AS-REQ
>> > PKT 4: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server
>> > Name
>> > (Principal): kadmin/changepw, KRB5 AS-REP
>> >
>> > Then I see:
>> >
>> > PKT 5: Tkt-vno: 5, Realm: STERLINGCGI.COM, Server Name (Principal):
>> > kadmin/changepw, KPASSWD Reply
>> > PKT 6: KPASSWD Reply[Malformed Packet]
>> >
>> > It's interesting to note that I can see in the "text" field of
>> wireshark
>> > for
>> > the "[Malformed Packet: Kpasswd]" the words "SCGROUP.ORG", "kadmin",
>> > "changepw" and "Failed reading application request". However, 
>> > obviously,
>> > wireshark didn't seem to understand the contents of the packet.
>> Other than
>> > this anomaly, the REALM looks good to me.
>> >
>> > I'm also attaching a "text" export of the packet capture from 
>> > wireshark.
>> >
>> > Tony
>> >
>> >
>> >> -----Original Message-----
>> >> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu]On
>> >> Behalf Of Markus Moeller
>> >> Sent: Monday, September 24, 2007 1:39 PM
>> >> To: kerberos at mit.edu
>> >> Subject: Re: Problems with kadmind, kpasswd and cross-realm
>> >> authentication
>> >>
>> >>
>> >> What do you see when you capture the traffic with wireshark on
>> >> port 88 and
>> >> 464 ?  Do you see the correct kadmin/changepw at REALM tickets ?
>> >>
>> >> Markus
>> >>
>> >> "Anthony Brock" <brocka at sterlingcgi.com> wrote in message
>> >> news:mailman.110.1190648781.2905.kerberos at mit.edu...
>> >> >> -----Original Message-----
>> >> >> Any ideas?
>> >> >>
>> >> >> The man page states that kadmind should be able to change
>> >> >> passwords for any
>> >> >> realms that have an associated kadmin/changepw@<REALM> and
>> >> >> kadmin/admin@<REALM> principal. Is this still true? Or has
>> >> >> support for this
>> >> >> functionality been dropped? If not, what debugging can be
>> performed to
>> >> >> identify the cause of the issue?
>> >> >>
>> >> >> Ideas?
>> >> >>
>> >> >> Tony
>> >> >
>> >> > Given that it's been 3 weeks and nobody has any suggestions
>> for further
>> >> > troubleshooting or identifying the issue, should this be
>> submitted as a
>> >> > bug
>> >> > in kadmind? If so, how do I submit it? Is there a documented process
>> >> > for
>> >> > this?
>> >> >
>> >> > Also, are there any suggested workarounds? I've seen references
>> >> from 2004
>> >> > to
>> >> > people running a separate kadmind daemon for each realm
>> using different
>> >> > port
>> >> > numbers. Is this safe against a single db? If not, how do
>> you migrate a
>> >> > realm out of the default db into a separate db files?
>> >> >
>> >> > Thanks!
>> >> >
>> >> > Tony
>> >> >
>> >>
>> >>
>> >> ________________________________________________
>> >> Kerberos mailing list           Kerberos at mit.edu
>> >> https://mailman.mit.edu/mailman/listinfo/kerberos
>> >>
>> >
>>
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>

More information about the Kerberos mailing list