Problems with kadmind, kpasswd and cross-realm authentication

Anthony Brock brocka at sterlingcgi.com
Wed Sep 26 20:54:15 EDT 2007 

Markus,

I don't know.

That is why I asked earlier if it was safe to use multiple kadmind daemons 
against the same database. If it is safe, then I can launch multiple 
processes (one for each realm). However, it if isn't safe, I'm assuming that 
there is a way to separate the realm into different databases and launch 
each daemon against a different database. Assuming separating the realms 
into different databases would be safe, how do you do it? Also, I'll need to 
figure out how to organize and track the different kadmind port numbers for 
each realm (ensure I don't clobber anything when we add a new domain/realm).

In reality this is a hack to work-around the issue. I'm willing to do it 
provided the work-around isn't going to corrupt anything. However, the best 
solution would be a fix to the kadmind code (there are times I REALLY wish I 
was a programmer...).

So, does anyone know:

1. The likelihood of a solution being developed and rolled into the 
production code?
2. How to safely work-around the issue?

BTW, thanks for verifying the behavior! One of my biggest concerns was if I 
had missed a configuration step.

Tony

----- Original Message -----
From: "Markus Moeller" <huaraz at moeller.plus.com>
Newsgroups: comp.protocols.kerberos
To: <kerberos at mit.edu>
Sent: Tuesday, September 25, 2007 2:05 PM
Subject: Re: Problems with kadmind, kpasswd and cross-realm authentication

>I can reproduce the problem on my Suse 10.2 box with krb5-1.5.1-23.6 
>installed. Depending how I start kadmind (with -r REALM1 or -r REALM2) I 
>can change the password for a REALM1 or a REALM2 user respectively. My man 
>pages say:
>
> -r realm  specifies  the default realm that kadmind will serve; if it is 
> not specified, the default realm of
>              the host is used.  kadmind will answer requests for  any 
> realm  that  exists  in  the  local  KDC
>              database and for which the appropriate principals are in its 
> keytab.
>
> If I don't provide the -r option the default realm of the host ( is this 
> the kdc ?) is used, so it sounds kadmind can not answer for all realms 
> despite the second sentence.
>
> Why can't kadmind be use like krb5kdc with -r REALM1 and -r REALM2 ?
>
> Markus
>
>
> "Anthony Brock" <brocka at sterlingcgi.com> wrote in message 
> news:mailman.119.1190734310.2905.kerberos at mit.edu...
>> I'm running version 1.6 on a Debian lenny box. The actual Debian packages
>> are:
>>
>> ii  krb5-admin-server               1.6.dfsg.1-7         MIT Kerberos 
>> master
>> server (kadmind)
>> ii  krb5-kdc                        1.6.dfsg.1-7         MIT Kerberos key
>> server (KDC)
>>
>> Tony
>>
>>
>>> -----Original Message-----
>>> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu]On
>>> Behalf Of Markus Moeller
>>> Sent: Monday, September 24, 2007 4:15 PM
>>> To: kerberos at mit.edu
>>> Subject: Re: Problems with kadmind, kpasswd and cross-realm
>>> authentication
>>>
>>>
>>> That looks to me like a bug in the kdc code. Which release do you use ?
>>>
>>> Markus
>>>
>>> "Anthony Brock" <brocka at sterlingcgi.com> wrote in message
>>> news:mailman.111.1190673340.2905.kerberos at mit.edu...
>>> > Unfortunately I'm not necessarily familiar enough to know if I'm 
>>> > seeing
>>> > the
>>> > "correct" tickets. I am seeing 6 packets with the first 4 are directed
>>> > to/from port 88 and the last 2 directed to/from 464:
>>> >
>>> > PKT 1: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server
>>> > Name
>>> > (Principal): kadmin/changepw, KRB5 AS-REQ
>>> > PKT 2: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server
>>> > Name
>>> > (Principal): kadmin/changepw, KRB5 KRB Error:
>>> KRB5KDC_ERR_PREAUTH_REQUIRED
>>> > PKT 3: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server
>>> > Name
>>> > (Principal): kadmin/changepw, KRB5 AS-REQ
>>> > PKT 4: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server
>>> > Name
>>> > (Principal): kadmin/changepw, KRB5 AS-REP
>>> >
>>> > Then I see:
>>> >
>>> > PKT 5: Tkt-vno: 5, Realm: STERLINGCGI.COM, Server Name (Principal):
>>> > kadmin/changepw, KPASSWD Reply
>>> > PKT 6: KPASSWD Reply[Malformed Packet]
>>> >
>>> > It's interesting to note that I can see in the "text" field of
>>> wireshark
>>> > for
>>> > the "[Malformed Packet: Kpasswd]" the words "SCGROUP.ORG", "kadmin",
>>> > "changepw" and "Failed reading application request". However, 
>>> > obviously,
>>> > wireshark didn't seem to understand the contents of the packet.
>>> Other than
>>> > this anomaly, the REALM looks good to me.
>>> >
>>> > I'm also attaching a "text" export of the packet capture from 
>>> > wireshark.
>>> >
>>> > Tony
>>> >
>>> >
>>> >> -----Original Message-----
>>> >> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu]On
>>> >> Behalf Of Markus Moeller
>>> >> Sent: Monday, September 24, 2007 1:39 PM
>>> >> To: kerberos at mit.edu
>>> >> Subject: Re: Problems with kadmind, kpasswd and cross-realm
>>> >> authentication
>>> >>
>>> >>
>>> >> What do you see when you capture the traffic with wireshark on
>>> >> port 88 and
>>> >> 464 ?  Do you see the correct kadmin/changepw at REALM tickets ?
>>> >>
>>> >> Markus
>>> >>
>>> >> "Anthony Brock" <brocka at sterlingcgi.com> wrote in message
>>> >> news:mailman.110.1190648781.2905.kerberos at mit.edu...
>>> >> >> -----Original Message-----
>>> >> >> Any ideas?
>>> >> >>
>>> >> >> The man page states that kadmind should be able to change
>>> >> >> passwords for any
>>> >> >> realms that have an associated kadmin/changepw@<REALM> and
>>> >> >> kadmin/admin@<REALM> principal. Is this still true? Or has
>>> >> >> support for this
>>> >> >> functionality been dropped? If not, what debugging can be
>>> performed to
>>> >> >> identify the cause of the issue?
>>> >> >>
>>> >> >> Ideas?
>>> >> >>
>>> >> >> Tony
>>> >> >
>>> >> > Given that it's been 3 weeks and nobody has any suggestions
>>> for further
>>> >> > troubleshooting or identifying the issue, should this be
>>> submitted as a
>>> >> > bug
>>> >> > in kadmind? If so, how do I submit it? Is there a documented 
>>> >> > process
>>> >> > for
>>> >> > this?
>>> >> >
>>> >> > Also, are there any suggested workarounds? I've seen references
>>> >> from 2004
>>> >> > to
>>> >> > people running a separate kadmind daemon for each realm
>>> using different
>>> >> > port
>>> >> > numbers. Is this safe against a single db? If not, how do
>>> you migrate a
>>> >> > realm out of the default db into a separate db files?
>>> >> >
>>> >> > Thanks!
>>> >> >
>>> >> > Tony
>>> >> >
>>> >>
>>> >>
>>> >> ________________________________________________
>>> >> Kerberos mailing list           Kerberos at mit.edu
>>> >> https://mailman.mit.edu/mailman/listinfo/kerberos
>>> >>
>>> >
>>>
>>>
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

More information about the Kerberos mailing list