Problems with kadmind, kpasswd and cross-realm authentication

Markus Moeller huaraz at moeller.plus.com
Thu Sep 27 16:41:52 EDT 2007


Anthony,

the workaround I have is to use different ports for two kadmind processes

krb5.conf

[realms]
        SUSE.HOME = {
                kdc = opensuse.suse.home
                admin_server = opensuse.suse.home
        }
        TEST.HOME = {
                kdc = opensuse.suse.home
                kpasswd_server = opensuse.suse.home:10464
                admin_server = opensuse.suse.home:10749
        }


kdc.conf ( I use two database files)

[realms]
       SUSE.HOME = {
                database_name = /var/lib/kerberos/krb5kdc/principal
                admin_keytab = FILE:/var/lib/kerberos/krb5kdc/kadm5.keytab
                acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl
                key_stash_file = /var/lib/kerberos/krb5kdc/.k5.SUSE.HOME
                kdc_ports = 750,88
                supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
                kdc_supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
        }
        TEST.HOME = {
                database_name = /var/lib/kerberos/krb5kdc/principal.test
                admin_keytab = FILE:/var/lib/kerberos/krb5kdc/kadm5.keytab.test
                acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl.test
                key_stash_file = /var/lib/kerberos/krb5kdc/.k5.TEST.HOME
                kdc_ports = 750,88
                kpasswd_port = 10464
                kadmind_port = 10749
                supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
                kdc_supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
        }

and start kadmind -r SUSE.HOME and kadmind -r TEST.HOME and krb5kdc -r SUSE.HOME -r TEST.HOME.

Regards
Markus

"Anthony Brock" <brocka at sterlingcgi.com> wrote in message 
news:59B08D4CB8394E98868B82D0F792CA1E at sterling...
> Markus,
>
> I don't know.
>
> That is why I asked earlier if it was safe to use multiple kadmind daemons
> against the same database. If it is safe, then I can launch multiple
> processes (one for each realm). However, if it isn't safe, I'm assuming that
> there is a way to separate the realm into different databases and launch
> each daemon against a different database. Assuming separating the realms
> into different databases would be safe, how do you do it? Also, I'll need to
> figure out how to organize and track the different kadmind port numbers for
> each realm (ensure I don't clobber anything when we add a new domain/realm).
>
> In reality this is a hack to work-around the issue. I'm willing to do it
> provided the work-around isn't going to corrupt anything. However, the best
> solution would be a fix to the kadmind code (there are times I REALLY wish I
> was a programmer...).
>
> So, does anyone know:
>
> 1. The likelihood of a solution being developed and rolled into the
> production code?
> 2. How to safely work-around the issue?
>
> BTW, thanks for verifying the behavior! One of my biggest concerns was if I
> had missed a configuration step.
>
> Tony
>
> ----- Original Message -----
> From: "Markus Moeller" <huaraz at moeller.plus.com>
> Newsgroups: comp.protocols.kerberos
> To: <kerberos at mit.edu>
> Sent: Tuesday, September 25, 2007 2:05 PM
> Subject: Re: Problems with kadmind, kpasswd and cross-realm authentication
>
>> I can reproduce the problem on my Suse 10.2 box with krb5-1.5.1-23.6
>> installed. Depending how I start kadmind (with -r REALM1 or -r REALM2) I
>> can change the password for a REALM1 or a REALM2 user respectively. My man
>> pages say:
>>
>>   -r realm  specifies the default realm that kadmind will serve; if it is
>>             not specified, the default realm of the host is used. kadmind
>>             will answer requests for any realm that exists in the local KDC
>>             database and for which the appropriate principals are in its
>>             keytab.
>>
>> If I don't provide the -r option the default realm of the host (is this
>> the kdc?) is used, so it sounds kadmind can not answer for all realms
>> despite the second sentence.
>>
>> Why can't kadmind be used like krb5kdc with -r REALM1 and -r REALM2?
>>
>> Markus
>>
>>
>> "Anthony Brock" <brocka at sterlingcgi.com> wrote in message
>> news:mailman.119.1190734310.2905.kerberos at mit.edu...
>>> I'm running version 1.6 on a Debian lenny box. The actual Debian packages
>>> are:
>>>
>>> ii  krb5-admin-server               1.6.dfsg.1-7         MIT Kerberos master server (kadmind)
>>> ii  krb5-kdc                        1.6.dfsg.1-7         MIT Kerberos key server (KDC)
>>>
>>> Tony
>>>
>>>
>>>> -----Original Message-----
>>>> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu]On
>>>> Behalf Of Markus Moeller
>>>> Sent: Monday, September 24, 2007 4:15 PM
>>>> To: kerberos at mit.edu
>>>> Subject: Re: Problems with kadmind, kpasswd and cross-realm
>>>> authentication
>>>>
>>>>
>>>> That looks to me like a bug in the kdc code. Which release do you use ?
>>>>
>>>> Markus
>>>>
>>>> "Anthony Brock" <brocka at sterlingcgi.com> wrote in message
>>>> news:mailman.111.1190673340.2905.kerberos at mit.edu...
>>>> > Unfortunately I'm not necessarily familiar enough to know if I'm seeing
>>>> > the "correct" tickets. I am seeing 6 packets with the first 4 directed
>>>> > to/from port 88 and the last 2 directed to/from 464:
>>>> >
>>>> > PKT 1: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KRB5 AS-REQ
>>>> > PKT 2: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> > PKT 3: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KRB5 AS-REQ
>>>> > PKT 4: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KRB5 AS-REP
>>>> >
>>>> > Then I see:
>>>> >
>>>> > PKT 5: Tkt-vno: 5, Realm: STERLINGCGI.COM, Server Name (Principal):
>>>> > kadmin/changepw, KPASSWD Reply
>>>> > PKT 6: KPASSWD Reply[Malformed Packet]
>>>> >
>>>> > It's interesting to note that I can see in the "text" field of wireshark
>>>> > for the "[Malformed Packet: Kpasswd]" the words "SCGROUP.ORG", "kadmin",
>>>> > "changepw" and "Failed reading application request". However, obviously,
>>>> > wireshark didn't seem to understand the contents of the packet. Other than
>>>> > this anomaly, the REALM looks good to me.
>>>> >
>>>> > I'm also attaching a "text" export of the packet capture from wireshark.
>>>> >
>>>> > Tony
>>>> >
>>>> >
>>>> >> -----Original Message-----
>>>> >> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu]On
>>>> >> Behalf Of Markus Moeller
>>>> >> Sent: Monday, September 24, 2007 1:39 PM
>>>> >> To: kerberos at mit.edu
>>>> >> Subject: Re: Problems with kadmind, kpasswd and cross-realm
>>>> >> authentication
>>>> >>
>>>> >>
>>>> >> What do you see when you capture the traffic with wireshark on port 88 and
>>>> >> 464? Do you see the correct kadmin/changepw at REALM tickets?
>>>> >>
>>>> >> Markus
>>>> >>
>>>> >> "Anthony Brock" <brocka at sterlingcgi.com> wrote in message
>>>> >> news:mailman.110.1190648781.2905.kerberos at mit.edu...
>>>> >> >> -----Original Message-----
>>>> >> >> Any ideas?
>>>> >> >>
>>>> >> >> The man page states that kadmind should be able to change passwords for any
>>>> >> >> realms that have an associated kadmin/changepw@<REALM> and
>>>> >> >> kadmin/admin@<REALM> principal. Is this still true? Or has support for this
>>>> >> >> functionality been dropped? If not, what debugging can be performed to
>>>> >> >> identify the cause of the issue?
>>>> >> >>
>>>> >> >> Ideas?
>>>> >> >>
>>>> >> >> Tony
>>>> >> >
>>>> >> > Given that it's been 3 weeks and nobody has any suggestions for further
>>>> >> > troubleshooting or identifying the issue, should this be submitted as a
>>>> >> > bug in kadmind? If so, how do I submit it? Is there a documented process
>>>> >> > for this?
>>>> >> >
>>>> >> > Also, are there any suggested workarounds? I've seen references from 2004
>>>> >> > to people running a separate kadmind daemon for each realm using different
>>>> >> > port numbers. Is this safe against a single db? If not, how do you migrate a
>>>> >> > realm out of the default db into separate db files?
>>>> >> >
>>>> >> > Thanks!
>>>> >> >
>>>> >> > Tony
>>>> >> >
>>>> >>
>>>> >>
>>>> >> ________________________________________________
>>>> >> Kerberos mailing list           Kerberos at mit.edu
>>>> >> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>> >>
>>>> >
>>>>
>>>>
>>>>
>>>
>>
>>
>>
> 
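The per-realm port and database separation Markus describes above only keeps working if every realm added later also gets its own kadmind_port, kpasswd_port and database_name, which is the bookkeeping problem Tony raises. The script below is an added example, not code from this thread or from MIT Kerberos: it parses a kdc.conf-style [realms] section and reports realms that would collide on a kadmind/kpasswd port (two kadmind processes cannot both bind it) or point at the same database file. The embedded config is abridged from the one posted above plus a constructed third realm NEW.HOME that forgets its own ports; the fallback ports 749 and 464 are the MIT kadmind and kpasswd defaults, and the single-DES warning reflects the fact that des-cbc-* enctypes are long deprecated, not anything reported in the thread.

```python
"""Check per-realm kadmind/kpasswd ports and database files in a kdc.conf.
Added example for the mailing-list thread; not part of MIT Kerberos."""
import re
from collections import defaultdict

# Ports MIT kadmind uses when kdc.conf does not set kadmind_port/kpasswd_port.
DEFAULT_KADMIND_PORT = 749
DEFAULT_KPASSWD_PORT = 464

# Constructed sample: the two realms from the thread (abridged) plus NEW.HOME,
# a realm added later without its own ports or database (the mistake to catch).
KDC_CONF = """\
[realms]
        SUSE.HOME = {
                database_name = /var/lib/kerberos/krb5kdc/principal
                kdc_ports = 750,88
                supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
        }
        TEST.HOME = {
                database_name = /var/lib/kerberos/krb5kdc/principal.test
                kdc_ports = 750,88
                kpasswd_port = 10464
                kadmind_port = 10749
                supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal
        }
        # constructed: forgot kadmind_port/kpasswd_port and reuses the first db
        NEW.HOME = {
                database_name = /var/lib/kerberos/krb5kdc/principal
                kdc_ports = 750,88
                supported_enctypes = aes256-cts:normal
        }
"""

_SECTION = re.compile(r"^\[(\w+)\]$")
_OPEN = re.compile(r"^([^=\s]+)\s*=\s*\{$")
_KV = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def parse_profile(text):
    """Parse the krb5 profile layout: [section], name = { ... } blocks, k = v.
    Returns {section: {block: {key: [values]}}}; repeated keys accumulate."""
    sections = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    section = block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:
            section, block = m.group(1), None
            continue
        if section is None:
            raise ValueError("content outside any [section]: %r" % line)
        m = _OPEN.match(line)
        if m:
            block = m.group(1)
            continue
        if line == "}":
            block = None
            continue
        m = _KV.match(line)
        if not m or block is None:
            raise ValueError("unexpected line: %r" % line)
        sections[section][block][m.group(1)].append(m.group(2).strip())
    return sections


def _last(cfg, key, default):
    vals = cfg.get(key)
    return vals[-1] if vals else default


def check_realms(realms):
    """Return (severity, message) findings for a parsed [realms] section.
    kadmind_port and kpasswd_port must differ per realm because each realm
    runs its own kadmind; kdc_ports may be shared, since a single krb5kdc
    serves every realm it is started with (-r R1 -r R2)."""
    findings = []
    by_port = defaultdict(list)
    by_db = defaultdict(list)
    for realm, cfg in realms.items():
        kadmind = int(_last(cfg, "kadmind_port", DEFAULT_KADMIND_PORT))
        kpasswd = int(_last(cfg, "kpasswd_port", DEFAULT_KPASSWD_PORT))
        by_port[("kadmind", kadmind)].append(realm)
        by_port[("kpasswd", kpasswd)].append(realm)
        by_db[_last(cfg, "database_name", None)].append(realm)
        weak = [e.split(":")[0] for e in _last(cfg, "supported_enctypes", "").split()
                if e.startswith("des-cbc-")]
        if weak:
            findings.append(("warn", "%s: single-DES enctypes enabled: %s"
                             % (realm, ", ".join(weak))))
    for (svc, port), rs in sorted(by_port.items()):
        if len(rs) > 1:
            findings.append(("error", "%s port %d shared by realms %s"
                             % (svc, port, ", ".join(sorted(rs)))))
    for db, rs in by_db.items():
        if len(rs) > 1:
            findings.append(("warn", "database %s shared by realms %s"
                             % (db, ", ".join(sorted(rs)))))
    return findings


if __name__ == "__main__":
    for sev, msg in check_realms(parse_profile(KDC_CONF)["realms"]):
        print(sev.upper(), msg)
```

Run it against the real /var/lib/kerberos/krb5kdc/kdc.conf before adding a realm: an "error" line means the second kadmind will fail to bind or the wrong daemon will answer that realm's kpasswd requests, which is the symptom discussed in this thread; a shared database is reported as a warning only, since nobody in the thread has confirmed whether two kadmind processes on one database are safe.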