krb5-kdc: Cannot change passwords if password history is used

Christopher Odenbach odenbach at uni-paderborn.de
Tue Mar 6 11:45:15 EST 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

> When you set up a new test realm, what krb5 release were you using
> on the KDC?

1.8.3

> What krb5.conf and kdc.conf enctype/keytype parameters in both the
> test realm and the production realm?

root at test15[~]# more /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = SYSLOG:INFO:LOCAL1
 admin_server = SYSLOG:INFO:LOCAL7

[libdefaults]
 ticket_lifetime = 36000
 renew_lifetime = 36000
 default_realm = UNI-PADERBORN.DE
 dns_lookup_realm = false
 dns_lookup_kdc = false
 afs_cells = uni-paderborn.de
 forwardable = true

[realms]
 UNI-PADERBORN.DE = {
  kdc = kerberos1.uni-paderborn.de:88
  kdc = kerberos2.uni-paderborn.de:88
  kdc = kerberos3.uni-paderborn.de:88
  master_kdc = kerberos.uni-paderborn.de:88
  admin_server = kerberos.uni-paderborn.de:749
  default_domain = uni-paderborn.de
 }

 CS.UNI-PADERBORN.DE = {
  kdc = sphinx.cs.uni-paderborn.de
  kdc = orthos.cs.uni-paderborn.de
  admin_server = sphinx.cs.uni-paderborn.de
  master_kdc = sphinx.cs.uni-paderborn.de
 }

 MATH.UNI-PADERBORN.DE = {
  kdc = kerberos1.math.uni-paderborn.de:88
  kdc = kerberos2.math.uni-paderborn.de:88
  admin_server = kerberos1.math.uni-paderborn.de:749
 }

[domain_realm]
 .uni-paderborn.de = UNI-PADERBORN.DE
 uni-paderborn.de = UNI-PADERBORN.DE
 .cs.uni-paderborn.de = CS.UNI-PADERBORN.DE
 cs.uni-paderborn.de = CS.UNI-PADERBORN.DE
 .math.uni-paderborn.de = MATH.UNI-PADERBORN.DE
 math.uni-paderborn.de = MATH.UNI-PADERBORN.DE

[appdefaults]
 pam = {
   max_timeout = 30
   timeout_shift = 2
   initial_timeout = 1
 }


root at test15[~]# more /etc/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88

[realms]
 UNI-PADERBORN.DE = {
  database_name = /var/lib/krb5kdc/principal
  admin_keytab = /etc/krb5kdc/kadm5.keytab
  acl_file = /etc/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  key_stash_file = /etc/krb5kdc/stash
  kadmind_port = 749
  max_life = 10h 0m 0s
  max_renewable_life = 30d 0h 0m 0s
  master_key_type = des-cbc-crc
  supported_enctypes = aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:normal
 }

[logging]
  kdc = SYSLOG:INFO:LOCAL1
  admin_server = SYSLOG:INFO:LOCAL7

> The 1.8 code that decrypts the key history for a client principal 
> unconditionally chooses the first key in the list, so ordering is 
> important.  Does getprinc kadmin/history on the original 1.6
> database show a different ordering of keys?

Thanks to VMware I just quickly switched back to the Lenny snapshot:

Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt

So exactly the same ordering.

> What sorts of tools did you use to do the upgrade?

tar and kdb5_util.

So at first I just copied the binary database, which seemed to work.
After we ran into the password trouble we also tried dumping the
database with the 1.6 kdb5_util and importing it again with the new one.
No change in behaviour.

> I think we can make changes to the code to resolve this issue, but
> we need to gather more information.  It's not clear whether
> removing the triple-DES key will resolve the issue, because any
> principals who have changed their passwords and had their old keys
> encrypted using the triple-DES history key will then have
> problems.

Yuck.

> Thanks for reporting this problem.  It is rather perplexing, and
> we would appreciate any additional information you can provide.

I will happily provide you with everything you need, as long as that does not
mean sending over our complete database... ;-)

Thanks,

Christopher

- -- 
======================================================
    Dipl.-Ing. Christopher Odenbach
    Zentrum fuer Informations- und Medientechnologien
    Universitaet Paderborn
    Raum N5.122
    odenbach at uni-paderborn.de
    Tel.: +49 5251 60 5315
======================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFPVj8ahxiCJKeLY0IRAtrlAJ0biQLbCZwddAu8RPgNXsjVurDlogCgko4N
T2zZ+2JTGOpGUbdSfRq8jMQ=
=euKg
-----END PGP SIGNATURE-----

