Problems parsing old krbPrincipalKey attributes from LDAP backend

Frank Steinberg steinberg at ibr.cs.tu-bs.de
Tue May 20 09:56:04 EDT 2014


Hi,

I'm using MIT Kerberos with an LDAP backend on Ubuntu Linux systems for some years now. During an update from 1.10.x to 1.12.x I'm observing some trouble:

1. It seems like the LDAP backend now requires the krbRealmContainer objects to be under an object of class krbContainer. Formerly it was happily working under an "ou=kerberos" node. However, it is feasible to change my LDAP structure in this way, so this is not really a problem.

2. What really causes me headaches is that some krbPrincipalKeys can no longer be parsed. They trigger errors like: unable to decode stored principal key data (ASN.1 structure is missing a required field) while retrieving "{anonymized}@IBR.CS.TU-BS.DE". It seems like this happens only for keys that have not been changed for quite some time: I asked a user who had a key that caused this error to change his password using an older 1.10-based kadmind. Afterwards the new 1.12.x-based programs were able to parse it.

So far, I found out that this ASN1_MISSING_FIELD is triggered in lib/krb5/asn.1/asn1_encode.c:omit_atype().

kadmin.local gives this getprinc output for working and non-working principals on 1.10 and 1.12:

WORKING on 1.10:
Number of keys: 8
Key: vno 92, aes256-cts-hmac-sha1-96, Version 5
Key: vno 92, arcfour-hmac, Version 5
Key: vno 92, des3-cbc-sha1, Version 5
Key: vno 92, des-cbc-crc, Version 5
Key: vno 92, des-cbc-md5, Version 4
Key: vno 92, des-cbc-md5, Version 5 - No Realm
Key: vno 92, des-cbc-md5, Version 5 - Realm Only
Key: vno 92, des-cbc-md5, AFS version 3
MKey: vno 1

NOT WORKING on 1.10:
Number of keys: 8
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, arcfour-hmac, no salt
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, des-cbc-crc, no salt
Key: vno 2, des-cbc-md5, Version 4
Key: vno 2, des-cbc-md5, Version 5 - No Realm
Key: vno 2, des-cbc-md5, Version 5 - Realm Only
Key: vno 2, des-cbc-md5, AFS version 3
MKey: vno 1

WORKING on 1.12:
Number of keys: 8
Key: vno 92, aes256-cts-hmac-sha1-96, no salt
Key: vno 92, arcfour-hmac, no salt
Key: vno 92, des3-cbc-sha1, no salt
Key: vno 92, des-cbc-crc, no salt
Key: vno 92, des-cbc-md5, no salt
Key: vno 92, des-cbc-md5, Version 5 - No Realm
Key: vno 92, des-cbc-md5, Version 5 - Realm Only
Key: vno 92, des-cbc-md5, AFS version 3
MKey: vno 1

NOT WORKING on 1.12:
get_principal: unable to decode stored principal key data (ASN.1 structure is missing a required field) while retrieving "{anonymized}@IBR.CS.TU-BS.DE".


Did this krbPrincipalKey type change? Is there a tool to fix old keys?

 -frank

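As an added example (not from Frank's mail and not MIT krb5's own code): a small Python DER walker that decodes a krbPrincipalKey value and lists which OPTIONAL members each stored key carries, so an old entry can be inspected before a strict decoder rejects it. It assumes the KrbKeySet layout as recalled from the kdb_ldap plugin source; SAMPLE is constructed and is not real key material.

```python
# Minimal DER walker for a krbPrincipalKey value (KrbKeySet) that reports which
# OPTIONAL members each stored key carries.  The layout is an ASSUMPTION recalled
# from the MIT krb5 kdb_ldap plugin source, not something the mail states:
#   KrbKeySet ::= SEQUENCE { [0] major, [1] minor, [2] kvno, [3] mkvno OPTIONAL,
#                            [4] SEQUENCE OF KrbKey }
#   KrbKey ::= SEQUENCE { [0] KrbSalt OPTIONAL, [1] EncryptionKey, [2] s2kparams OPTIONAL }
#   KrbSalt ::= SEQUENCE { [0] type, [1] salt OCTET STRING OPTIONAL }
#   EncryptionKey ::= SEQUENCE { [0] keytype, [1] keyvalue OCTET STRING }

def tlv(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, next_pos); long-form lengths included."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def fields(seq):
    """Contents of a SEQUENCE of [n] EXPLICIT members -> {n: inner value bytes}."""
    out, pos = {}, 0
    while pos < len(seq):
        tag, val, pos = tlv(seq, pos)
        if (tag & 0xc0) != 0x80:
            raise ValueError("expected context-specific tag, got 0x%02x" % tag)
        out[tag & 0x1f] = tlv(val)[1]          # unwrap the EXPLICIT wrapper
    return out

def parse_krb_key_set(der_bytes):
    """Return (kvno, [{'keytype', 'salt': None | (type, value-or-None)}])."""
    top = fields(tlv(der_bytes)[1])
    keys, pos = [], 0
    while pos < len(top[4]):                      # each KrbKey SEQUENCE
        _, key_seq, pos = tlv(top[4], pos)
        kf, salt = fields(key_seq), None
        if 0 in kf:                               # KrbSalt present; its value may be absent
            sf = fields(kf[0])
            salt = (int.from_bytes(sf[0], "big"), sf.get(1))
        keytype = int.from_bytes(fields(kf[1])[0], "big", signed=True)
        keys.append({"keytype": keytype, "salt": salt})
    return int.from_bytes(top[2], "big"), keys

# Constructed sample (short-form lengths only): kvno 2, one aes256 key whose
# KrbSalt has a type but no salt value, one arcfour key with no KrbSalt at all.
def der(tag, payload): return bytes([tag, len(payload)]) + payload
def ctx(n, inner): return der(0xa0 | n, inner)    # [n] EXPLICIT
def key(keytype, kbytes, salt=b""):
    enc = der(0x30, ctx(0, der(2, bytes([keytype]))) + ctx(1, der(4, kbytes)))
    return der(0x30, (ctx(0, der(0x30, salt)) if salt else b"") + ctx(1, enc))
SAMPLE = der(0x30, ctx(0, der(2, b"\x01")) + ctx(1, der(2, b"\x01"))
             + ctx(2, der(2, b"\x02")) + ctx(3, der(2, b"\x01"))
             + ctx(4, der(0x30, key(18, b"\x11" * 4, ctx(0, der(2, b"\x00")))
                               + key(23, b"\x22" * 4))))
```

Run `parse_krb_key_set()` over the raw attribute bytes fetched from LDAP to see, per key, whether the salt element and its value are present.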