ksu problem with "Version: 1.12+dfsg-2ubuntu5.1"
Giuseppe Mazza
g.mazza at imperial.ac.uk
Wed Feb 18 06:35:31 EST 2015
On 18/02/15 10:57, Giuseppe Mazza wrote:
> On 17/02/15 22:51, Benjamin Kaduk wrote:
>> On Tue, 17 Feb 2015, Giuseppe Mazza wrote:
>>
>>> On 17/02/15 17:36, Benjamin Kaduk wrote:
>>>> On Tue, 17 Feb 2015, Giuseppe Mazza wrote:
>>>
>>>
>>> client% head -20 /etc/krb5.conf
>>> [appdefaults]
>>> # [dwm] necessary for DOC.IC.AC.UK
>>> allow_weak_crypto=true
>>>
>>> [libdefaults]
>>> default_realm = DOC.IC.AC.UK
>>>
>>> # The following krb5.conf variables are only for MIT Kerberos.
>>> krb4_config = /etc/krb.conf
>>> krb4_realms = /etc/krb.realms
>>> kdc_timesync = 1
>>> ccache_type = 4
>>> forwardable = true
>>> proxiable = true
>>>
>>> # [dwm] necessary for DOC.IC.AC.UK
>>> allow_weak_crypto=true
>>>
>>> # The following encryption type specification will be used by MIT Kerberos
>>> # if uncommented. In general, the defaults in the MIT Kerberos code are
>>
>> Are any of the encryption type specifications in the following lines of
>> the file uncommented?
>>
>> I don't think we've heard any other reports of this sort of issue with
>> ksu, and I don't think that its code does anything special that would fail
>> to respect allow_weak_crypto, so I am rather puzzled at the behavior you
>> are seeing.
>>
>> Also, you say you are upgrading to Ubuntu 14.04 with krb5
>> 1.12+dfsg-2ubuntu5.1, but what version were you upgrading from? The krb5
>> 1.10+dfsg~beta1-2ubuntu0.6 in Ubuntu 12.04?
>>
>>
>> -Ben
>>
>
> Here is my /etc/krb5.conf
> (I have double checked that there is no line with
> the character '#' in the middle of a line):
>
> ---------------------------------------------------------------
> client% grep -v '#' /etc/krb5.conf
> [appdefaults]
> allow_weak_crypto=true
>
> [libdefaults]
> default_realm = DOC.IC.AC.UK
>
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> allow_weak_crypto=true
>
> v4_instance_resolve = false
> v4_name_convert = {
> host = {
> rcmd = host
> ftp = ftp
> }
> plain = {
> something = something-else
> }
> }
> fcc-mit-ticketflags = true
>
> [realms]
> DOC.IC.AC.UK = {
> default_domain = doc.ic.ac.uk
> kdc = kerberos.doc.ic.ac.uk
> kdc = kerberos1.doc.ic.ac.uk
> kdc = kerberos2.doc.ic.ac.uk
> admin_server = kerberos.doc.ic.ac.uk
> auth_to_local = RULE:[1:$1]
> auth_to_local = DEFAULT
> }
>
> [domain_realm]
> .doc.ic.ac.uk = DOC.IC.AC.UK
> doc.ic.ac.uk = DOC.IC.AC.UK
> .ic.ac.uk = IC.AC.UK
> ic.ac.uk = IC.AC.UK
>
> [login]
> krb4_convert = true
> krb4_get_tickets = false
>
> [pam]
> forwardable = true
>
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
>
> ---------------------------------------------------------------
> My previous version of the package is:
>
> root@slave1:~# aptitude show krb5-admin-server | grep Version
> Version: 1.12+dfsg-2ubuntu5
> root@slave1:~# aptitude show krb5-kdc | grep Version
> Version: 1.12+dfsg-2ubuntu5
> root@slave1:~# aptitude show libkrb5-3 | grep Version
> Version: 1.12+dfsg-2ubuntu5
> root@slave1:~# aptitude show krb5-user | grep Version
> Version: 1.12+dfsg-2ubuntu5
>
> where slave1 is a kerberos server that I have not upgraded yet
> ---------
>
>
> I have downloaded this version from
> https://launchpad.net/ubuntu/+source/krb5/1.12+dfsg-2ubuntu5
>
>
> root@slave:~# uname -a
> Linux slave.doc.ic.ac.uk 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 21:30:07 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>
>
> Cheers,
> Giuseppe

(I have shortened the word "collegue" sometimes for better formatting)

A colleague of mine lets me know that it could be a different issue.
Here is his root principal:

kadmin.local: get_principal collegue/root
Principal: collegue/root@DOC.IC.AC.UK
Expiration date: [never]
Last password change: Thu Feb 24 11:40:22 GMT 2011
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Feb 18 11:26:15 GMT 2015 (colleg/admin@DOC.IC.AC.UK)
Last successful authentication: Wed Feb 18 11:26:22 GMT 2015
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, des-cbc-crc, no salt
Key: vno 2, des-cbc-crc, Version 4
Key: vno 2, des-cbc-crc, AFS version 3
Key: vno 2, arcfour-hmac, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

(Please note the user has got a DES root principal)

kadmin.local: get_principal host/client.doc.ic.ac.uk
Principal: host/client.doc.ic.ac.uk@DOC.IC.AC.UK
Expiration date: [never]
Last password change: Tue Feb 17 16:06:24 GMT 2015
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Feb 18 11:25:40 GMT 2015 (colleg/admin@DOC.IC.AC.UK)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: machine

If the user does not have "Attributes: REQUIRES_PRE_AUTH"
and the machine does,
ksu fails with the error message that I have posted.

If the machine does not have "Attributes: REQUIRES_PRE_AUTH",
ksu works regardless of the user's setting.

Cheers,
Giuseppe
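
An added example, not part of the original message or of MIT krb5: a small parser for `get_principal` output that reports, per principal, the two properties compared above (key enctypes and the REQUIRES_PRE_AUTH attribute). The sample is constructed from the two listings in the message, with principal names written with "@"; the weak-enctype set is an assumption taken from the MIT krb5 enctype documentation, and `parse_principals` and `audit` are hypothetical names.

```python
import re

# Enctypes the MIT krb5 documentation marks as weak, i.e. usable only with
# allow_weak_crypto = true (assumption: list taken from the MIT enctype docs).
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
    "des3-cbc-raw", "des-hmac-sha1", "arcfour-hmac-exp",
}

# Constructed sample: abbreviated from the two get_principal listings above.
SAMPLE = """\
Principal: collegue/root@DOC.IC.AC.UK
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, des-cbc-crc, no salt
Key: vno 2, des-cbc-crc, Version 4
Key: vno 2, des-cbc-crc, AFS version 3
Key: vno 2, arcfour-hmac, no salt
Attributes: REQUIRES_PRE_AUTH
Principal: host/client.doc.ic.ac.uk@DOC.IC.AC.UK
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Attributes: REQUIRES_PRE_AUTH
"""

KEY_RE = re.compile(r"^Key: vno (\d+), ([^,]+), (.+)$")

def parse_principals(text):
    """Split concatenated get_principal output into one dict per principal."""
    principals, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Principal:"):
            cur = {"name": line.split(":", 1)[1].strip(), "keys": [], "attrs": set()}
            principals.append(cur)
        elif cur and (m := KEY_RE.match(line)):
            # (key version number, enctype, salt type)
            cur["keys"].append((int(m.group(1)), m.group(2).strip(), m.group(3).strip()))
        elif cur and line.startswith("Attributes:"):
            cur["attrs"] = set(line.split(":", 1)[1].split())
    return principals

def audit(principal):
    """Summarise preauth flag and weak-enctype exposure for one principal."""
    enctypes = [e for _, e, _ in principal["keys"]]
    return {
        "name": principal["name"],
        "preauth": "REQUIRES_PRE_AUTH" in principal["attrs"],
        "weak": sorted({e for e in enctypes if e in WEAK_ENCTYPES}),
        "only_weak": bool(enctypes) and all(e in WEAK_ENCTYPES for e in enctypes),
    }
```

Calling `[audit(p) for p in parse_principals(SAMPLE)]` shows the user principal carrying `des-cbc-crc` keys next to stronger ones and the host principal holding a single AES key, both with preauthentication required.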