ksu problem with "Version: 1.12+dfsg-2ubuntu5.1"

Giuseppe Mazza g.mazza at imperial.ac.uk
Wed Feb 18 06:35:31 EST 2015


On 18/02/15 10:57, Giuseppe Mazza wrote:
> On 17/02/15 22:51, Benjamin Kaduk wrote:
>> On Tue, 17 Feb 2015, Giuseppe Mazza wrote:
>>
>>> On 17/02/15 17:36, Benjamin Kaduk wrote:
>>>> On Tue, 17 Feb 2015, Giuseppe Mazza wrote:
>>>
>>>
>>> client% head -20 /etc/krb5.conf
>>> [appdefaults]
>>> # [dwm] necessary for DOC.IC.AC.UK
>>>     allow_weak_crypto=true
>>>
>>> [libdefaults]
>>>     default_realm = DOC.IC.AC.UK
>>>
>>> # The following krb5.conf variables are only for MIT Kerberos.
>>>     krb4_config = /etc/krb.conf
>>>     krb4_realms = /etc/krb.realms
>>>     kdc_timesync = 1
>>>     ccache_type = 4
>>>     forwardable = true
>>>     proxiable = true
>>>
>>> # [dwm] necessary for DOC.IC.AC.UK
>>>     allow_weak_crypto=true
>>>
>>> # The following encryption type specification will be used by MIT Kerberos
>>> # if uncommented.  In general, the defaults in the MIT Kerberos code are
>>
>> Are any of the encryption type specifications in the following lines of
>> the file uncommented?
>>
>> I don't think we've heard any other reports of this sort of issue with
>> ksu, and I don't think that its code does anything special that would
>> fail to respect allow_weak_crypto, so I am rather puzzled at the behavior
>> you are seeing.
>>
>> Also, you say you are upgrading to Ubuntu 14.04 with krb5
>> 1.12+dfsg-2ubuntu5.1, but what version were you upgrading from?  The krb5
>> 1.10+dfsg~beta1-2ubuntu0.6 in Ubuntu 12.04?
>>
>>
>> -Ben
>>
>
> Here is my /etc/krb5.conf
> (I have double checked that there is no line with
> the character '#' in the middle of a line):
>
> ---------------------------------------------------------------
> client% grep -v '#' /etc/krb5.conf
> [appdefaults]
>      allow_weak_crypto=true
>
> [libdefaults]
>      default_realm = DOC.IC.AC.UK
>
>      krb4_config = /etc/krb.conf
>      krb4_realms = /etc/krb.realms
>      kdc_timesync = 1
>      ccache_type = 4
>      forwardable = true
>      proxiable = true
>
>      allow_weak_crypto=true
>
>      v4_instance_resolve = false
>      v4_name_convert = {
>          host = {
>              rcmd = host
>              ftp = ftp
>          }
>          plain = {
>              something = something-else
>          }
>      }
>      fcc-mit-ticketflags = true
>
> [realms]
>      DOC.IC.AC.UK = {
>          default_domain = doc.ic.ac.uk
>          kdc = kerberos.doc.ic.ac.uk
>          kdc = kerberos1.doc.ic.ac.uk
>          kdc = kerberos2.doc.ic.ac.uk
>          admin_server = kerberos.doc.ic.ac.uk
>                  auth_to_local = RULE:[1:$1]
>                  auth_to_local = DEFAULT
>      }
>
> [domain_realm]
>      .doc.ic.ac.uk = DOC.IC.AC.UK
>      doc.ic.ac.uk = DOC.IC.AC.UK
>      .ic.ac.uk = IC.AC.UK
>      ic.ac.uk = IC.AC.UK
>
> [login]
>      krb4_convert = true
>      krb4_get_tickets = false
>
> [pam]
>      forwardable = true
>
> [logging]
>      kdc = FILE:/var/log/krb5kdc.log
>      admin_server = FILE:/var/log/kadmin.log
>
> ---------------------------------------------------------------
> My previous version of the package is:
>
> root at slave1:~# aptitude show krb5-admin-server | grep Version
> Version: 1.12+dfsg-2ubuntu5
> root at slave1:~# aptitude show krb5-kdc | grep Version
> Version: 1.12+dfsg-2ubuntu5
> root at slave1:~# aptitude show libkrb5-3 | grep Version
> Version: 1.12+dfsg-2ubuntu5
> root at slave1:~# aptitude show krb5-user | grep Version
> Version: 1.12+dfsg-2ubuntu5
>
> where slave1 is a kerberos server that I have not upgraded yet
> ---------
>
>
> I have downloaded this version from
> https://launchpad.net/ubuntu/+source/krb5/1.12+dfsg-2ubuntu5
>
>
> root at slave:~# uname -a
> Linux slave.doc.ic.ac.uk 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3
> 21:30:07 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>
>
> Cheers,
> Giuseppe

(I have shortened the word "collegue" sometimes for better formatting)

A colleague of mine lets me know that it could be a different issue.
Here is his root principal:
kadmin.local:  get_principal collegue/root
Principal: collegue/root at DOC.IC.AC.UK
Expiration date: [never]
Last password change: Thu Feb 24 11:40:22 GMT 2011
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Feb 18 11:26:15 GMT 2015 (colleg/admin at DOC.IC.AC.UK)
Last successful authentication: Wed Feb 18 11:26:22 GMT 2015
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, des-cbc-crc, no salt
Key: vno 2, des-cbc-crc, Version 4
Key: vno 2, des-cbc-crc, AFS version 3
Key: vno 2, arcfour-hmac, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

(Please note the user has got a DES root principal)


kadmin.local:  get_principal host/client.doc.ic.ac.uk
Principal: host/client.doc.ic.ac.uk at DOC.IC.AC.UK
Expiration date: [never]
Last password change: Tue Feb 17 16:06:24 GMT 2015
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Feb 18 11:25:40 GMT 2015 (colleg/admin at DOC.IC.AC.UK)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: machine


If the user does not have "Attributes: REQUIRES_PRE_AUTH"
and the machine does,
ksu fails with the error message that I have posted.

If the machine does not have "Attributes: REQUIRES_PRE_AUTH"
ksu works regardless of the user's setting.

Cheers,
Giuseppe
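As an added illustration (not part of the thread), a small Python audit that parses kadmin get_principal output like the dumps above and flags the two things discussed here: DES/RC4 keys on a principal, and a host principal that requires preauthentication while the user principal does not. The WEAK_ENCTYPES policy and the helper names are this example's own choices, not anything the thread or MIT Kerberos defines.

```python
# Enctypes this audit flags as weak (single DES, 3DES, RC4): an assumed
# site policy for the example, not something the thread itself defines.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac"}

# Constructed sample, condensed from the two get_principal dumps in the
# thread (the list archive prints '@' as ' at '; real output shows '@').
USER_DUMP = """Principal: collegue/root@DOC.IC.AC.UK
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, des-cbc-crc, no salt
Key: vno 2, des-cbc-crc, Version 4
Key: vno 2, arcfour-hmac, no salt
Attributes: REQUIRES_PRE_AUTH"""

HOST_DUMP = """Principal: host/client.doc.ic.ac.uk@DOC.IC.AC.UK
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Attributes: REQUIRES_PRE_AUTH"""

def parse_get_principal(text):
    """Parse one get_principal block into name, key enctypes and attributes."""
    rec = {"name": None, "keys": [], "attributes": set()}
    for line in text.splitlines():
        label, _, value = line.partition(":")
        value = value.strip()
        if label == "Principal":
            rec["name"] = value
        elif label == "Key":
            # "vno 2, des-cbc-crc, no salt": the enctype is the second field
            rec["keys"].append(value.split(",")[1].strip())
        elif label == "Attributes":
            # kadmin prints attributes space-separated on one line
            rec["attributes"] = set(value.split())
    return rec

def audit(rec):
    """Return findings for one principal: weak keys, no AES key, no preauth."""
    findings = []
    weak = sorted(set(rec["keys"]) & WEAK_ENCTYPES)
    if weak:
        findings.append("weak enctypes: " + ", ".join(weak))
    if not any(k.startswith("aes") for k in rec["keys"]):
        findings.append("no AES key")
    if "REQUIRES_PRE_AUTH" not in rec["attributes"]:
        findings.append("REQUIRES_PRE_AUTH not set")
    return findings

def ksu_preauth_mismatch(user, host):
    """The combination the thread reports as breaking ksu: host requires preauth, user does not."""
    return ("REQUIRES_PRE_AUTH" in host["attributes"]
            and "REQUIRES_PRE_AUTH" not in user["attributes"])
```

Feed it the output of `kadmin.local -q "get_principal <name>"` for each principal pair you want to compare; the collegue/root dump above is reported for its DES and RC4 keys even though its preauth flag matches the host's.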