ksu problem with "Version: 1.12+dfsg-2ubuntu5.1"

Giuseppe Mazza g.mazza at imperial.ac.uk
Thu Feb 19 05:38:06 EST 2015


On 18/02/15 17:08, Benjamin Kaduk wrote:
> On Wed, 18 Feb 2015, Giuseppe Mazza wrote:
>
>> A collegue of mine lets me know that it could be a different issue.
>> Here is his root principal:
>> kadmin.local:  get_principal collegue/root
>> Principal: collegue/root at DOC.IC.AC.UK
>> Expiration date: [never]
>> Last password change: Thu Feb 24 11:40:22 GMT 2011
>> Password expiration date: [none]
>> Maximum ticket life: 0 days 10:00:00
>> Maximum renewable life: 7 days 00:00:00
>> Last modified: Wed Feb 18 11:26:15 GMT 2015 (colleg/admin at DOC.IC.AC.UK)
>> Last successful authentication: Wed Feb 18 11:26:22 GMT 2015
>> Last failed authentication: [never]
>> Failed password attempts: 0
>> Number of keys: 5
>> Key: vno 2, des3-cbc-sha1, no salt
>> Key: vno 2, des-cbc-crc, no salt
>> Key: vno 2, des-cbc-crc, Version 4
>> Key: vno 2, des-cbc-crc, AFS version 3
>> Key: vno 2, arcfour-hmac, no salt
>> MKey: vno 1
>> Attributes: REQUIRES_PRE_AUTH
>> Policy: default
>>
>> (Please note the user has got a DES root principals)
>>
>>
>> kadmin.local:  get_principal host/client.doc.ic.ac.uk
>> Principal: host/client.doc.ic.ac.uk at DOC.IC.AC.UK
>> Expiration date: [never]
>> Last password change: Tue Feb 17 16:06:24 GMT 2015
>> Password expiration date: [none]
>> Maximum ticket life: 0 days 10:00:00
>> Maximum renewable life: 7 days 00:00:00
>> Last modified: Wed Feb 18 11:25:40 GMT 2015 (colleg/admin at DOC.IC.AC.UK)
>> Last successful authentication: [never]
>> Last failed authentication: [never]
>> Failed password attempts: 0
>> Number of keys: 1
>> Key: vno 2, aes256-cts-hmac-sha1-96, no salt
>> MKey: vno 1
>> Attributes: REQUIRES_PRE_AUTH
>> Policy: machine
>>
>>
>> If the user does not have "Attributes: REQUIRES_PRE_AUTH"
>> and the machine does
>> ksu fails with the error message that I have posted.
>>
>> If the machine does not have "Attributes: REQUIRES_PRE_AUTH"
>> ksu works regardless the user's setting.
>
> That would explain the behavior you are seeing, yes (and there is no
> connection to the version of the software).
>

Sorry for my confusion...

> For unfortunate historical reasons, the REQUIRES_PRE_AUTH flag has two
> distinct meanings when set on a principal; one meaning applies when the
> principal is acting as a client, and the other when it is acting as a
> service.  When the principal is acting as a client, this flag requires
> that the principal pre-authenticate itself to the KDC before a ticket is
> issued (e.g., via encrypted timestamp).  When the flag is set on a
> principal acting as a server, the KDC will not issue a service ticket for
> that service principal unless the client's initial authentication was
> preauthenticated.  So, having the flag set on a server but not the client
> will cause the client to fail to get a ticket.
>
> For this reason, unless the flag can be set on all principals in the realm
> all at once (such as by setting it in the default_principal_flags before
> realm creation), it is best to only set the flag on user principals, and
> not on server principals.
>
> -Ben
>

thank you for your explanation.

All the best,
Giuseppe




More information about the Kerberos mailing list