A problem with kadm5_setkey_principal() using an LDAP backend

Lonigro, Frank A franco at bu.edu
Mon Jun 19 10:13:27 EDT 2017


We have an application that uses kadm5_setkey_principal() to set the key for a Kerberos account.  This application works fine on a KDC with a BDB backend, but fails to set the key on a KDC with an LDAP backend.  Both Kerberos KDCs have the "s" flag set in the ACL file.  The interesting thing is that if we have our application set a random key using kadm5_randkey_principal(), it works perfectly no matter the backend.  But obviously, randkey is not what we want.

In the LDAP messages log, the only attribute that is modified when doing the setkey is: MOD attr=krbExtraData

But when doing the randkey, the usual set of attributes are modified: MOD attr=krbLoginFailedCount krbprincipalkey krbpasswordexpiration krbLastPwdChange krbExtraData

Is this a known issue?

We are using krb5-1.10.3 currently on Linux.

Boston University
Senior Systems Engineer
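One way to confirm from the directory side whether a key change actually reached the principal entry, using the slapd-style "MOD attr=" lines quoted in the post. This is an added example, not code from the original post or from MIT krb5; the surrounding log line shape (conn=/op=/RESULT) and the sample DN are assumed and constructed.

```python
import re

# Attribute the KDC's LDAP backend stores key material in (the post's
# "krbprincipalkey"); LDAP attribute names compare case-insensitively.
KEY_ATTR = "krbprincipalkey"

# Log line shapes assumed from OpenLDAP "stats" logging; not from the post.
MOD_DN_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) MOD dn="(?P<dn>[^"]*)"')
MOD_ATTR_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) MOD attr=(?P<attrs>.+)$")

# Constructed sample of the two cases in the post: a setkey that only
# touched krbExtraData, then a randkey that wrote the key attribute too.
SAMPLE_LOG = """\
conn=1001 op=3 MOD dn="krbPrincipalName=svc/app@EXAMPLE.ORG,cn=EXAMPLE.ORG,cn=krbContainer,dc=example,dc=org"
conn=1001 op=3 MOD attr=krbExtraData
conn=1001 op=3 RESULT tag=103 err=0 text=
conn=1002 op=4 MOD dn="krbPrincipalName=svc/app@EXAMPLE.ORG,cn=EXAMPLE.ORG,cn=krbContainer,dc=example,dc=org"
conn=1002 op=4 MOD attr=krbLoginFailedCount krbprincipalkey krbpasswordexpiration krbLastPwdChange krbExtraData
conn=1002 op=4 RESULT tag=103 err=0 text=
"""

def parse_modifies(log_text):
    """Group the MOD lines of each (conn, op) into {"dn": ..., "attrs": set()}."""
    ops, order = {}, []
    for line in log_text.splitlines():
        m = MOD_DN_RE.search(line) or MOD_ATTR_RE.search(line)
        if not m:
            continue  # RESULT lines and unrelated traffic
        key = (m["conn"], m["op"])
        if key not in ops:
            ops[key] = {"dn": None, "attrs": set()}
            order.append(key)
        if "dn" in m.groupdict():
            ops[key]["dn"] = m["dn"]
        else:
            ops[key]["attrs"].update(a.lower() for a in m["attrs"].split())
    return [ops[k] for k in order]

def key_not_written(log_text):
    """DNs of modifies that touched krbExtraData but never wrote the key
    attribute: the setkey symptom the post describes."""
    return [mod["dn"] for mod in parse_modifies(log_text)
            if "krbextradata" in mod["attrs"] and KEY_ATTR not in mod["attrs"]]

if __name__ == "__main__":
    for dn in key_not_written(SAMPLE_LOG):
        print("key attribute not written for", dn)
```

Run it against the slapd log captured around the application's setkey call; a hit means the directory entry's key was never replaced, regardless of what the kadm5 call returned.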

