A problem with kadm5_setkey_principal() using an LDAP backend

Lonigro, Frank A franco at bu.edu
Mon Jun 19 12:02:47 EDT 2017


Greg,

Thanks for this quick response.  I will give your suggestion a try.

Thanks so much,
Frank

-----Original Message-----
From: Greg Hudson [mailto:ghudson at mit.edu] 
Sent: Monday, June 19, 2017 11:49 AM
To: Lonigro, Frank A <franco at bu.edu>; kerberos at mit.edu
Subject: Re: A problem with kadm5_setkey_principal() using an LDAP backend

On 06/19/2017 10:13 AM, Lonigro, Frank A wrote:
> We have an application that uses kadm5_setkey_principal() to set the key for a Kerberos account.  This application works fine on a KDC with a BDB backend, but fails to set the key on a KDC with an LDAP backend.
[...]
> Is this a known issue?

This was not a known issue, but I believe I can see the problem in the code.  In kadm5_randkey_principal_3(), there is a statement:

    kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT;

which lets the KDB provider know what fields it should put into the database.  There is no corresponding statement in kadm5_setkey_principal_3().  The BDB KDB module doesn't care about the mask (it just serializes the whole principal entry no matter what), but the LDAP KDB module uses it to determine which attributes to change.

If you are prepared to rebuild the code, adding an identical kdb->mask assignment to kadm5_setkey_principal_3() just before the call to
kdb_put_entry() should fix your issue.  (In the master branch, the assignment would go in kadm5_setkey_principal_4().)

I will open a ticket for this bug.  Although I think the fix is trivial, testing it is not, so it may take me a bit to submit a PR.  As we only support releases for two years, we are only likely to backport the bugfix to 1.15 and 1.14 patch releases.



More information about the Kerberos mailing list