[krbdev.mit.edu #2520] Problem with kadmin in 1.3.1

Machin at MIT.EDU
Mon Mar 29 23:38:02 EST 2004


The default key encryption types for kadmin/admin in the KDC database are
des-cbc-crc and des3-hmac-sha1.

If the krb5.conf specifies a default_tgs_enctypes but does not include
des3-hmac-sha1, kadmin will fail with the message:

kadmin: GSS-API (or Kerberos) error while initializing kadmin interface

The problem appears to be that when kadmin requests the kadmin/admin
service ticket, it asks for a ticket with an encryption type taken from
this list:

    static krb5_enctype enctypes[] = {
        ENCTYPE_DES3_CBC_SHA1,
        ENCTYPE_ARCFOUR_HMAC,
        ENCTYPE_DES_CBC_MD5,
        ENCTYPE_DES_CBC_CRC,
        0,
    };

(See kadm5_init_with_password() => _kadm5_init_any() in
lib/kadm5/clnt/client_init.c.)


However, when new_connection() is called to set up a GSSAPI RPC connection
to kadmind, gss_init_sec_context() requests a ticket based on the
intersection of its static list of encryption types:

    static const krb5_enctype wanted_enctypes[] = {
        ENCTYPE_DES3_CBC_SHA1,
        ENCTYPE_ARCFOUR_HMAC,
        ENCTYPE_DES_CBC_CRC,
        ENCTYPE_DES_CBC_MD5,
        ENCTYPE_DES_CBC_MD4,
    };

and what the krb5.conf file defines as default_tgs_enctypes.
(See get_requested_enctypes() in lib/gssapi/krb5/init_sec_context.c.)



The problem is that the kadmin/admin service ticket will be DES3_CBC_SHA1,
but gss_init_sec_context() will only look for what is set by
default_tgs_enctypes. If des3-cbc-sha1 is not set there, kadmin will fail.

The solution is to have _kadm5_init_any() do what gss_init_sec_context()
does: use the encryption types that are in both the desired list and
what is defined by default_tgs_enctypes.

I have modified lib/kadm5/clnt/client_init.c to include a modified
get_requested_enctypes() obtained from init_sec_context.c, which returns an
encryption type list that is the intersection of what is in a passed list and
default_tgs_enctypes.

Now you get a service ticket with an encryption type that
gss_init_sec_context() will also ask for.
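The mismatch described above, as an added model written for this page (not krb5's own code): kadmin's request list and the GSSAPI wanted list are the ones quoted in the report, the KDC is assumed to issue the ticket in the first requested enctype it holds a kadmin/admin key for, and the two default_tgs_enctypes settings are constructed; kadmin_connects() compares the 1.3.1 behaviour with the intersection-based change.

```c
#include <stddef.h>
typedef int krb5_enctype;
/* Numeric values of krb5.h's ENCTYPE_* constants, defined locally so the
 * example builds without the krb5 headers. */
#define ENCTYPE_DES_CBC_CRC   0x0001
#define ENCTYPE_DES_CBC_MD4   0x0002
#define ENCTYPE_DES_CBC_MD5   0x0003
#define ENCTYPE_DES3_CBC_SHA1 0x0010
#define ENCTYPE_ARCFOUR_HMAC  0x0017
#define N(a) (sizeof(a) / sizeof((a)[0]))
/* The two static lists quoted in the report, and the default kadmin/admin keys. */
static const krb5_enctype kadmin_enctypes[] = { ENCTYPE_DES3_CBC_SHA1,
    ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_CRC };
static const krb5_enctype gss_wanted[] = { ENCTYPE_DES3_CBC_SHA1,
    ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5,
    ENCTYPE_DES_CBC_MD4 };
static const krb5_enctype kdc_keys[] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES3_CBC_SHA1 };
/* Constructed default_tgs_enctypes settings; the first omits des3-hmac-sha1. */
const krb5_enctype tgs_without_des3[] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5 };
const krb5_enctype tgs_with_des3[] = { ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC };

static int in_list(krb5_enctype e, const krb5_enctype *l, size_t n)
{
    for (size_t i = 0; i < n; i++) if (l[i] == e) return 1;
    return 0;
}
/* Order-preserving intersection, which is what get_requested_enctypes()
 * computes against default_tgs_enctypes.  Returns the entries written. */
size_t intersect_enctypes(const krb5_enctype *want, size_t nw,
    const krb5_enctype *conf, size_t nc, krb5_enctype *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < nw && n < cap; i++)
        if (in_list(want[i], conf, nc)) out[n++] = want[i];
    return n;
}

/* Assumption: the KDC issues the ticket in the first requested enctype it has
 * a kadmin/admin key for.  fixed=0 sends kadmin's list unfiltered (1.3.1);
 * fixed=1 applies the change.  Returns 1 if GSSAPI asks for the ticket's type. */
int kadmin_connects(const krb5_enctype *tgs, size_t ntgs, int fixed)
{
    krb5_enctype req[8], gss[8], ticket = 0;
    size_t nreq = intersect_enctypes(kadmin_enctypes, N(kadmin_enctypes),
        fixed ? tgs : kadmin_enctypes, fixed ? ntgs : N(kadmin_enctypes), req, 8);
    for (size_t i = 0; i < nreq && !ticket; i++)
        if (in_list(req[i], kdc_keys, N(kdc_keys))) ticket = req[i];
    size_t ngss = intersect_enctypes(gss_wanted, N(gss_wanted), tgs, ntgs, gss, 8);
    return ticket != 0 && in_list(ticket, gss, ngss);
}
```

With des3 absent from default_tgs_enctypes the unfixed client obtains a DES3 ticket that the GSSAPI layer never asks for, while the intersection-based request falls back to a des-cbc-crc ticket both sides agree on.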


Glenn