more ldap concerns

Savitha R rsavitha@novell.com
Fri Jun 9 02:21:48 EDT 2006



>>> On Thu, Jun 8, 2006 at  4:09 am, in message
<20060607223927.GK23943@sun.com>,
Will Fiveash <William.Fiveash@sun.com> wrote: 
> On Mon, Jun 05, 2006 at 04:51:10PM -0500, Will Fiveash wrote:
> 
> (more enctype issues...)
> 
> After running:
> 
> kdb5_ldap_util -D "cn=directory manager" -w my_password create -P my_password
> -subtree "dc=south,dc=sun,dc=com"
> 
> then:
> 
> $ ./kadmin.local -q 'getprinc krbtgt/ACME.COM'
> Authenticating as principal willf/admin@ACME.COM with password.
> Principal: krbtgt/ACME.COM@ACME.COM
> Expiration date: [never]
> Last password change: [never]
> Password expiration date: [none]
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Tue Jun 06 16:53:52 CDT 2006 (cn=directory manager@ACME.COM)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
>             ???????????????????????????????????????????
> Attributes:
> Policy: [none]
> 
> This was using the defaults for enctypes (no enctype parameters were
> specified in the k*.conf or kdb5_ldap_util).  I'm bothered by the fact
> that krbtgt only has a DES3 key.  The db2 krbtgt princ created using
> defaults had 2 keys (des3 and des-cbc-crc).  Even this seems weird to
> me.  By default Solaris creates a krbtgt princ with keys for all
> supported enctypes on the KDC.  Why isn't this the case with the MIT
> code?
> 
> Note that my realm object in the directory contains:
> 
> dn: cn=ACME.COM,cn=krbcontainer,dc=south,dc=sun,dc=com
> cn: ACME.COM
> objectClass: top
> objectClass: krbrealmcontainer
> krbSubTree: dc=south,dc=sun,dc=com
> krbDefaultEncType: 16
> krbDefaultSaltType: 0
> krbSupportedSaltTypes: 0
> krbSupportedSaltTypes: 1
> krbSupportedSaltTypes: 2
> krbSupportedSaltTypes: 3
> krbSupportedSaltTypes: 4
> krbSupportedEncTypes: 1
> krbSupportedEncTypes: 2
> krbSupportedEncTypes: 3
> krbSupportedEncTypes: 16
> krbSupportedEncTypes: 17
> krbSupportedEncTypes: 18
> krbSupportedEncTypes: 23

This will be fixed and the behavior will be similar to that of MIT
code.
The enctypes and salt types from the directory realm object will not be
considered for now. 
This will be used in the future when there will be a plugin interface
for the profile  library.


Thanks
Savitha
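As an added illustration (not code from this thread or from the MIT/Novell LDAP plugin), the check below reads a krbrealmcontainer entry like the one quoted above, maps the numeric krbSupportedEncTypes/krbDefaultEncType values to their RFC 3961/3962/4757 names, flags the single-DES and RC4 entries as weak, and reports which advertised enctypes a principal has no key for (the krbtgt-with-only-a-DES3-key situation Will describes). The LDIF sample is constructed from the message; note that, per the reply, the KDC at that time did not actually consult these directory attributes, so this only audits what the realm object claims.

```python
# Constructed sample: the realm object quoted in the message, as LDIF.
REALM_LDIF = """\
dn: cn=ACME.COM,cn=krbcontainer,dc=south,dc=sun,dc=com
objectClass: krbrealmcontainer
krbDefaultEncType: 16
krbSupportedEncTypes: 1
krbSupportedEncTypes: 2
krbSupportedEncTypes: 3
krbSupportedEncTypes: 16
krbSupportedEncTypes: 17
krbSupportedEncTypes: 18
krbSupportedEncTypes: 23
"""

# Kerberos enctype registry numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 23}  # single DES (RFC 6649) and RC4 (RFC 8429) are deprecated


def parse_ldif_entry(text):
    """Return attr -> [values] for one simple LDIF entry (no base64 or folded lines)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def realm_enctype_report(ldif_text):
    """Name the realm's default and supported enctypes and list the weak ones."""
    entry = parse_ldif_entry(ldif_text)
    supported = [int(v) for v in entry.get("krbSupportedEncTypes", [])]
    default = int(entry["krbDefaultEncType"][0])
    name = lambda e: ENCTYPE_NAMES.get(e, "unknown(%d)" % e)
    return {"default": name(default),
            "supported": [name(e) for e in supported],
            "weak": [name(e) for e in supported if e in WEAK_ENCTYPES]}


def missing_principal_keys(ldif_text, principal_key_enctypes):
    """Advertised enctypes for which the principal holds no key (e.g. krbtgt with only 16)."""
    entry = parse_ldif_entry(ldif_text)
    supported = {int(v) for v in entry.get("krbSupportedEncTypes", [])}
    gap = supported - set(principal_key_enctypes)
    return sorted(ENCTYPE_NAMES.get(e, "unknown(%d)" % e) for e in gap)
```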


