RT/krbdev.mit.edu: Ticket #5954 ksu fails without domain

RT/krbdev.mit.edu: Ticket #5954 ksu fails without domain_realm mapping for local host

Signed in as guest.
[Logout]

[Home]

[Search]

[Configuration]

[Display]

[History]

[Basics]

[Dates]

[People]

[Links]

[Jumbo]

The Basics

Id
5954

Status
resolved

Worked
0 min

Priority
0/0

Queue
krb5

Keyword Selections

Component	krb5-clients
Version_reported	1.6.3
Version_Fixed	1.7
Target_Version
Tags

Relationships

Depends on:

Depended on by:

Parents:

Children:

Refers to:

Referred to by:

Dates

Created:	Tue Apr 29 00:43:41 2008
Starts:	Not set
Started:	Tue Jan 6 18:45:14 2009
Last Contact:	Tue Jan 6 18:45:27 2009
Due:	Not set
Updated:	Fri Jan 30 23:08:19 2009 by tlyu

People

Owner
hartmans
Requestors
Russ Allbery <rra@stanford.edu>
Cc

AdminCc

More about Russ Allbery

Comments about this user:
No comment entered about this user
This user's 25 highest priority tickets:

4114: no mechanism for timing out DNS lookups (new)
5126: krb5_verify_init_creds behaves badly with a ticket cache (new)
5583: support include in the profile library (new)
5955: krb5kdc and kadmind could drop privileges after binding (new)
5957: fakeka requires master key be DES (new)
5958: kadmin enctype naming for DES is deceptive (new)
5959: Missing fakeka documentation (new)
6343: klist should mark expired tickets (new)
6344: kadmind support for binding to specific local IPs (new)
6345: no kdb5_util stash equivalent with LDAP database (new)
6346: domain_realm docs need update for referrals (new)
6347: kadmin -keepold documented as not supported for LDAP but appears to work (new)

History

Display mode: [Brief headers] [Full headers]

Tue Apr 29 00:43:42 2008	guest - Ticket created
Subject: ksu fails without domain_realm mapping for local host Here is a trace from a ksu built with debugging support: wanderer:~> ./ksu -D GET_best_princ_for_target: via prompt passwd list choice: approximation of princ in trials # 0 GET_best_princ_for_target result-best principal rra/root@stanford.edu source cache = FILE:/tmp/krb5cc_1000 target cache = FILE:/tmp/krb5cc_0.1 krb5_check_exp: the krb5_clockskew is 300 krb5_check_exp: currenttime - endtime -82497 krb5_check_exp: the krb5_clockskew is 300 krb5_check_exp: currenttime - endtime -82497 krb5_check_exp: the krb5_clockskew is 300 krb5_check_exp: currenttime - endtime -82497 krb5_auth_check: Client principal name: rra/root@stanford.edu krb5_auth_check: Server principal name: host/wanderer.stanford.edu@ ksu: Matching credential not found While Retrieving credentials local tgt principal name: krbtgt/stanford.edu@stanford.edu WARNING: Your password may be exposed if you enter it here and are logged in remotely using an unsecure (non-encrypted) channel. Kerberos password for rra/root@stanford.edu: : krb5_auth_check: got ticket for end server out_creds->server: host/wanderer.stanford.edu@ krb5_verify_tkt_def: verifying target server server: host/wanderer.stanford.edu@ tkt->server: host/wanderer.stanford.edu@stanford.edu ksu: Wrong principal in request while verifying ticket for server Authentication failed. The problem appears to stem from the fact that ksu rolls its own ticket verification and doesn't use krb5_verify_init_creds. Is there some reason why it doesn't do this, or does it just predate that API? If it just predates the API, I might be able to take a shot at producing a patch.		Download (untitled) 1.6k
Tue Apr 29 13:25:10 2008	hartmans - Correspondence added
From: Sam Hartman <hartmans@mit.edu> To: rt@krbdev.mit.edu Subject: Re: [krbdev.mit.edu #5954] ksu fails without domain_realm mapping for local host Date: Tue, 29 Apr 2008 13:25:09 -0400 RT-Send-Cc: It definitely predates the API.		Download (untitled) 32b
Tue Jan 6 18:45:14 2009	hartmans - Given to hartmans
Tue Jan 6 18:45:14 2009	hartmans - Status changed from new to open
Tue Jan 6 18:45:14 2009	hartmans - Correspondence added
From: hartmans@mit.edu Subject: SVN Commit Ksu should call krb5_verify_init_creds instead of using its own function. This was prompted by a desire for ksu to work without a domain_realm mapping for the local server, but the duplication of code is bad anyway. http://src.mit.edu/fisheye/changelog/krb5/?cs=21714 Commit By: hartmans Revision: 21714 Changed Files: U trunk/src/clients/ksu/krb_auth_su.c		Download (untitled) 361b
Tue Jan 6 18:45:20 2009	hartmans - Correspondence added
From: hartmans@mit.edu Subject: SVN Commit Remove ksu's own implementation of krb5_verify_init_creds now that it is not used. http://src.mit.edu/fisheye/changelog/krb5/?cs=21715 Commit By: hartmans Revision: 21715 Changed Files: U trunk/src/clients/ksu/krb_auth_su.c		Download (untitled) 228b
Tue Jan 6 18:45:26 2009	hartmans - Status changed from open to review
Tue Jan 6 18:45:26 2009	hartmans - Correspondence added
From: hartmans@mit.edu Subject: SVN Commit Add support for referral null realms and use the default realm as krb5_rd_req_extended does http://src.mit.edu/fisheye/changelog/krb5/?cs=21716 Commit By: hartmans Revision: 21716 Changed Files: U trunk/src/lib/krb5/krb/vfy_increds.c		Download (untitled) 238b
Fri Jan 23 17:30:21 2009	tlyu - Status changed from review to resolved
Fri Jan 30 23:08:19 2009	tlyu - Version_Fixed 1.7 added