From aidan@panix.com Fri Dec 5 15:23:44 1997
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id PAA09541 for ; Fri, 5 Dec 1997 15:23:43 -0500
Received: from mail2.panix.com by MIT.EDU with SMTP id AA21905; Fri, 5 Dec 97 15:23:34 EST
Received: from juggler.nfs100.access.net (juggler.panix.com [198.7.0.31]) by mail2.panix.com (8.8.8/8.8.8/PanixM1.3) with ESMTP id PAA26786; Fri, 5 Dec 1997 15:23:29 -0500 (EST)
Received: (from root@localhost) by juggler.nfs100.access.net (8.8.5/8.7.1/PanixN1.0) id PAA02368; Fri, 5 Dec 1997 15:23:29 -0500 (EST)
Message-Id: <199712052023.PAA02368@juggler.nfs100.access.net>
Date: Fri, 5 Dec 1997 15:23:29 -0500 (EST)
From: aidan@panix.com
Reply-To: aidan@panix.com
To: krb5-bugs@MIT.EDU
Cc: aidan@panix.com
Subject: kadmind4 does not work with krb5
X-Send-Pr-Version: 3.99

>Number: 510
>Category: krb5-misc
>Synopsis: The kadmind4 server will not accept connections, will not
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Dec 05 15:24:01 EST 1997
>Last-Modified:
>Originator: Aidan Cully
>Organization: Public Access Networks
>Release: krb5-1.0.2
>Environment:
i386, NetBSD 1.2
System: NetBSD juggler.nfs100.access.net 1.2 NetBSD 1.2 (JUGGLER) #0: Mon Oct 27 20:41:16 EST 1997 marcotte@juggler.nfs100.access.net:/usr/hlocal/panix-src/newest/src/sys/arch/i386/compile/JUGGLER i386
>Description:
when kadmind4 starts up, it binds to the address pointed to by gethostname(). This should be INADDR_ANY (0.0.0.0). This barfed in our setup where the local host name is different from the hostnames in all our krb.conf files.

Once this problem was fixed, kadmind4 attempted to communicate with kadmind or krb5kdc (didn't spend enough time looking through the code to figure this out) with a tgt for ovsec_adm/(admin|changepw), but attempting to decrypt a ticket for kadmin/(admin|changepw) (or something like that.. something was barfing on the server pointed to by the ticket being different from the server pointed to by the tgt). kadmind4 had to be modified to obtain a tgt for kadmin/(admin|changepw).

When this got fixed, it started responding appropriately to requests, but it still sends back requests that the client end thinks have been modified in transit.
>How-To-Repeat:
Run kadmind4.
>Fix:
Edit src/kadmin/v4server/kadm_ser_wrap.c, comment out the

    memcpy((char *) &server_parm.admin_addr.sin_addr.s_addr, hp->h_addr,
           sizeof(server_parm.admin_addr.sin_addr.s_addr));

line.

Edit src/kadmin/v4server/admin_server.c, change the ovsec_kadm_init_with_skey line to look like

    retval = ovsec_kadm_init_with_skey(service_name, params.admin_keytab, KADM5_ADMIN_SERVICE, krbrlm, KADM5_STRUCT_VERSION, KADM5_API_VERSION_1, &ovsec_handle);

It would also be nice to have some docs for kadmind4. Is this program supported at all?
>Audit-Trail:
>Unformatted:
talk to krb5 properly, and does not respond to the client in a way the client can understand.
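
Added example, not part of the original report and not krb5 source: a small C program showing the first failure described above, where a listener bound to one specific address refuses clients that reach the host by another address, while a listener bound to INADDR_ANY accepts both. The function names are hypothetical, and 127.0.0.2 is an assumed stand-in for "the address the local hostname resolves to" (usable without setup on Linux, where all of 127.0.0.0/8 is loopback).

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listen on bind_ip, or INADDR_ANY if NULL; stores the ephemeral port. */
static int listen_on(const char *bind_ip, unsigned short *port)
{
    struct sockaddr_in sa = { .sin_family = AF_INET };  /* port 0: kernel picks */
    socklen_t len = sizeof(sa);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if ((bind_ip && inet_pton(AF_INET, bind_ip, &sa.sin_addr) != 1) ||
        bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
        listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    *port = ntohs(sa.sin_port);
    return fd;
}

/* 1 if a client dialing client_ip connects to a server bound to bind_ip
 * (NULL = INADDR_ANY), 0 if the connection is refused, -1 on setup error. */
int reachable(const char *bind_ip, const char *client_ip)
{
    struct sockaddr_in sa = { .sin_family = AF_INET };
    unsigned short port;
    int ok, cfd, lfd = listen_on(bind_ip, &port);
    if (lfd < 0) return -1;
    sa.sin_port = htons(port);
    cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (cfd < 0 || inet_pton(AF_INET, client_ip, &sa.sin_addr) != 1) ok = -1;
    else ok = connect(cfd, (struct sockaddr *)&sa, sizeof(sa)) == 0;
    if (cfd >= 0) close(cfd);
    close(lfd);
    return ok;
}

int main(void)
{
    /* Constructed addresses: 127.0.0.2 = hostname's address, 127.0.0.1 = the
     * address clients actually use (assumption, Linux loopback). */
    printf("bound to hostname address: %d\n", reachable("127.0.0.2", "127.0.0.1"));
    printf("bound to INADDR_ANY:       %d\n", reachable(NULL, "127.0.0.1"));
    return 0;
}
```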