| From: | "Machin, Glenn D" <GMachin@sandia.gov> |
| To: | "'krb5-bugs@mit.edu'" <krb5-bugs@mit.edu> |
| Date: | Mon, 29 Mar 2004 21:12:34 -0700 |
| Subject: | Problem with kadmin in 1.3.1 |
The default key encryption types for kadmin/admin in the KDC database are
des-cbc-crc and des3-hmac-sha1.
If the krb5.conf specifies a default_tgs_enctypes but does not include
des3-hmac-sha1, kadmin will fail with the message:
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
The problem appears to be that kadmin when it makes a request for the
kadmin/admin service ticket it asks for a ticket with the encryption type
from the list:
static krb5_enctype enctypes[] = {
ENCTYPE_DES3_CBC_SHA1,
ENCTYPE_ARCFOUR_HMAC,
ENCTYPE_DES_CBC_MD5,
ENCTYPE_DES_CBC_CRC,
0,
};
(See kadm5_init_with_password() => _kadm5_init_any in
lib/kadm5/clnt/client_init.c)
However when new_connection() is called to set up a gssapi rpc connection to
the kadmind, the gss_init_sec_context() requests a ticket based upon the
intersection of the static list of encryption types:
static const krb5_enctype wanted_enctypes[] = {
ENCTYPE_DES3_CBC_SHA1,
ENCTYPE_ARCFOUR_HMAC,
ENCTYPE_DES_CBC_CRC,
ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4,
};
and what the krb5.conf file has defined as the default tgs encryption type.
See get_requested_enctypes() in lib/gssapi/krb5/init_sec_context.c
The problem is that the kadmin/admin service ticket will be DES3_CBC_SHA1,
but the gss_init_sec_context will only look for whats set by
default_tgs_enctypes. If 3des-cbc-sha1 is not set, kadmin will fail.
The solution is to have _kadm5_init_any() do what gss_init_sec_context
does in that, use the encryption types that are in both the desired list and
what is defined by default_tgs_enctypes.
I have modified lib/kadm5/clnt/client_init.c to include a modified
get_requested_enctypes() obtained from init_sec_context.c which returns an
encryption list which is the intersection between whats in a passed list and
default_tgs_enctypes.
Now you get a service ticket with an encrytion type that
gss_init_sec_context will also ask for.
Glenn
des-cbc-crc and des3-hmac-sha1.
If the krb5.conf specifies a default_tgs_enctypes but does not include
des3-hmac-sha1, kadmin will fail with the message:
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
The problem appears to be that kadmin when it makes a request for the
kadmin/admin service ticket it asks for a ticket with the encryption type
from the list:
static krb5_enctype enctypes[] = {
ENCTYPE_DES3_CBC_SHA1,
ENCTYPE_ARCFOUR_HMAC,
ENCTYPE_DES_CBC_MD5,
ENCTYPE_DES_CBC_CRC,
0,
};
(See kadm5_init_with_password() => _kadm5_init_any in
lib/kadm5/clnt/client_init.c)
However when new_connection() is called to set up a gssapi rpc connection to
the kadmind, the gss_init_sec_context() requests a ticket based upon the
intersection of the static list of encryption types:
static const krb5_enctype wanted_enctypes[] = {
ENCTYPE_DES3_CBC_SHA1,
ENCTYPE_ARCFOUR_HMAC,
ENCTYPE_DES_CBC_CRC,
ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4,
};
and what the krb5.conf file has defined as the default tgs encryption type.
See get_requested_enctypes() in lib/gssapi/krb5/init_sec_context.c
The problem is that the kadmin/admin service ticket will be DES3_CBC_SHA1,
but the gss_init_sec_context will only look for whats set by
default_tgs_enctypes. If 3des-cbc-sha1 is not set, kadmin will fail.
The solution is to have _kadm5_init_any() do what gss_init_sec_context
does in that, use the encryption types that are in both the desired list and
what is defined by default_tgs_enctypes.
I have modified lib/kadm5/clnt/client_init.c to include a modified
get_requested_enctypes() obtained from init_sec_context.c which returns an
encryption list which is the intersection between whats in a passed list and
default_tgs_enctypes.
Now you get a service ticket with an encrytion type that
gss_init_sec_context will also ask for.
Glenn