Subject: client kadm5_init incompatible with pre-1.4
kadm5_init in the client library does not correctly perform fallback
when the kadmin/fqdn@REALM principal does not exist in the realm. It
should attempt kadmin/admin@REALM if the former fails, before returning
an error of KADM5_SECURE_PRINC_MISSING.

Workaround for kadmin client is to use the '-O' flag.
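The fallback the ticket asks for, modeled as an added C example (not code from krb5's client_init.c; the error-code values, the realm contents and the rule that a caller-pinned service name carries no realm part are constructed assumptions). It also keeps a realm-resolution error out of the retry, the distinction the patch discussion later in this ticket turns on.

```c
/* Model of the kadm5 client service-principal fallback this ticket asks for. Added
 * illustration, not krb5's client_init.c; error-code values and realms are stand-ins. */
#include <stdio.h>
#include <string.h>
/* Stand-ins for the krb5/kadm5 error codes named in the ticket (values made up). */
enum { OK = 0, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5_CC_NOTFOUND, KRB5_REALM_UNKNOWN,
       KADM5_SECURE_PRINC_MISSING };
struct realm_model {
    const char *name;
    int reachable;                 /* 0 models a domain_realm mapping that finds no KDC */
    const char *const *principals; /* service principals that exist in this realm */
    size_t nprincipals;
};
/* Constructed realms: a pre-1.4 kadmind offers only the host-independent principal. */
static const char *const pre14_princs[] = { "kadmin/admin@EXAMPLE.COM" };
const struct realm_model pre14_realm = { "EXAMPLE.COM", 1, pre14_princs, 1 };
const struct realm_model unreachable_realm = { "EXAMPLE.COM", 0, pre14_princs, 1 };
const struct realm_model empty_realm = { "OTHER.COM", 1, NULL, 0 };

/* Stand-in for kadm5_gic_iter(): obtain a ticket for full_svcname from realm r. */
static int gic_iter(const struct realm_model *r, const char *full_svcname)
{
    if (!r->reachable)
        return KRB5_REALM_UNKNOWN;
    for (size_t i = 0; i < r->nprincipals; i++)
        if (strcmp(full_svcname, r->principals[i]) == 0)
            return OK;
    return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
}

/* Try kadmin/<host>@REALM first; retry with kadmin/admin@REALM only when the caller did
 * not pin a service name and the error means "principal absent", not "realm unknown". */
int init_with_fallback(const struct realm_model *r, const char *host,
                       const char *svcname_in, char *full_svcname, size_t len)
{
    if (svcname_in != NULL)   /* assumption: a pinned svcname_in carries no realm part */
        snprintf(full_svcname, len, "%s@%s", svcname_in, r->name);
    else
        snprintf(full_svcname, len, "kadmin/%s@%s", host, r->name);
    int code = gic_iter(r, full_svcname);
    if ((code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN || code == KRB5_CC_NOTFOUND)
        && svcname_in == NULL) {
        /* Retry with the old host-independent service principal. */
        snprintf(full_svcname, len, "kadmin/admin@%s", r->name);
        code = gic_iter(r, full_svcname);
        if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
            code = KADM5_SECURE_PRINC_MISSING;
    }
    return code;
}
```

With a pinned service name (the effect of kadmin's -O flag against a pre-1.4 kadmind) no fallback is attempted, so the caller sees the original error for exactly the principal it asked for.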
From: tlyu@mit.edu
Subject: CVS Commit
Implement principal name and auth flavor fallback for kadm5 client
library. Adjust test suites to compensate.


To generate a diff of this commit:



cvs diff -r1.103 -r1.104 krb5/doc/ChangeLog
cvs diff -r1.38 -r1.39 krb5/doc/kadm5/api-unit-test.tex
cvs diff -r1.39 -r1.40 krb5/src/kadmin/testing/util/ChangeLog
cvs diff -r1.22 -r1.23 krb5/src/kadmin/testing/util/tcl_kadm5.c
cvs diff -r1.54 -r1.55 krb5/src/lib/kadm5/admin.h
cvs diff -r1.57 -r1.58 krb5/src/lib/kadm5/clnt/ChangeLog
cvs diff -r1.28 -r1.29 krb5/src/lib/kadm5/clnt/client_init.c
cvs diff -r1.61 -r1.62 krb5/src/lib/kadm5/unit-test/ChangeLog
cvs diff -r1.73 -r1.74 krb5/src/tests/dejagnu/krb-standalone/ChangeLog
cvs diff -r1.23 -r1.24 krb5/src/tests/dejagnu/krb-standalone/kadmin.exp
From: tlyu@mit.edu
Subject: CVS Commit
missed one file on previous commit


To generate a diff of this commit:



cvs diff -r1.18 -r1.19 krb5/src/lib/kadm5/unit-test/api.2/init-v2.exp
From: tlyu@mit.edu
Subject: CVS Commit
* kadmin.c (kadmin_startup): New flag "-N" to prevent fallback to
AUTH_GSSAPI.

* kadmin.M: Describe "-O" and "-N" flags.


To generate a diff of this commit:



cvs diff -r1.89 -r1.90 krb5/src/kadmin/cli/ChangeLog
cvs diff -r1.9 -r1.10 krb5/src/kadmin/cli/kadmin.M
cvs diff -r1.64 -r1.65 krb5/src/kadmin/cli/kadmin.c
RT-Send-CC: jdvf@hotmail.com
[tlyu - Fri Feb 11 18:09:29 2005]:

> Implement principal name and auth flavor fallback for kadm5 client
> library. Adjust test suites to compensate.
>
>
> To generate a diff of this commit:
>
>
>
> cvs diff -r1.103 -r1.104 krb5/doc/ChangeLog
> cvs diff -r1.38 -r1.39 krb5/doc/kadm5/api-unit-test.tex
> cvs diff -r1.39 -r1.40 krb5/src/kadmin/testing/util/ChangeLog
> cvs diff -r1.22 -r1.23 krb5/src/kadmin/testing/util/tcl_kadm5.c
> cvs diff -r1.54 -r1.55 krb5/src/lib/kadm5/admin.h
> cvs diff -r1.57 -r1.58 krb5/src/lib/kadm5/clnt/ChangeLog
> cvs diff -r1.28 -r1.29 krb5/src/lib/kadm5/clnt/client_init.c
> cvs diff -r1.61 -r1.62 krb5/src/lib/kadm5/unit-test/ChangeLog
> cvs diff -r1.73 -r1.74 krb5/src/tests/dejagnu/krb-standalone/ChangeLog
> cvs diff -r1.23 -r1.24 krb5/src/tests/dejagnu/krb-standalone/kadmin.exp
RT-Send-CC: jdvf@hotmail.com

As I was saying (sorry about the previous "submit")...

It seems like this fix breaks kadmin auth. with keytab. For example:

# kadmin -p host/binky.foonon.com -k -t /etc/krb5.keytab
Authenticating as principal host/binky.foonon.com with
keytab /etc/krb5.keytab.
kadmin: Cannot find KDC for requested realm while initializing kadmin
interface

jd
RT-Send-CC: jdvf@hotmail.com
[guest - Wed Mar 16 14:15:31 2005]:

>
> As I was saying (sorry about the previous "submit")...
>
> It seems like this fix breaks kadmin auth. with keytab. For example:
>
> # kadmin -p host/binky.foonon.com -k -t /etc/krb5.keytab
> Authenticating as principal host/binky.foonon.com with
> keytab /etc/krb5.keytab.
> kadmin: Cannot find KDC for requested realm while initializing kadmin
> interface
>
> jd

Also, this seems to not happen when the kadmin server is running on a
pre-1.4 KDC

jd
[guest - Wed Mar 16 23:13:44 2005]:

> [guest - Wed Mar 16 14:15:31 2005]:
>
> >
> > As I was saying (sorry about the previous "submit")...
> >
> > It seems like this fix breaks kadmin auth. with keytab. For example:
> >
> > # kadmin -p host/binky.foonon.com -k -t /etc/krb5.keytab
> > Authenticating as principal host/binky.foonon.com with
> > keytab /etc/krb5.keytab.
> > kadmin: Cannot find KDC for requested realm while initializing kadmin
> > interface
> >
> > jd
>
> Also, this seems to not happen when the kadmin server is running on a
> pre-1.4 KDC
>
> jd

Fixed. Here's the patch:

Index: 1.4.0.3/lib/kadm5/clnt/client_init.c
--- 1.4.0.3/lib/kadm5/clnt/client_init.c Thu, 10 Mar 2005 09:57:33 -
0500 jd (MIT
-krb5-src/g/e/2_client_ini 1.2 644)
+++ 1.4.0.3(w)/lib/kadm5/clnt/client_init.c Mon, 21 Mar 2005 11:41:17 -
0500 jd (
MIT-krb5-src/g/e/2_client_ini 1.2 644)
@@ -435,6 +435,7 @@
client, pass, svcname, realm,
full_svcname, full_svcname_len);
if ((code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
+ || code == KRB5_REALM_UNKNOWN
|| code == KRB5_CC_NOTFOUND) && svcname_in == NULL) {
/* Retry with old host-independent service princpal. */
code = kadm5_gic_iter(handle, init_type, ccache,
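Review bot: Folding KRB5_REALM_UNKNOWN into the retry condition conflates a realm-resolution failure with the two "that principal is absent" conditions (KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5_CC_NOTFOUND) the fallback was written for; with this change a genuinely broken domain_realm mapping is silently retried against kadmin/admin@REALM instead of being reported to the caller. The thread later traces the bogus KRB5_REALM_UNKNOWN to get_init_creds_keytab(), so the fix belongs there rather than in this condition. Minor: the context comment reads "princpal"; suggest "principal" while touching the block.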



jd
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #2913] client kadm5_init incompatible with pre-1.4
From: Tom Yu <tlyu@MIT.EDU>
Date: Mon, 21 Mar 2005 15:54:04 -0500
RT-Send-Cc:
>>>>> "jd" == Public Submitter via RT <rt-comment@krbdev.mit.edu> writes:

jd> [guest - Wed Mar 16 14:15:31 2005]:
>>
>> As I was saying (sorry about the previous "submit")...
>>
>> It seems like this fix breaks kadmin auth. with keytab. For example:
>>
>> # kadmin -p host/binky.foonon.com -k -t /etc/krb5.keytab
>> Authenticating as principal host/binky.foonon.com with
>> keytab /etc/krb5.keytab.
>> kadmin: Cannot find KDC for requested realm while initializing kadmin
>> interface
>>
>> jd

jd> Also, this seems to not happen when the kadmin server is running on a
jd> pre-1.4 KDC

This seems like it may be a bug exposed due to a misconfigured
domain_realm mapping. Are the pre-1.4 KDC and the 1.4 KDC running on
the same host? Does the kadmin client without a keytab work correctly
on the same host from which you attempt to use kadmin with the keytab?

---Tom
[tlyu - Mon Mar 21 15:54:15 2005]:

> >>>>> "jd" == Public Submitter via RT <rt-comment@krbdev.mit.edu> writes:
>
> jd> [guest - Wed Mar 16 14:15:31 2005]:
> >>
> >> As I was saying (sorry about the previous "submit")...
> >>
> >> It seems like this fix breaks kadmin auth. with keytab. For example:
> >>
> >> # kadmin -p host/binky.foonon.com -k -t /etc/krb5.keytab
> >> Authenticating as principal host/binky.foonon.com with
> >> keytab /etc/krb5.keytab.
> >> kadmin: Cannot find KDC for requested realm while initializing kadmin
> >> interface
> >>
> >> jd
>
> jd> Also, this seems to not happen when the kadmin server is running on a
> jd> pre-1.4 KDC
>
> This seems like it may be a bug exposed due to a misconfigured
> domain_realm mapping. Are the pre-1.4 KDC and the 1.4 KDC running on
> the same host? Does the kadmin client without a keytab work correctly
> on the same host from which you attempt to use kadmin with the keytab?
>
> ---Tom


I had the sense of things messed up, sorry. What I *meant* to say is
that it *doesn't* happen when the kadmin server is using RPCSEC_GSS.

I'm working in two different Kerberos environments: one using a 1.28 MIT
KDC, the other using a Solaris 10 KDC.

With the 'kadmin classic' server (v1.28, patched), and the new (1.4
patched) kadmin client, "kadmin -k" would fail, but "kadmin -O -k" would
work just fine (while password and ccache auth would work without the
"-O"). On the same system, connecting to the same kadmind, a v1.35
kadmin would work just fine in all three cases.

I'll double-check the domain_realm mapping, but I'm fairly certain that
it's okay since everything else works.

jd
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #2913] client kadm5_init incompatible with pre-1.4
From: Tom Yu <tlyu@MIT.EDU>
Date: Tue, 22 Mar 2005 17:54:42 -0500
RT-Send-Cc:
>>>>> "jd" == Public Submitter via RT <rt-comment@krbdev.mit.edu> writes:

jd> With the 'kadmin classic' server (v1.28, patched), and the new (1.4
jd> patched) kadmin client, "kadmin -k" would fail, but "kadmin -O -k" would
jd> work just fine (while password and ccache auth would work without the
jd> "-O"). On the same system, connecting to the same kadmind, a v1.35
jd> kadmin would work just fine in all three cases.

Ok, it turns out that the kadmin fallback change unmasked a bug in
get_init_creds_keytab() that was resulting in a bogus
KRB5_REALM_UNKNOWN error.

---Tom
From: tlyu@mit.edu
Subject: CVS Commit
pullup from trunk


To generate a diff of this commit:



cvs diff -r1.98.4.3 -r1.98.4.4 krb5/doc/ChangeLog
cvs diff -r1.38 -r1.38.26.1 krb5/doc/kadm5/api-unit-test.tex
cvs diff -r1.89 -r1.89.4.1 krb5/src/kadmin/cli/ChangeLog
cvs diff -r1.9 -r1.9.4.1 krb5/src/kadmin/cli/kadmin.M
cvs diff -r1.64 -r1.64.4.1 krb5/src/kadmin/cli/kadmin.c
cvs diff -r1.39 -r1.39.4.1 krb5/src/kadmin/testing/util/ChangeLog
cvs diff -r1.22 -r1.22.4.1 krb5/src/kadmin/testing/util/tcl_kadm5.c
cvs diff -r1.54 -r1.54.4.1 krb5/src/lib/kadm5/admin.h
cvs diff -r1.57 -r1.57.2.1 krb5/src/lib/kadm5/clnt/ChangeLog
cvs diff -r1.28 -r1.28.2.1 krb5/src/lib/kadm5/clnt/client_init.c
cvs diff -r1.61 -r1.61.4.1 krb5/src/lib/kadm5/unit-test/ChangeLog
cvs diff -r1.18 -r1.18.8.1 krb5/src/lib/kadm5/unit-test/api.2/init-v2.exp
cvs diff -r1.70.6.2 -r1.70.6.3 krb5/src/tests/dejagnu/krb-standalone/ChangeLog
cvs diff -r1.22.8.1 -r1.22.8.2 krb5/src/tests/dejagnu/krb-standalone/kadmin.exp