From aidan@panix.com Fri Dec 5 15:23:44 1997
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id PAA09541 for <bugs@RT-11.MIT.EDU>; Fri, 5 Dec 1997 15:23:43 -0500
Received: from mail2.panix.com by MIT.EDU with SMTP
id AA21905; Fri, 5 Dec 97 15:23:34 EST
Received: from juggler.nfs100.access.net (juggler.panix.com [198.7.0.31])
by mail2.panix.com (8.8.8/8.8.8/PanixM1.3) with ESMTP id PAA26786;
Fri, 5 Dec 1997 15:23:29 -0500 (EST)
Received: (from root@localhost) by juggler.nfs100.access.net (8.8.5/8.7.1/PanixN1.0) id PAA02368; Fri, 5 Dec 1997 15:23:29 -0500 (EST)
Message-Id: <199712052023.PAA02368@juggler.nfs100.access.net>
Date: Fri, 5 Dec 1997 15:23:29 -0500 (EST)
From: aidan@panix.com
Reply-To: aidan@panix.com
To: krb5-bugs@MIT.EDU
Cc: aidan@panix.com
Subject: kadmind4 does not work with krb5
X-Send-Pr-Version: 3.99
>Number: 510
>Category: krb5-misc
>Synopsis: The kadmind4 server will not accept connections, will not
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Dec 05 15:24:01 EST 1997
>Last-Modified:
>Originator: Aidan Cully
>Organization:
Public Access Networks
>Release: krb5-1.0.2
>Environment:
i386, NetBSD 1.2
System: NetBSD juggler.nfs100.access.net 1.2 NetBSD 1.2 (JUGGLER) #0: Mon Oct 27 20:41:16 EST 1997 marcotte@juggler.nfs100.access.net:/usr/hlocal/panix-src/newest/src/sys/arch/i386/compile/JUGGLER i386
>Description:
When kadmind4 starts up, it binds to the address pointed to by
gethostname(). This should be INADDR_ANY (0.0.0.0). This barfed in
our setup where the local host name is different from the hostnames in
all our krb.conf files.
Once this problem was fixed, kadmind4 attempted to communicate with
kadmind or krb5kdc (didn't spend enough time looking through the code
to figure this out) with a tgt for ovsec_adm/(admin|changepw), but
attempting to decrypt a ticket for kadmin/(admin|changepw) (or
something like that.. something was barfing on the server pointed to
by the ticket being different from the server pointed to by the tgt).
kadmind4 had to be modified to obtain a tgt for
kadmin/(admin|changepw). When this got fixed, it started responding
appropriately to requests, but it still sends back requests that the
client end thinks have been modified in transit.
>How-To-Repeat:
Run kadmind4.
>Fix:
Edit src/kadmin/v4server/kadm_ser_wrap.c, comment out the
    memcpy((char *) &server_parm.admin_addr.sin_addr.s_addr, hp->h_addr,
           sizeof(server_parm.admin_addr.sin_addr.s_addr));
line.
Edit src/kadmin/v4server/admin_server.c, change the
ovsec_kadm_init_with_skey line to look like
    retval = ovsec_kadm_init_with_skey(service_name,
                                       params.admin_keytab,
                                       KADM5_ADMIN_SERVICE, krbrlm,
                                       KADM5_STRUCT_VERSION,
                                       KADM5_API_VERSION_1,
                                       &ovsec_handle);
It would also be nice to have some docs for kadmind4. Is this program
supported at all?
>Audit-Trail:
>Unformatted:
talk to krb5 properly, and does not respond to the client in
a way the client can understand.
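
The bind-address failure described in the report, reproduced on loopback as an added example (not part of the original report and not krb5 code). The helper names and both addresses are assumptions: 127.0.0.2 stands in for the address the local host name resolves to, 127.0.0.1 for the address clients reach through krb.conf, and a Linux loopback where all of 127.0.0.0/8 is local is assumed.

```c
/* Added illustration; addresses are constructed stand-ins, not from the report. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill an IPv4 sockaddr for ip:port (port in host byte order). */
static int fill_addr(struct sockaddr_in *sa, const char *ip, unsigned short port)
{
    memset(sa, 0, sizeof(*sa));
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Listen on bind_ip at an ephemeral port, then connect to dest_ip at that
 * port. Returns 1 if accepted, 0 if the connection fails, -1 on setup error. */
int reachable(const char *bind_ip, const char *dest_ip)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    int cfd = socket(AF_INET, SOCK_STREAM, 0);
    int result = -1;

    if (lfd >= 0 && cfd >= 0 &&
        fill_addr(&sa, bind_ip, 0) == 0 &&
        bind(lfd, (struct sockaddr *)&sa, sizeof(sa)) == 0 &&
        listen(lfd, 1) == 0 &&
        getsockname(lfd, (struct sockaddr *)&sa, &len) == 0 &&
        fill_addr(&sa, dest_ip, ntohs(sa.sin_port)) == 0)
        result = connect(cfd, (struct sockaddr *)&sa, sizeof(sa)) == 0;
    if (lfd >= 0) close(lfd);
    if (cfd >= 0) close(cfd);
    return result;
}

int main(void)
{
    /* Listener bound to one specific address vs. INADDR_ANY (0.0.0.0). */
    printf("bound to hostname address: %d\n", reachable("127.0.0.2", "127.0.0.1"));
    printf("bound to INADDR_ANY:       %d\n", reachable("0.0.0.0", "127.0.0.1"));
    return 0;
}
```

Binding to INADDR_ANY accepts connections on every local interface, so exposure of the admin port is then controlled by packet filtering rather than by the bind address.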