From: austinj@mit.edu
Subject: SVN Commit
Applying Apple patch:
LW+AJ-5146581_kdc_notify_pws.patch (krb5 portion only; kfm portion in a separate branch)

This allows the KDC to speak with the Apple passwordserver, which is necessary on Mac OS X.

Commit By: austinj



Revision: 19838
Changed Files:
U users/austinj/kdc_notify_pws/src/kdc/Makefile.in
U users/austinj/kdc_notify_pws/src/kdc/do_as_req.c
U users/austinj/kdc_notify_pws/src/kdc/extern.c
U users/austinj/kdc_notify_pws/src/kdc/extern.h
U users/austinj/kdc_notify_pws/src/kdc/main.c
A users/austinj/kdc_notify_pws/src/kdc/notify_pws.c

This could use a little more explanation too. What's it do? Are there protocol specs that should
be referenced?

Also, a plugin mechanism might be a better general approach than Apple-PWS-specific code in
the main KDC body.
Date: Tue, 28 Aug 2007 22:18:21 -0700
From: Austin Jennings <austin.jennings@apple.com>
Subject: Re: [krbdev.mit.edu #5658] kdc notify pws
To: rt-comment@krbdev.mit.edu
This is an Apple-specific mechanism for keeping Kerberos passwords
synchronized with other authentication mechanisms. Unfortunately,
there really isn't any documentation to cite here.

On Aug 24, 2007, at 1:57 PM, Ken Raeburn via RT wrote:

> This could use a little more explanation too. What's it do? Are
> there protocol specs that should
> be referenced?
>
> Also, a plugin mechanism might be a better general approach than
> Apple-PWS-specific code in
> the main KDC body.
From: Ken Raeburn <raeburn@mit.edu>
Subject: Re: [krbdev.mit.edu #5658] kdc notify pws
Date: Wed, 5 Sep 2007 02:47:29 -0400
To: rt@krbdev.mit.edu
On Aug 29, 2007, at 01:18, Austin Jennings via RT wrote:
> This is an Apple-specific mechanism for keeping Kerberos passwords
> synchronized with other authentication mechanisms. Unfortunately,
> there really isn't any documentation to cite here.

From looking at the patch, actually it doesn't look like it relates
to password synchronization, just ties in to an account
management system for unspecified purposes. The code seems to have
about two lines of comments as to the purpose of these calls (at a
higher level than "send a line to the server").

(There is some password-synchronization code that lxs integrated a
few years ago for Apple, which at this point probably would also be
best made into a plugin, but that's another matter...)

Ken
Date: Wed, 05 Sep 2007 00:07:39 -0700
From: Austin Jennings <austin.jennings@apple.com>
Subject: Re: [krbdev.mit.edu #5658] kdc notify pws
To: rt-comment@krbdev.mit.edu
CC: Simon Cooper <scooper@apple.com>

On Sep 4, 2007, at 23:47, Ken Raeburn via RT wrote:

> On Aug 29, 2007, at 01:18, Austin Jennings via RT wrote:
>> This is an Apple-specific mechanism for keeping Kerberos passwords
>> synchronized with other authentication mechanisms. Unfortunately,
>> there really isn't any documentation to cite here.
>
> From looking at the patch, actually it doesn't look like it relates
> to password synchronization, just ties in to an account
> management system for unspecified purposes. The code seems to have
> about two lines of comments as to the purpose of these calls (at a
> higher level than "send a line to the server").
>
> (There is some password-synchronization code that lxs integrated a
> few years ago for Apple, which at this point probably would also be
> best made into a plugin, but that's another matter...)
>
> Ken

This patch predates me, so I can only speculate that it's building on
top of the work that lxs did previously. I believe Simon Cooper has
some familiarity with this, so you may want to get in touch with him and
see if he can offer some details.
Date: Thu, 06 Sep 2007 16:05:36 -0700
From: Austin Jennings <austin.jennings@apple.com>
Subject: Re: [krbdev.mit.edu #5658] kdc notify pws
To: rt-comment@krbdev.mit.edu
Some information from Steven Simon:

This command is not in the last spec.

The PasswordService daemon handles password replication and policies for us.
When a change comes in through Kerberos, we have the KDC notify the PasswordService
of the change.

PasswordService's protocol is a hack of the POP3 protocol. It's text-based with command + args.
The protocol for this command is:
AUTH KERBEROS-LOGIN-CHECK <principal> [? | + | - | !]

? = get current status, returns a status code for the user's current state
the values are in the patch (search for "// Reposonse Codes (used numerically)")
+ = kinit success
- = bad password
! = password changed

In past releases, we restricted access to "KERBEROS-LOGIN-CHECK" to localhost.
However, that approach proscribes shell accounts on the PasswordService system.
We've updated PasswordService to have a root-only named pipe for flexibility.

- Steve
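The command line described in Steve's message, written out as an added example (not code from the Apple patch or from the krb5 tree): a formatter for the KDC side and a parser for the PasswordService side. Because the protocol is line-based text like POP3, the example rejects principal names containing whitespace or control characters (CR/LF in particular) so that one notification cannot be turned into several commands; the CRLF terminator and the printable-ASCII restriction on principals are assumptions, since the thread only says the protocol is POP3-like.

```c
/* Wire format from the thread: "AUTH KERBEROS-LOGIN-CHECK <principal> <flag>"
 * with flag one of ? + - !.  CRLF line ending is an assumption. */
#include <stdio.h>
#include <string.h>

#define PWS_FLAGS "?+-!"

/* A principal must be non-empty, bounded, and free of whitespace and
 * control bytes (CR/LF would start a new command in a line protocol). */
static int pws_principal_ok(const char *principal)
{
    size_t i, n = strlen(principal);
    if (n == 0 || n > 255) return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)principal[i];
        if (c <= 0x20 || c >= 0x7f) return 0;
    }
    return 1;
}

/* KDC side: write the command into buf. Returns bytes written, or -1 if the
 * principal or flag is invalid or buf is too small. */
int pws_format_login_check(char *buf, size_t buflen, const char *principal, char flag)
{
    int n;
    if (!pws_principal_ok(principal) || flag == '\0' || strchr(PWS_FLAGS, flag) == NULL)
        return -1;
    n = snprintf(buf, buflen, "AUTH KERBEROS-LOGIN-CHECK %s %c\r\n", principal, flag);
    if (n < 0 || (size_t)n >= buflen) return -1;
    return n;
}

/* PasswordService side: parse one received line. On success copies the
 * principal into out, stores the flag and returns 1; returns 0 otherwise. */
int pws_parse_login_check(const char *line, char *out, size_t outlen, char *flag)
{
    const char *prefix = "AUTH KERBEROS-LOGIN-CHECK ";
    const char *p, *sp;
    size_t plen;
    if (strncmp(line, prefix, strlen(prefix)) != 0) return 0;
    p = line + strlen(prefix);
    sp = strchr(p, ' ');
    if (sp == NULL) return 0;
    plen = (size_t)(sp - p);
    if (plen == 0 || plen >= outlen) return 0;
    if (sp[1] == '\0' || strchr(PWS_FLAGS, sp[1]) == NULL) return 0;
    if (sp[2] != '\0' && strcmp(sp + 2, "\r\n") != 0 && strcmp(sp + 2, "\n") != 0) return 0;
    memcpy(out, p, plen);
    out[plen] = '\0';
    *flag = sp[1];
    return pws_principal_ok(out);
}
```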