From tls@panix.com Tue Feb 2 15:34:50 1999
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id PAA02383 for <bugs@RT-11.MIT.EDU>; Tue, 2 Feb 1999 15:34:49 -0500
Received: from mail1.panix.com by MIT.EDU with SMTP
id AA11339; Tue, 2 Feb 99 15:34:23 EST
Received: from panix7.panix.com (root@panix7.nyc.access.net [166.84.0.232])
by mail1.panix.com (8.8.8/8.8.8/PanixM1.3) with ESMTP id PAA01570
for <krb5-bugs@mit.edu>; Tue, 2 Feb 1999 15:34:42 -0500 (EST)
Received: (from tls@localhost) by panix7.panix.com (8.8.8/8.7.1/PanixN1.0) id PAA05286; Tue, 2 Feb 1999 15:34:42 -0500 (EST)
Message-Id: <199902022034.PAA05286@panix7.panix.com>
Date: Tue, 2 Feb 1999 15:34:42 -0500 (EST)
From: Thor Lancelot Simon <tls@panix.com>
Reply-To: tls@rek.tjls.com
To: krb5-bugs@MIT.EDU
In-Reply-To: <796i41$j2c$1@panix7.panix.com>
Subject: kadmind "fix" for multiple realms in one KDC (fwd)

>Number: 687
>Category: krb5-admin
>Synopsis: kadmind "fix" for multiple realms in one KDC (fwd)
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Feb 02 15:35:01 EST 1999
>Last-Modified: Fri Sep 14 11:56:48 EDT 2001
>Originator: Thor Lancelot Simon <tls@panix.com>
>Organization:

Thor Lancelot Simon tls@rek.tjls.com
"And where do all these highways go, now that we are free?"

>Release:
>Environment:
>Description:
------- start of forwarded message -------
Path: news.panix.com!panix7.panix.com!not-for-mail
From: tls@panix.com (Thor Lancelot Simon)
Newsgroups: comp.protocols.kerberos
Subject: kadmind "fix" for multiple realms in one KDC
Date: 2 Feb 1999 04:56:17 -0500
Organization: PANIX -- Public Access Networks Corp.
Lines: 276
Message-ID: <796i41$j2c$1@panix7.panix.com>
Reply-To: tls@rek.tjls.com
NNTP-Posting-Host: panix7.nyc.access.net
X-Trace: news.panix.com 917949377 26276 166.84.0.232 (2 Feb 1999 09:56:17 GMT)
X-Complaints-To: usenet@panix.com
NNTP-Posting-Date: 2 Feb 1999 09:56:17 GMT
Xref: news.panix.com comp.protocols.kerberos:10934

I haven't been able to run multiple realms in one KDC because of kadmind
and kpasswd client lossage -- basically, there's no simple way to change
the kpasswd port for many clients, and kadmind itself is basically almost
irretrievably broken for multiple realms in one copy of kadmind, so it's
not possible to run a single kadmind on the default ports to provide
kadmin and kpasswd ("chpw") service for clients in multiple realms.

Per Marc Horowitz' suggestion, I've implemented "kadmind_addr" and
"kpasswd_addr" (not "kpasswdd" because there's already a separate "v5passwdd"
which is totally different -- "kpasswd_addr" is used by kadmind) parameters
per-realm in kdc.conf, and a single "-addr" command-line flag to kadmind
which sets the address used for both.

This makes it possible to run multiple copies of kadmind bound to multiple
addresses (typically interface aliases, on lo0 on my test kdc which has
many) on the same KDC. This is stupid but it looks like the best we'll get
without a major rewrite of kadmind.

I've been keeping a TODO file for src/kadmin/server; here's what I've got
for the multiple-realms problem. After looking at it again I still think
C) is hard.

| 1) Fix for multiple realms.
|
| It *looks like* what will be required is this:
|
| It's all in ovsec_kadmd.c. Basically, we need to carry around
| a set of parameters, and a set of contexts *for each realm*.
|
| A) look at how the kdc does this.
|
| B) eliminate use of globals -- or, if that's not possible, at
| least make the globals arrays of contexts/params.
|
| C) figure out some way to pick the right context when we get
| a packet -- doubtless the hardest part!

Aside from the really annoying problem with use of "local_realm" in the KDC
v4 compatibility code, now my multiple-realm KDC appears to work completely
right. And I've ditched my v4 clients, so I don't really care.

The following patch is against krb5-current as of 19981026. The first
segment fixes an unrelated problem as of that date, which is that krb5.h
depended on profile.h, which was not installed.

Index: include/Makefile.in
===================================================================
RCS file: /cvsroot/security/krb5-19981026/src/include/Makefile.in,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -c -r1.1.1.1 -r1.2
*** Makefile.in 1998/11/22 00:13:42 1.1.1.1
--- Makefile.in 1998/11/22 02:43:26 1.2
***************
*** 70,74 ****
cd ..
@echo Making clean in include

! install:: krb5.h
$(INSTALL_DATA) krb5.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5.h
--- 70,75 ----
cd ..
@echo Making clean in include

! install:: krb5.h profile.h
$(INSTALL_DATA) krb5.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5.h
+ $(INSTALL_DATA) profile.h $(DESTDIR)$(KRB5_INCDIR)$(S)profile.h
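Review bot: the install:: change is unrelated to the multiple-realm work (the description says as much); split it into its own patch so the profile.h install fix can be applied and reviewed without the kadmind changes.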
Index: kadmin/server/ovsec_kadmd.c
===================================================================
RCS file: /cvsroot/security/krb5-19981026/src/kadmin/server/ovsec_kadmd.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -c -r1.1.1.1 -r1.2
*** ovsec_kadmd.c 1998/11/22 00:13:48 1.1.1.1
--- ovsec_kadmd.c 1999/02/02 09:31:18 1.2
***************
*** 100,106 ****
void usage()
{
fprintf(stderr, "Usage: kadmind [-r realm] [-m] [-nofork] "
! "[-port port-number]\n");
exit(1);
}

--- 100,106 ----
void usage()
{
fprintf(stderr, "Usage: kadmind [-r realm] [-m] [-nofork] "
! "[-port port-number] [-addr bind-address] [-chpw chpw-port]\n");
exit(1);
}

***************
*** 158,163 ****
--- 158,178 ----
usage();
params.kadmind_port = atoi(*argv);
params.mask |= KADM5_CONFIG_KADMIND_PORT;
+ } else if(strcmp(*argv, "-addr") == 0) {
+ argc--; argv++;
+ if(!argc)
+ usage();
+ if((params.kadmind_addr = inet_addr(*argv)) <= 0)
+ usage();
+ params.kpasswd_addr = inet_addr(*argv);
+ params.mask |= KADM5_CONFIG_KADMIND_ADDR;
+ params.mask |= KADM5_CONFIG_KPASSWD_ADDR;
+ } else if(strcmp(*argv, "-chpw") == 0) {
+ argc--; argv++;
+ if(!argc)
+ usage();
+ params.kpasswd_port = atoi(*argv);
+ params.mask |= KADM5_CONFIG_KPASSWD_PORT;
} else
break;
argc--; argv++;
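Review bot: the -addr check `if((params.kadmind_addr = inet_addr(*argv)) <= 0)` does not catch a malformed address. inet_addr() returns INADDR_NONE (0xffffffff) on failure, and because the result is unsigned, `<= 0` only ever rejects 0.0.0.0, which is a legitimate way to ask for INADDR_ANY. Compare against INADDR_NONE, or use inet_aton(), which reports failure separately from the value. The -chpw branch also passes atoi() output through with no range check, matching the existing -port code but worth fixing while here.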
***************
*** 216,222 ****

memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
! addr.sin_addr.s_addr = INADDR_ANY;
addr.sin_port = htons(params.kadmind_port);

if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
--- 231,239 ----

memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
! addr.sin_addr.s_addr = params.kadmind_addr;
! if (addr.sin_addr.s_addr == NULL)
! addr.sin_addr.s_addr = INADDR_ANY;
addr.sin_port = htons(params.kadmind_port);

if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
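Review bot: `if (addr.sin_addr.s_addr == NULL)` compares an integer with the null pointer constant; write it as `== 0` (or `== INADDR_ANY`). The fallback also relies on params.kadmind_addr being zero whenever KADM5_CONFIG_KADMIND_ADDR is not set in params.mask; testing the mask bit instead of the value would make that explicit and would not misread a configured 0.0.0.0 as "unset".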
***************
*** 282,288 ****
#endif /* SO_REUSEADDR */
memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
! addr.sin_addr.s_addr = INADDR_ANY;
addr.sin_port = htons(params.kadmind_port);

if (bind(s, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
--- 299,307 ----
#endif /* SO_REUSEADDR */
memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
! addr.sin_addr.s_addr = params.kadmind_addr;
! if(addr.sin_addr.s_addr == NULL)
! addr.sin_addr.s_addr = INADDR_ANY;
addr.sin_port = htons(params.kadmind_port);

if (bind(s, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
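Review bot: this is a second copy of the fallback logic from the previous hunk, with the same `== NULL` comparison on an integer. Move the "use params.kadmind_addr, else INADDR_ANY" step into one small helper so both kadmind bind paths and the kpasswd socket share a single checked implementation.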
***************
*** 320,327 ****
}
memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
! addr.sin_addr.s_addr = INADDR_ANY;
! /* XXX */
addr.sin_port = htons(params.kpasswd_port);

if (bind(schpw, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
--- 339,347 ----
}
memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
! addr.sin_addr.s_addr = params.kpasswd_addr;
! if(addr.sin_addr.s_addr == NULL)
! addr.sin_addr.s_addr = INADDR_ANY;
addr.sin_port = htons(params.kpasswd_port);

if (bind(schpw, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
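Review bot: same `== NULL` comparison on an integer as in the two hunks above. Dropping the `/* XXX */` marker is fine now that the address is configurable, but the kpasswd socket still binds INADDR_ANY whenever a realm configures only kadmind_addr; if that asymmetry is intended, a comment at the fallback should say so.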
Index: lib/kadm5/admin.h
===================================================================
RCS file: /cvsroot/security/krb5-19981026/src/lib/kadm5/admin.h,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -c -r1.1.1.1 -r1.2
*** admin.h 1998/11/22 00:13:06 1.1.1.1
--- admin.h 1999/02/02 09:31:18 1.2
***************
*** 1,7 ****
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*
! * $Header: /cvsroot/security/krb5-19981026/src/lib/kadm5/admin.h,v 1.1.1.1 1998/11/22 00:13:06 tls Exp $
*/

#ifndef __KADM5_ADMIN_H__
--- 1,7 ----
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*
! * $Header: /cvsroot/security/krb5-19981026/src/lib/kadm5/admin.h,v 1.2 1999/02/02 09:31:18 tls Exp $
*/

#ifndef __KADM5_ADMIN_H__
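Review bot: the `$Header:` line is CVS keyword churn from the local repository, not part of the change; leave it out of the submitted patch.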
***************
*** 95,100 ****
--- 95,102 ----
#define KADM5_CONFIG_DICT_FILE 0x020000
#define KADM5_CONFIG_MKEY_FROM_KBD 0x040000
#define KADM5_CONFIG_KPASSWD_PORT 0x080000
+ #define KADM5_CONFIG_KADMIND_ADDR 0x100000
+ #define KADM5_CONFIG_KPASSWD_ADDR 0x200000

/*
* permission bits
***************
*** 189,194 ****
--- 191,199 ----
char * profile;
int kadmind_port;
int kpasswd_port;
+
+ krb5_ui_4 kadmind_addr;
+ krb5_ui_4 kpasswd_addr;

char * admin_server;

Index: lib/kadm5/alt_prof.c
===================================================================
RCS file: /cvsroot/security/krb5-19981026/src/lib/kadm5/alt_prof.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -c -r1.1.1.1 -r1.2
*** alt_prof.c 1998/11/22 00:13:06 1.1.1.1
--- alt_prof.c 1999/02/02 09:31:18 1.2
***************
*** 487,493 ****
params.mask |= KADM5_CONFIG_KPASSWD_PORT;
}
}
!
/* Get the value for the master key name */
hierarchy[2] = "master_key_name";
if (params_in->mask & KADM5_CONFIG_MKEY_NAME) {
--- 487,519 ----
params.mask |= KADM5_CONFIG_KPASSWD_PORT;
}
}
!
! if (! (params.mask & KADM5_CONFIG_KADMIND_ADDR)) {
! hierarchy[2] = "kadmind_addr";
! if (params_in->mask & KADM5_CONFIG_KADMIND_ADDR) {
! params.mask |= KADM5_CONFIG_KADMIND_ADDR;
! params.kadmind_addr = params_in->kadmind_addr;
! } else if (aprofile &&
! !krb5_aprof_get_string(aprofile, hierarchy, TRUE,
! &svalue)) {
! params.kadmind_addr = inet_addr(svalue);
! params.mask |= KADM5_CONFIG_KADMIND_ADDR;
! }
! }
!
! if (! (params.mask & KADM5_CONFIG_KPASSWD_ADDR)) {
! hierarchy[2] = "kpasswd_addr";
! if (params_in->mask & KADM5_CONFIG_KPASSWD_ADDR) {
! params.mask |= KADM5_CONFIG_KPASSWD_ADDR;
! params.kpasswd_addr = params_in->kpasswd_addr;
! } else if (aprofile &&
! !krb5_aprof_get_string(aprofile, hierarchy, TRUE,
! &svalue)) {
! params.kpasswd_addr = inet_addr(svalue);
! params.mask |= KADM5_CONFIG_KPASSWD_ADDR;
! }
! }
!
/* Get the value for the master key name */
hierarchy[2] = "master_key_name";
if (params_in->mask & KADM5_CONFIG_MKEY_NAME) {
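Review bot: `params.kadmind_addr = inet_addr(svalue);` (and the kpasswd_addr twin) stores INADDR_NONE when the kdc.conf value is not a dotted quad and then sets the mask bit anyway, so a typo in the config is accepted here and only surfaces later as a bind() failure on 255.255.255.255. Check the result (or use inet_aton()) and return an error from this function instead. The svalue obtained from krb5_aprof_get_string is also not freed in either new block.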
>How-To-Repeat:
>Fix:
>Audit-Trail:

Responsible-Changed-From-To: gnats-admin->krb5-unassigned
Responsible-Changed-By: raeburn
Responsible-Changed-When: Fri Sep 14 11:56:08 2001
Responsible-Changed-Why:
reformat/refile
>Unformatted:
We aren't going to put effort into multiple realms in one KDC for now.
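An added example, not part of Thor's patch or of krb5, showing how the -addr option and the kadmind_addr/kpasswd_addr values could be parsed with inet_aton() so that a malformed address is rejected instead of being stored as INADDR_NONE, while 0.0.0.0 and an unset value both fall back to INADDR_ANY; the bind_params struct and the function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical stand-in for the two new kadm5 config fields: network byte
 * order, 0 meaning "not configured" (the patch's INADDR_ANY fallback). */
typedef struct {
    in_addr_t kadmind_addr;
    in_addr_t kpasswd_addr;
} bind_params;

/* Return 1 and store the address on success, 0 on a malformed string.
 * inet_aton() reports failure separately from the value, so
 * 255.255.255.255 is no longer indistinguishable from an error and
 * 0.0.0.0 is accepted as an explicit INADDR_ANY. */
int parse_bind_addr(const char *s, in_addr_t *out)
{
    struct in_addr a;
    if (s == NULL || *s == '\0' || !inet_aton(s, &a))
        return 0;
    *out = a.s_addr;
    return 1;
}

/* Equivalent of the patch's "-addr" flag: one address for both services.
 * Leaves the params untouched and returns 0 if the string is invalid. */
int set_addr_option(bind_params *p, const char *s)
{
    in_addr_t a;
    if (!parse_bind_addr(s, &a))
        return 0;
    p->kadmind_addr = a;
    p->kpasswd_addr = a;
    return 1;
}

/* Fill a sockaddr_in for bind(): an unset (0) address means INADDR_ANY.
 * Written once so the kadmind and kpasswd sockets share the same logic. */
void make_bind_sockaddr(struct sockaddr_in *sa, in_addr_t addr, int port)
{
    memset(sa, 0, sizeof(*sa));
    sa->sin_family = AF_INET;
    sa->sin_addr.s_addr = addr ? addr : htonl(INADDR_ANY);
    sa->sin_port = htons((unsigned short)port);
}
```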