Date: Thu, 20 Sep 2012 18:01:43 -0400
From: "Jeff D'Angelo" <jcd@psu.edu>
To: krb5-bugs@mit.edu
Subject: krb5-admin doc update: kdb5_util dump -ov no longer needed for per-princ policy info
>Submitter-Id: net
>Originator: Jeff D'Angelo <jcd@psu.edu>
>Organization: The Pennsylvania State University
>Confidential: no
>Synopsis: krb5-admin doc outdated; `kdb5_util dump -ov` no longer
required for per-princ policy info
>Severity: non-critical
>Priority: low
>Category: krb5-doc
>Class: doc-bug
>Release: suspect affects all between 1.2.2 and 1.10.3, verified
1.10.2
>Environment: suspect all, verified Linux
System: Linux fedorashin 2.6.27.25-78.2.56.fc9.i686 #1 SMP Thu Jun 18
12:47:50 EDT 2009 i686 i686 i386 GNU/Linux
Architecture: i686

>Description:
In doc/krb5-admin.html of the kerberos tarball, section
Dumping-a-Kerberos-Database-to-a-File, the documentation declares
that the only way to preserve per-principal policy information
is to create a second dump file using the -ov switch as well
as a normal default dump with no options; that this "bug" [1]
is still current. Between a review of the code [2], primarily
src/kadmin/dbutil/kdb5_util.c and src/kadmin/dbutil/dump.c,
and experimental dumps and loads on version 1.10.2, it appears
that dump formats "kdb5_util load_dump version 6", the default
since krb5-1.8, and "kdb5_util load_dump version 5", the default
between krb5-1.2.2 and krb5-1.7.2 and available via the -r13
switch in later versions, both contain this per-principal policy
information. Thus I conclude that the documentation has been
out of date since krb5-1.2.2 and should be updated.

>How-To-Repeat:
1) Create or locate a krb5kdc database with some principals
with policies set.
2) Create a "regular" dump file from this database via
`kdb5_util dump <filename>`
3) Create an ovsec_adm_export dump file via `kdb5_util dump -ov
<filename>`
4) Create a new krb5kdc database with `kdb5_util create -s -r
<realm-name>` [3]
5) Load the regular dump file via `kdb5_util load <filename>`
6) Load the ovsec_adm_export dump file via `kdb5_util load
-update <filename>`
7) Examine the new database for per-policy information and
compare to old via:
7a) kadmin: getprinc <principal-name>
and
7b) Perform a dump in every format from the original and new
databases and then run a diff(1) between files of
corresponding format.

Repeat this process from step #2 onward using the -r13, -b7,
-b6 and -old switches to the `kdb5_util dump` command in step #2.

The "bug" [1] was found to be still present in versions -b6 and -b7,
but not in -r13 and the default. No difference was detected
between the database dumps when -r13 and the default (no switch)
formats were used in step #2 [4].

>Fix:
Change the doc/krb5-admin.html documentation to remove these
statements:

> Currently, the only way to preserve per-principal policy information
> is to use this in conjunction with a normal dump.

and

> There is currently a bug where the default dump format omits the
> per-principal policy information. In order to dump all the data contained
> in the Kerberos database, you must perform a normal dump (with no option
> flags) and an additional dump using the "-ov" flag to a different file.

Optional: Include a statement to the effect that this was
corrected in krb5-1.2.2, such as:

> Note: Per-principal policy information was not included in the
> default dump format until krb5-1.2.2 (-r13 and newer).


[1] Referenced in "There is currently a bug where the default
dump format omits the per-principal policy
information." at the end of doc/krb5-admin.html, section
Dumping-a-Kerberos-Database-to-a-File.

[2] From versions krb5-1.2, 1.2.1, 1.2.2, 1.2.3, 1.2.5, 1.2.8, 1.3,
1.7.2, 1.8, 1.10.2, 1.10.3.

[3] In a new folder, or otherwise preserve the old database from
step #1.

[4] Admittedly, I did not set automatic lockout due to failed
attempts on principals in the original database, or else I
would expect a difference in the latest default format when
-r13 was used to transfer it.

--
Jeff
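
The round-trip from the How-To-Repeat steps above, written as an added shell example; it is not code from the ticket or from the krb5 project. It dumps the live database in one format, loads that file into a scratch database, dumps the scratch copy in the same format and diffs the two files (step 7b), after first reporting which `load_dump` version the file declares and whether that is one of the two formats the ticket verified as carrying per-principal policy data. It assumes kdb5_util is on PATH and that its -r, -d, -sf and -P options behave as in krb5 1.10; MASTER_PW, the scratch paths and the EXAMPLE.COM realm are placeholders.

```shell
#!/bin/sh
# Added example (not from the ticket or krb5): automate the dump / load /
# dump / diff round-trip for one dump format and report the declared
# load_dump version. Assumes kdb5_util is in PATH and the script runs on the
# KDC host as a user that can read the live database. MASTER_PW is a
# hypothetical variable holding a master password for the scratch database only.
set -eu

# Print the load_dump version declared on the first line of a dump file,
# e.g. "kdb5_util load_dump version 6" -> "6". Files without such a header
# (for example the -ov / ovsec_adm_export format) yield "unknown".
dump_version() {
    first=$(head -n 1 "$1")
    case "$first" in
        *" load_dump version "*) printf '%s\n' "${first##* }" ;;
        *) printf 'unknown\n' ;;
    esac
}

# Succeed only for the two formats the ticket verified as carrying
# per-principal policy data: version 5 (-r13) and version 6 (default since 1.8).
carries_policy() {
    case "$(dump_version "$1")" in
        5|6) return 0 ;;
        *) return 1 ;;
    esac
}

# Round-trip the live database through a scratch copy and diff the two dumps.
# $1 = dump switch ("" for the default format, or -r13, -b7, -b6, -old),
# $2 = realm name. Returns diff's status: 0 means the format round-trips
# without loss for this database.
roundtrip_check() {
    flag=$1; realm=$2
    work=$(mktemp -d)
    scratch="$work/scratch.db"
    # $flag is deliberately unquoted so an empty value expands to nothing.
    kdb5_util -r "$realm" dump $flag "$work/orig.dump"
    if ! carries_policy "$work/orig.dump"; then
        echo "note: format version $(dump_version "$work/orig.dump") was not verified to carry policy data" >&2
    fi
    # Scratch database and stash live under $work, so the real KDC is untouched.
    kdb5_util -r "$realm" -d "$scratch" -sf "$work/stash" -P "$MASTER_PW" create -s
    kdb5_util -r "$realm" -d "$scratch" -sf "$work/stash" load "$work/orig.dump"
    kdb5_util -r "$realm" -d "$scratch" -sf "$work/stash" dump $flag "$work/copy.dump"
    diff "$work/orig.dump" "$work/copy.dump"
}

# Usage on a KDC host (hypothetical realm), run only when invoked with --run:
#   MASTER_PW=scratch-only-secret ./roundtrip.sh --run EXAMPLE.COM
if [ "${1:-}" = "--run" ]; then
    for f in "" -r13 -b7 -b6; do
        echo "== format: ${f:-default} =="
        roundtrip_check "$f" "$2" || echo "difference detected for ${f:-default}"
    done
fi
```

Running it for each switch reproduces the ticket's comparison in one pass; a non-empty diff for -b6 or -b7 and a clean diff for -r13 and the default is the outcome the report describes.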
Date: Thu, 21 Nov 2013 12:38:28 -0500
From: "Jeff D'Angelo" <jcd@psu.edu>
To: krb5-bugs@mit.edu
Subject: Re: krb5-admin doc update: kdb5_util dump -ov no longer needed for per-princ policy info [krbdev.mit.edu #7365]
It appears that this was resolved in version 1.11 (last affected 1.10.7)
as the krb5-admin document is no longer in the source tarball, at least
not in the form it used to be. I cannot find the statements anywhere in
the tarball since 1.11; doc/html/admin/database.html appears correctly
silent in this regard.

This ticket may be resolved as far as I am concerned. Thanks.

--
Jeff