From d.h.davis@bath.ac.uk Wed Jun 6 12:05:01 2001
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.72.0.53])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id MAA16566
for <bugs@RT-11.mit.edu>; Wed, 6 Jun 2001 12:05:00 -0400 (EDT)
Received: from pat.bath.ac.uk (exim@pat.bath.ac.uk [138.38.32.2])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id MAA14348
for <krb5-bugs@mit.edu>; Wed, 6 Jun 2001 12:05:00 -0400 (EDT)
Received: from ancho.bath.ac.uk
([138.38.52.202] helo=bath.ac.uk ident=jzdziomz1jdnubltices)
by pat.bath.ac.uk with smtp (Exim 3.12 #1)
id 157fnn-0006xe-00
for krb5-bugs@mit.edu; Wed, 06 Jun 2001 17:04:59 +0100
Received: (from ccsdhd@localhost) by ancho.bath.ac.uk id aa13860 ;
6 Jun 2001 17:04 +0100
Message-Id: <200106061704.aa13860@ancho.bath.ac.uk>
Date: Wed, 6 Jun 2001 17:04:58 +0100 (BST)
From: Dennis Davis <D.H.Davis@bath.ac.uk>
Sender: D.H.Davis@bath.ac.uk
Reply-To: Dennis Davis <D.H.Davis@bath.ac.uk>
To: krb5-bugs@mit.edu
Cc: Dennis Davis <D.H.Davis@bath.ac.uk>
Subject: Problems initialising a KerberosV database.
X-Send-Pr-Version: 3.99

>Number: 964
>Category: krb5-admin
>Synopsis: Problems initialising a KerberosV database.
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Jun 6 12:06:01 EDT 2001
>Last-Modified:
>Originator: Dennis Davis
>Organization:
Bath University Computing Services, UK
>Release: krb5-1.2.2
>Environment:

System: OpenBSD ancho.bath.ac.uk 2.8 ANCHO#0 i386


>Description:
I'm trying to set up krb5-1.2.2 on an OpenBSD2.8 system. I've
configured it with:

configure --with-cc=cc --with-ccopts=-O2 --prefix=/kerberosV \
--enable-dns-for-realm --with-krb4 \
--with-tcl=/usr/local --enable-shared

and, with a slight change to the source, it compiles & installs OK.

I have an /etc/krb5.conf of:


[libdefaults]
clockskew = 300
default_realm = BATH.AC.UK
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
krb4_srvtab = /etc/srvtab
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms

[realms]
BATH.AC.UK = {
kdc = ancho.bath.ac.uk:88
admin_server = ancho.bath.ac.uk:749
default_domain = bath.ac.uk
}

[domain_realm]
.bath.ac.uk = BATH.AC.UK

[login]
krb5_get_tickets = true
krb4_get_tickets = true

[kdc]
profile = /kerberosV/var/krb5kdc/kdc.conf

[logging]
kdc = FILE:/kerberosV.logs/krb5kdc.log
admin_server = FILE:/kerberosV.logs/kadmin.log
default = FILE:/kerberosV.logs/kr5lib.log


and a /kerberosV/var/krb5kdc/kdc.conf of:


[kdcdefaults]
kdc_ports = 88,750
v4_mode = nopreauth

[realms]
BATH.AC.UK = {
database_name = /kerberosV/var/krb5kdc/principal
admin_keytab = /kerberosV/var/krb5kdc/kadm5.keytab
acl_file = /kerberosV/var/krb5kdc/kadm5.acl
dict_file = /kerberosV/var/krb5kdc/kadm5.dict
key_stash_file = /kerberosV/var/krb5kdc/.k5.BATH.AC.UK
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
}

[logging]
kdc = FILE:/kerberosV.logs/krb5kdc.log
admin_server = FILE:/kerberosV.logs/kadmin.log
default = FILE:/kerberosV.logs/kr5lib.log


When I create a fresh database with the above, I get:


root) ?// /kerberosV/sbin/kdb5_util create -r BATH.AC.UK -s
Initializing database '/kerberosV/var/krb5kdc/principal' for realm 'BATH.AC.UK',
master key name 'K/M@BATH.AC.UK'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
kdb5_util: No such file or directory while initializing the kerberos context


and when I attempt to edit the database using kadmin.local it
immediately bombs out:


(root) ?// /kerberosV/sbin/kadmin.local
Authenticating as principal root/admin@BATH.AC.UK with password.
kadmin.local: No such file or directory while initializing kadmin.local interface


It seems to me that there is some confusion here. The machine
hasn't recognised that it is the KerberosV server and is expecting
to contact one somewhere else. If I change the master_key_type in
kdc.conf to des-cbc-crc, everything works a treat:


(root) ?// ex kdc.conf
kdc.conf: unmodified: line 23
:15p
master_key_type = des3-hmac-sha1
:s/des3-hmac-sha1/des-cbc-crc
master_key_type = des-cbc-crc
:w
kdc.conf: 23 lines, 827 characters
:q
(root) ?// /kerberosV/sbin/kdb5_util create -r BATH.AC.UK -s
Initializing database '/kerberosV/var/krb5kdc/principal' for realm 'BATH.AC.UK',
master key name 'K/M@BATH.AC.UK'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
(root) ?// /kerberosV/sbin/kadmin.local
Authenticating as principal root/admin@BATH.AC.UK with password.
kadmin.local:


I apologise for the wordiness of the above. I'm trying to explain
as clearly as possible what I'm seeing. It's slightly annoying
not being able to use des3-hmac-sha1 for the master key. However
it's hardly crucial; des-cbc-crc should be good enough, especially
as access to the KerberosV server should be physically and
computationally restricted.

I don't think that this is a problem with the operating system
and/or version of gcc. OpenBSD2.8 uses gcc 2.95.3 as its compiler.
I get similar problems on a Solaris2.5.1 box using gcc 2.8.1.
>How-To-Repeat:
See above.
>Fix:
Use a master key type of des-cbc-crc.
>Audit-Trail:
>Unformatted:
Unable to use a master key type of des3-hmac-sha1.
Surprisingly enough, still a bug, though the error message is less
cryptic these days. Basically the kdb_init_hist() in
lib/kadm5/srv/server_kdb.c expects that the history principal has a key
of the same enctype as the master key, which isn't necessarily the case,
especially where master_key_enctype is not in supported_enctypes. The
process of creating the history principal uses supported_enctypes, just
like all of libkadm5's principal creations do by default.

The creation of the history principal should probably explicitly use the
master key's enctype.
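The check below is an added example, not code from krb5 or from this ticket. It parses a kdc.conf in the krb5 profile format and flags a realm whose master_key_type is absent from supported_enctypes, which is the condition the analysis above identifies: the history principal is created with supported_enctypes, but kdb_init_hist() looks for a key of the master key's enctype. The sample configuration is constructed from the kdc.conf in this report; the "alternative" variant (listing des3-hmac-sha1 in supported_enctypes) is my reading of the analysis, not a workaround the ticket itself gives.

```python
"""Added example (not krb5 code): flag the kdc.conf state that triggers
the failure in this ticket.

Per the maintainer's analysis, kdb_init_hist() in
lib/kadm5/srv/server_kdb.c looks up the history principal's key by the
master key's enctype, while the history principal itself is created
with the realm's supported_enctypes.  A master_key_type that does not
appear in supported_enctypes therefore leaves kdb5_util create and
kadmin.local unable to find that key.
"""


def parse_profile(text):
    """Parse the krb5 profile format: [section] headers, 'name = value'
    relations (repeated relations are kept as a list), and
    'name = {' ... '}' subsections such as the realm stanzas."""
    root, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if not stack and line.startswith("[") and line.endswith("]"):
            section = root.setdefault(line[1:-1].strip(), {})
            continue
        if section is None:                       # relation before any [section]
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        target = stack[-1] if stack else section
        if value == "{":
            stack.append(target.setdefault(key, {}))
        else:
            target.setdefault(key, []).append(value)
    return root


def enctypes_of(values):
    """'des-cbc-crc:normal des-cbc-crc:v4' -> {'des-cbc-crc'}: drop the
    salt type from each enctype:salttype pair."""
    return {item.split(":", 1)[0] for v in values for item in v.split()}


def check_realm(profile, realm):
    """Return (master_key_type, supported enctypes, ok).

    ok is True when the master key enctype is one of supported_enctypes,
    False when it is not (the condition in this ticket), and None when
    either relation is absent and compiled-in defaults would apply."""
    stanza = profile.get("realms", {}).get(realm, {})
    master = stanza.get("master_key_type")
    supported = stanza.get("supported_enctypes")
    if master is None or supported is None:
        return None, set(), None
    master = master[-1]                           # last definition wins
    supported = enctypes_of(supported)
    return master, supported, master in supported


def report(text, realm):
    """Human-readable verdict for one realm of a kdc.conf."""
    master, supported, ok = check_realm(parse_profile(text), realm)
    if ok is None:
        return f"{realm}: master_key_type or supported_enctypes not set; defaults apply"
    verdict = ("OK" if ok else
               "NOT in supported_enctypes; history principal gets no key of the master enctype")
    return f"{realm}: master_key_type {master} vs supported {sorted(supported)}: {verdict}"


# Constructed from the kdc.conf in this report (only the relevant relations).
REPORTED_KDC_CONF = """
[kdcdefaults]
kdc_ports = 88,750
v4_mode = nopreauth

[realms]
BATH.AC.UK = {
database_name = /kerberosV/var/krb5kdc/principal
kadmind_port = 749
master_key_type = des3-hmac-sha1
supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
}

[logging]
kdc = FILE:/kerberosV.logs/krb5kdc.log
"""

# The reporter's workaround: a master key enctype that is already supported.
WORKAROUND_KDC_CONF = REPORTED_KDC_CONF.replace(
    "master_key_type = des3-hmac-sha1", "master_key_type = des-cbc-crc")

# Assumed alternative (my reading of the analysis, not a fix from the
# ticket): keep des3-hmac-sha1 for the master key but list it in
# supported_enctypes so the history principal is created with such a key.
ALTERNATIVE_KDC_CONF = REPORTED_KDC_CONF.replace(
    "supported_enctypes = des-cbc-crc:normal",
    "supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal")

if __name__ == "__main__":
    for name, conf in [("reported", REPORTED_KDC_CONF),
                       ("workaround", WORKAROUND_KDC_CONF),
                       ("alternative", ALTERNATIVE_KDC_CONF)]:
        print(f"{name:12s} {report(conf, 'BATH.AC.UK')}")
```

Run against the reported configuration it prints the NOT verdict for BATH.AC.UK; against either variant it prints OK. Note that kdc_supported_enctypes is deliberately ignored: the analysis says principal creation in libkadm5 goes by supported_enctypes, and that relation in the reported config does list des3-hmac-sha1, which is exactly why the KDC side looked fine while kdb5_util create failed.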
From: tlyu@mit.edu
Subject: CVS Commit
* server_kdb.c (kdb_init_hist): Force history principal's key to
be of the same enctype as the master key, as searches for it later
on explicitly specify the enctype.

To generate a diff of this commit:

cvs diff -r1.77 -r1.78 krb5/src/lib/kadm5/srv/ChangeLog
cvs diff -r1.3 -r1.4 krb5/src/lib/kadm5/srv/server_kdb.c
From: tlyu@mit.edu
Subject: CVS Commit
pullup from trunk

To generate a diff of this commit:

cvs diff -r1.76.2.1 -r1.76.2.2 krb5/src/lib/kadm5/srv/ChangeLog
cvs diff -r1.3 -r1.3.4.1 krb5/src/lib/kadm5/srv/server_kdb.c