[38009] in Kerberos

home help back first fref pref prev next nref lref last post

RE: A problem with kadm5_setkey_principal() using an LDAP backend

daemon@ATHENA.MIT.EDU (Lonigro, Frank A)
Thu Jun 22 11:04:32 2017

From: "Lonigro, Frank A" <franco@bu.edu>
To: Greg Hudson <ghudson@mit.edu>, "kerberos@mit.edu" <kerberos@mit.edu>
Date: Thu, 22 Jun 2017 13:00:57 +0000
Message-ID: <CY4PR03MB2503150F311806DC83FBE868A0DB0@CY4PR03MB2503.namprd03.prod.outlook.com>
In-Reply-To: <42525a0b-1912-f333-85ec-890b96d6281a@mit.edu>
Content-Language: en-US
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Greg,

This fixed the problem.  Thanks again for getting back to me.

-Frank

# diff -c /home/frank/rpmbuild/BUILD/krb5-1.10.3/src/lib/kadm5/srv/svr_principal.c.orig /home/frank/rpmbuild/BUILD/krb5-1.10.3/src/lib/kadm5/srv/svr_principal.c
*** /home/frank/rpmbuild/BUILD/krb5-1.10.3/src/lib/kadm5/srv/svr_principal.c.orig        2012-08-08 18:27:56.000000000 -0400
--- /home/frank/rpmbuild/BUILD/krb5-1.10.3/src/lib/kadm5/srv/svr_principal.c      2017-06-21 13:50:58.000000000 -0400
***************
*** 2058,2063 ****
--- 2058,2067 ----
      /* unlock principal on this KDC */
      kdb->fail_auth_count = 0;

+     /* key data changed, let the database provider know */
+     kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT; /* Fix for LDAP backend */
+     /* | KADM5_RANDKEY_USED */;
+
      if ((ret = kdb_put_entry(handle, kdb, &adb)))
          goto done;


-----Original Message-----
From: Greg Hudson [mailto:ghudson@mit.edu] 
Sent: Monday, June 19, 2017 11:49 AM
To: Lonigro, Frank A <franco@bu.edu>; kerberos@mit.edu
Subject: Re: A problem with kadm5_setkey_principal() using an LDAP backend

On 06/19/2017 10:13 AM, Lonigro, Frank A wrote:
> We have an application that uses kadm5_setkey_principal() to set the key for a Kerberos account.  This application works fine on a KDC with a BDB backend, but fails to set the key on a KDC with an LDAP backend.
[...]
> Is this a known issue?

This was not a known issue, but I believe I can see the problem in the code.  In kadm5_randkey_principal_3(), there is a statement:

    kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT;

which lets the KDB provider know what fields it should put into the database.  There is no corresponding statement in kadm5_setkey_principal_3().  The BDB KDB module doesn't care about the mask (it just serializes the whole principal entry no matter what), but the LDAP KDB module uses it to determine which attributes to change.

If you are prepared to rebuild the code, adding an identical kdb->mask assignment to kadm5_setkey_principal_3() just before the call to
kdb_put_entry() should fix your issue.  (In the master branch, the assignment would go in kadm5_setkey_principal_4().)

I will open a ticket for this bug.  Although I think the fix is trivial, testing it is not, so it may take me a bit to submit a PR.  As we only support releases for two years, we are only likely to backport the bugfix to 1.15 and 1.14 patch releases.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post