[24390] in Kerberos
Problem with libkadm5clnt.so after upgrade to 1.4.1
daemon@ATHENA.MIT.EDU (Utente amministrativo)
Tue Aug 2 08:29:02 2005
Date: Tue, 2 Aug 2005 13:33:08 +0200
From: Utente amministrativo <admin@betty.dei.unipd.it>
To: kerberos@mit.edu
Message-ID: <20050802113308.GA26818@betty.dei.unipd.it>
Hello,
we use LDAP+KERBEROS, and after upgrading from 1.4 to 1.4.1
my scripts for user creation/change don't work anymore.
They are based on the 'kadmin' utility or the Perl module Authen::Krb5::Admin
for remote management of the Kerberos and LDAP DBs.
As user/admin@REALM I usually do only
'kinit user/admin@REALM'
to get LDAP and Kerberos admin access.
All scripts then use the KRB5CCNAME file.
Symptoms are that 'kadmin -c $KRB5CCNAME -q ...' or Authen::Krb5::Admin->init_with_creds
refuse to try to use existing krbtgt/REALM@REALM to get the mandatory
kadmin/krbserver.domain@REALM service ticket.
If I do a 'kinit -s kadmin/admin user/admin' it works but
then I can't use that service ticket to access LDAP.
Replacing libkadm5clnt.so with the previous 1.4 version fixes it,
and after a run of init_with_creds my cache file correctly contains:
08/02/05 12:56:20 08/03/05 12:56:20 krbtgt/REALM@REALM
08/02/05 12:56:28 08/03/05 12:56:20 kadmin/krbserver.domain@REALM
08/02/05 12:56:28 08/03/05 12:56:20 ldap/krbserver.domain@REALM
The sources' ChangeLog file helped me concentrate on
krb5-1.4.1/src/lib/kadm5/clnt/client_init.c
After some deep investigation with DDD (you know, it's summertime
and sysadmins have a lot of spare time ;)
it seems that the section starting from line 434:
    code = kadm5_gic_iter(handle, init_type, ccache,
                          client, pass, svcname, realm,
                          full_svcname, full_svcname_len);
    if ((code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
         || code == KRB5_CC_NOTFOUND) && svcname_in == NULL) {
        /* Retry with old host-independent service principal. */
        code = kadm5_gic_iter(handle, init_type, ccache,
                              client, pass,
                              KADM5_ADMIN_SERVICE, realm,
                              full_svcname, full_svcname_len);
    }
checks only for an existing kadmin/fqdn@REALM or (fallback) kadmin/admin@REALM ticket
and obviously returns an error. The embarrassing thing is that if I create
a cache with the 1.4 libkadm5clnt.so, it is gladly accepted by the 1.4.1 libkadm5clnt.so.
I am not a kerberos guru so there could be something wrong
in my configuration or in my way of understanding Kerberos philosophy.
Any feedback will be appreciated.
Regards
Valerio Pulese
-- admin@dei.unipd.it
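The lookup order described in the post (host-specific kadmin/fqdn@REALM first, then kadmin/admin@REALM, and a failure when neither is already in the cache even though a TGT is), as an added example that is not part of the original post and not code from MIT Kerberos. It parses a klist-style listing and decides what a wrapper around 'kadmin -c $KRB5CCNAME' should do before calling it. The host name krbserver.domain and the realm REALM are taken from the post; the two cache listings are constructed for the example, and the suggestion to prefetch the service ticket through the TGT with MIT's kvno(1) is this example's own assumption, not something the post proposes.

```shell
#!/bin/sh
# Constructed klist-style listing (not a real capture) holding the three
# tickets the post shows after a successful 1.4 init_with_creds.
SAMPLE_FULL='Ticket cache: FILE:/tmp/krb5cc_example
Default principal: user/admin@REALM

Valid starting     Expires            Service principal
08/02/05 12:56:20  08/03/05 12:56:20  krbtgt/REALM@REALM
08/02/05 12:56:28  08/03/05 12:56:20  kadmin/krbserver.domain@REALM
08/02/05 12:56:28  08/03/05 12:56:20  ldap/krbserver.domain@REALM'

# Same cache right after a plain "kinit user/admin@REALM": only the TGT.
SAMPLE_TGT_ONLY='Ticket cache: FILE:/tmp/krb5cc_example
Default principal: user/admin@REALM

Valid starting     Expires            Service principal
08/02/05 12:56:20  08/03/05 12:56:20  krbtgt/REALM@REALM'

# has_ticket LISTING PRINCIPAL: succeed if PRINCIPAL is listed as a service
# principal (fifth whitespace-separated field of a ticket line).
has_ticket() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF >= 5 && $5 == want { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# pick_kadmin_service LISTING HOST REALM: the lookup order of the quoted
# 1.4.1 code, host-specific kadmin/HOST@REALM first, then the old
# host-independent kadmin/admin@REALM. Prints the first one already cached;
# fails when neither is, which is where the post's scripts stop.
pick_kadmin_service() {
    for svc in "kadmin/$2@$3" "kadmin/admin@$3"; do
        if has_ticket "$1" "$svc"; then
            printf '%s\n' "$svc"
            return 0
        fi
    done
    return 1
}

# kadmin_prep_action LISTING HOST REALM: decide what a wrapper around
# "kadmin -c $KRB5CCNAME" should do before calling it.
#   use:<svc>     a kadmin service ticket is cached, go ahead
#   fetch:<svc>   only the TGT is cached; obtain the ticket through it first,
#                 e.g. with MIT's kvno(1): kvno "kadmin/$HOST@$REALM"
#                 (the kvno step is this example's assumption, not the post's)
#   kinit-needed  no TGT either (exit status 1)
kadmin_prep_action() {
    if svc=$(pick_kadmin_service "$1" "$2" "$3"); then
        printf 'use:%s\n' "$svc"
    elif has_ticket "$1" "krbtgt/$3@$3"; then
        printf 'fetch:kadmin/%s@%s\n' "$2" "$3"
    else
        printf 'kinit-needed\n'
        return 1
    fi
}

# Stand-alone demonstration with the two caches from the post.
kadmin_prep_action "$SAMPLE_FULL" krbserver.domain REALM
kadmin_prep_action "$SAMPLE_TGT_ONLY" krbserver.domain REALM || true
```

With a real cache, the listing would come from 'klist -c "$KRB5CCNAME"'; the second constructed cache is exactly the state the post describes (TGT present, no kadmin ticket), and it is the case where the 1.4.1 client returns KRB5_CC_NOTFOUND instead of using the TGT.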
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos