[24390] in Kerberos


Problem with libkadm5clnt.so after upgrade to 1.4.1

daemon@ATHENA.MIT.EDU (Utente amministrativo)
Tue Aug 2 08:29:02 2005

Date: Tue, 2 Aug 2005 13:33:08 +0200
From: Utente amministrativo <admin@betty.dei.unipd.it>
To: kerberos@mit.edu
Message-ID: <20050802113308.GA26818@betty.dei.unipd.it>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Errors-To: kerberos-bounces@mit.edu

Hello,
we use LDAP+KERBEROS and after upgrading from 1.4 to 1.4.1
my scripts for user creation/change don't work anymore.
They are based on 'kadmin' utility or perl module Authen::Krb5::Admin 
for remote management on the kerberos and LDAP db.
As user/admin@REALM I am used to doing only
'kinit user/admin@REALM' 
to grant me LDAP and KERBEROS admin access.
All scripts then use the KRB5CCNAME file.
Symptoms are that 'kadmin -c $KRB5CCNAME -q ...' or Authen::Krb5::Admin->init_with_creds
refuse to try to use existing krbtgt/REALM@REALM to get the mandatory 
kadmin/krbserver.domain@REALM service ticket.
If I do a 'kinit -s kadmin/admin user/admin' it works but
then I can't use that service ticket to access LDAP.
Replacing libkadm5clnt.so with the previous 1.4 version fixes it
and after a run of init_with_creds my cache file correctly contains:
08/02/05 12:56:20  08/03/05 12:56:20  krbtgt/REALM@REALM
08/02/05 12:56:28  08/03/05 12:56:20  kadmin/krbserver.domain@REALM
08/02/05 12:56:28  08/03/05 12:56:20  ldap/krbserver.domain@REALM

Sources' Changelog file helps me to concentrate on
krb5-1.4.1/src/lib/kadm5/clnt/client_init.c
After some deep investigation with DDD (you know, it's summertime
and sysadmins have a lot of spare time ;)
it seems that the section starting from line 434:
     code = kadm5_gic_iter(handle, init_type, ccache,
                           client, pass, svcname, realm,
                           full_svcname, full_svcname_len);
     if ((code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
          || code == KRB5_CC_NOTFOUND) && svcname_in == NULL) {
          /* Retry with old host-independent service principal. */
          code = kadm5_gic_iter(handle, init_type, ccache,
                                client, pass,
                                KADM5_ADMIN_SERVICE, realm,
                                full_svcname, full_svcname_len);
     }

checks only for an existing kadmin/fqdn@REALM or (fallback) kadmin/admin@REALM
and obviously returns an error. The embarrassing thing is that if I create
a cache with the 1.4 libkadm5clnt.so it is gladly accepted by the 1.4.1 libkadm5clnt.so.
I am not a kerberos guru so there could be something wrong
in my configuration or in my way of understanding Kerberos philosophy.

Any feedback will be appreciated.

    Regards 
        Valerio Pulese


--		admin@dei.unipd.it
--
-
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
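A small diagnostic that models the lookup order described in the post (host-specific kadmin/<fqdn>@REALM first, then the kadmin/admin@REALM fallback) against klist-style cache listings like the one quoted above. This is an added example, not code from MIT krb5 or from the poster; the sample listing is constructed from the lines in the message, and the realm and admin-server host names are assumptions.

```python
"""Check a credential-cache listing for the tickets the kadm5 client looks for.

Added example (not MIT krb5 code). It parses klist-style credential lines and
reports which service ticket the 1.4.1-style lookup order would find, and
whether a krbtgt is present so an older client could obtain one itself.
"""
import re

# Constructed sample: the cache contents the poster showed after running
# init_with_creds with the 1.4 library (TGT, kadmin service, ldap service).
CACHE_LISTING = """\
08/02/05 12:56:20  08/03/05 12:56:20  krbtgt/REALM@REALM
08/02/05 12:56:28  08/03/05 12:56:20  kadmin/krbserver.domain@REALM
08/02/05 12:56:28  08/03/05 12:56:20  ldap/krbserver.domain@REALM
"""

# valid-from, expires, service principal (whitespace-separated as klist prints)
LINE_RE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(\S+)$")


def parse_listing(text):
    """Return the service principals named in klist-style credential lines."""
    principals = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            principals.append(m.group(3))
    return principals


def find_admin_ticket(principals, realm, admin_host=None):
    """Mimic the order from client_init.c: kadmin/<fqdn>@REALM first, then the
    host-independent kadmin/admin@REALM. Returns the principal found, or None
    (the case in which the poster's scripts fail with 1.4.1)."""
    candidates = []
    if admin_host:
        candidates.append(f"kadmin/{admin_host}@{realm}")
    candidates.append(f"kadmin/admin@{realm}")
    for cand in candidates:
        if cand in principals:
            return cand
    return None


def has_tgt(principals, realm):
    """True if a TGT is cached, i.e. a client could request the service ticket."""
    return f"krbtgt/{realm}@{realm}" in principals


if __name__ == "__main__":
    found = parse_listing(CACHE_LISTING)
    print("admin ticket:", find_admin_ticket(found, "REALM", "krbserver.domain"))
    print("tgt present:", has_tgt(found, "REALM"))
```

With only the krbtgt entry in the cache (the state right after `kinit user/admin@REALM`), `find_admin_ticket` returns None, which matches the failure the post describes.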
