[24434] in Kerberos

home help back first fref pref prev next nref lref last post

Re: Problem with libkadm5clnt.so after upgrade to 1.4.1

daemon@ATHENA.MIT.EDU (Utente amministrativo)
Wed Aug 10 15:20:28 2005

Date: Wed, 10 Aug 2005 01:53:53 +0200
From: Utente amministrativo <admin@bella.dei.unipd.it>
To: Tom Yu <tlyu@mit.edu>
Message-ID: <20050809235353.GA3707@bella.dei.unipd.it>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <ldv3bpki6tq.fsf@cathode-dark-space.mit.edu>
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu

Hi

On Mon, Aug 08, 2005 at 03:09:37PM -0400, Tom Yu wrote:
> >>>>> "admin" == Utente amministrativo <admin@betty.dei.unipd.it> writes:
> 
> admin> we use LDAP+KERBEROS and after upgrading from 1.4 to 1.4.1 
> admin> my scripts for users creation/change don't work anymore.
> admin> They are based on 'kadmin' utility or perl module Authen::Krb5::Admin 
> admin> for remote management on the kerberos and LDAP db.
> admin> As user/admin@REALM I am used to do only
> admin> 'kinit user/admin@REALM' 
> admin> to grant me LDAP and KERBEROS admin access.
> admin> All scripts then use the KRB5CCNAME file.
> admin> Symptoms are that 'kadmin -c $KRB5CCNAME -q ...' or Authen::Krb5::Admin->init_with_creds
> admin> refuse to try to use existing krbtgt/REALM@REALM to get the mandatory 
> admin> kadmin/krbserver.domain@REALM service ticket.
> 
> Could you please quote the exact error you get?

"Authenticating as principal user/admin@REALM with existing credentials.
 kadmin: Matching credential not found while initializing kadmin interface"

> admin> If I do a 'kinit -s kadmin/admin user/admin' it works but
> admin> then I can't use that service ticket to access LDAP.
> 
> I believe that using "kinit -s kadmin/admin user/admin" is the only
> way that's documented to work.  

It seems to me that when I connect with LDAP through GSSAPI 
I don't need a ticket for a particular service but only a user/admin
principal.
When I am authenticated as user/admin in a REALM it should be enough.
Policies and ACLs complete the security scheme.
Correct me if I am wrong but I believe that this is the way
ticket-granting tickets work.
However a future workaround would be to store differentservices tickets 
in two separate files:
one for LDAP and the other for KRB5 managing. 

> admin> Replacing libkadm5clnt.so with previuos 1.4 version fixes it
> admin> and after a run of init_with_creds my cache file correctly contains:
> admin> 08/02/05 12:56:20  08/03/05 12:56:20  krbtgt/REALM@REALM
> admin> 08/02/05 12:56:28  08/03/05 12:56:20  kadmin/krbserver.domain@REALM
> admin> 08/02/05 12:56:28  08/03/05 12:56:20  ldap/krbserver.domain@REALM
> 
> Your ability to get a kadmin/krbserver.domain@REALM ticket using a TGT
> indicates that your kadmin/krbserver.domain principal doesn't have the
> DISALLOW_TGT_BASED flag set, which should typically be the case for
> kadmin-related principals.
> 
> ---Tom

'getprinc kadmin/admin' says:
[...]
Attributes: DISALLOW_TGT_BASED
Policy: [none]

When things started not working I firstly try unsetting 
that flag (after reading krb5 API docs) but it
didn't fix the problem so I set it again to the default value.

Thanks in advance

	Valerio Pulese

-- 
--
--		admin@dei.unipd.it
--
-
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post