[24434] in Kerberos
Re: Problem with libkadm5clnt.so after upgrade to 1.4.1
daemon@ATHENA.MIT.EDU (Utente amministrativo)
Wed Aug 10 15:20:28 2005
Date: Wed, 10 Aug 2005 01:53:53 +0200
From: Utente amministrativo <admin@bella.dei.unipd.it>
To: Tom Yu <tlyu@mit.edu>
Message-ID: <20050809235353.GA3707@bella.dei.unipd.it>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <ldv3bpki6tq.fsf@cathode-dark-space.mit.edu>
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
Hi
On Mon, Aug 08, 2005 at 03:09:37PM -0400, Tom Yu wrote:
> >>>>> "admin" == Utente amministrativo <admin@betty.dei.unipd.it> writes:
>
> admin> we use LDAP+KERBEROS and after upgrading from 1.4 to 1.4.1
> admin> my scripts for users creation/change don't work anymore.
> admin> They are based on 'kadmin' utility or perl module Authen::Krb5::Admin
> admin> for remote management on the kerberos and LDAP db.
> admin> As user/admin@REALM I am used to do only
> admin> 'kinit user/admin@REALM'
> admin> to grant me LDAP and KERBEROS admin access.
> admin> All scripts then use the KRB5CCNAME file.
> admin> Symptoms are that 'kadmin -c $KRB5CCNAME -q ...' or Authen::Krb5::Admin->init_with_creds
> admin> refuse to try to use existing krbtgt/REALM@REALM to get the mandatory
> admin> kadmin/krbserver.domain@REALM service ticket.
>
> Could you please quote the exact error you get?
"Authenticating as principal user/admin@REALM with existing credentials.
kadmin: Matching credential not found while initializing kadmin interface"
> admin> If I do a 'kinit -s kadmin/admin user/admin' it works but
> admin> then I can't use that service ticket to access LDAP.
>
> I believe that using "kinit -s kadmin/admin user/admin" is the only
> way that's documented to work.
It seems to me that when I connect with LDAP through GSSAPI
I don't need a ticket for a particular service but only a user/admin
principal.
When I am authenticated as user/admin in a REALM it should be enough.
Policies and ACLs complete the security scheme.
Correct me if I am wrong but I believe that this is the way
ticket-granting tickets work.
However a future workaround would be to store differentservices tickets
in two separate files:
one for LDAP and the other for KRB5 managing.
> admin> Replacing libkadm5clnt.so with previuos 1.4 version fixes it
> admin> and after a run of init_with_creds my cache file correctly contains:
> admin> 08/02/05 12:56:20 08/03/05 12:56:20 krbtgt/REALM@REALM
> admin> 08/02/05 12:56:28 08/03/05 12:56:20 kadmin/krbserver.domain@REALM
> admin> 08/02/05 12:56:28 08/03/05 12:56:20 ldap/krbserver.domain@REALM
>
> Your ability to get a kadmin/krbserver.domain@REALM ticket using a TGT
> indicates that your kadmin/krbserver.domain principal doesn't have the
> DISALLOW_TGT_BASED flag set, which should typically be the case for
> kadmin-related principals.
>
> ---Tom
'getprinc kadmin/admin' says:
[...]
Attributes: DISALLOW_TGT_BASED
Policy: [none]
When things started not working I firstly try unsetting
that flag (after reading krb5 API docs) but it
didn't fix the problem so I set it again to the default value.
Thanks in advance
Valerio Pulese
--
--
-- admin@dei.unipd.it
--
-
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos