[24438] in Kerberos
Re: What is 'flavor'?
daemon@ATHENA.MIT.EDU (Mike Friedman)
Wed Aug 10 16:09:20 2005
Date: Wed, 10 Aug 2005 13:05:49 -0700 (PDT)
From: Mike Friedman <mikef@ack.berkeley.edu>
To: Tom Yu <tlyu@mit.edu>
In-Reply-To: <ldvek928rzf.fsf@cathode-dark-space.mit.edu>
Message-ID: <20050810125200.H8723@malcolm.berkeley.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 9 Aug 2005 at 22:07 (-0400), Tom Yu wrote:
>>>>>> "mikef" == Mike Friedman <mikef@ack.berkeley.edu> writes:
>
> mikef> o Is this information, in particular the meaning of specific flavor
> mikef> values, documented?
>
> mikef> So far, I've seen the following values for 'flavor': 6 and
> mikef> 300001. The former corresponds to an interactive kadmin
> mikef> authentication; the latter to a kadmin using a keytab. But thus far
> mikef> I have no further information, so I'm hoping someone can enlighten me.
>
> 6 is RPCSEC_GSS, which is the IETF standards-track authentication
> flavor for using GSSAPI in RPC. 300001 would be the AUTH_GSSAPI
> flavor developed by OpenVision, which is not standards-track. See
> RFCs 1831, 1832, 2203, etc. for details.
>
> I'm not quite sure why you're seeing 300001 when using a keytab.
> Exactly how are you invoking kadmin using a keytab? And which release
> are you running on the kadmin client? RPCSEC_GSS (flavor 6) should
> be used in preference to 300001 by modern MIT krb5.

Tom,

Actually I misspoke a bit. What I have is my own code, based on code in
kadmin, that does a password change. (FWIW, although the client now has
1.3.4 installed, this code was, I believe, compiled with an older release
of MIT K5, possibly as far back as 2001).

Here's the admin authentication piece of the code:

    /* Initialize the kadm5 connection, using the supplied keytab */
    retval = kadm5_init_with_skey(
                 admin_princstr,
                 keytab_name,
                 KADM5_ADMIN_SERVICE,
                 &params,
                 KADM5_STRUCT_VERSION,
                 KADM5_API_VERSION_2,
                 &handle);
    if (retval) {
        com_err(whoami, retval, "while initializing %s interface", whoami);
        if (handle)
            kadm5_destroy(handle);
        exit(retval);
    }

Followed a bit later by this:

    /* Now try the passphrase change */
    retval = kadm5_chpass_principal(handle, princ, passphrase);
    krb5_free_principal(context, princ);
    if (retval) {
        com_err(whoami, retval,
                "while changing passphrase for \"%s\".", canon);
        rcode = retval;
    }
    else
        printf("Password for \"%s\" changed.\n", canon);

Mike
_____________________________________________________________________
Mike Friedman System and Network Security
mikef@ack.Berkeley.EDU 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://ack.Berkeley.EDU/~mikef http://security.berkeley.edu
_____________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQA/AwUBQvpeIa0bf1iNr4mCEQLMZwCgh4vOOnK9wfOG5lIN8tv1YMEZiKcAni3l
3OtOduTan5LiIDpSdx0PERG4
=em9m
-----END PGP SIGNATURE-----
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
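
Added example (not part of the original message and not MIT krb5 code): where the 'flavor' number discussed in this thread sits in an ONC RPC version 2 call header, and how to pull it out of a captured call to tell flavor 6 from 300001. The function names and the sample bytes are constructed for illustration; the layout assumed is the RFC 1831 call header with any TCP record-marking word already stripped.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 6 is RFC 2203's RPCSEC_GSS; 300001 is the AUTH_GSSAPI value named in the thread. */
enum { RPCSEC_GSS = 6, AUTH_GSSAPI = 300001 };

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Header words: xid, msg_type, rpcvers, prog, vers, proc, cred flavor, cred length.
 * Returns 0 and stores the credential flavor, or -1 if buf is not a valid v2 CALL. */
int rpc_call_cred_flavor(const unsigned char *buf, size_t len, uint32_t *flavor) {
    if (len < 32) return -1;
    if (be32(buf + 4) != 0) return -1;      /* msg_type 0 = CALL */
    if (be32(buf + 8) != 2) return -1;      /* RPC protocol version 2 */
    uint32_t cred_len = be32(buf + 28);
    if (cred_len > 400) return -1;          /* opaque_auth body is capped at 400 bytes */
    size_t padded = ((size_t)cred_len + 3) & ~(size_t)3;  /* XDR pads to 4 bytes */
    if (len - 32 < padded + 8) return -1;   /* verifier flavor + length must follow */
    *flavor = be32(buf + 24);
    return 0;
}

const char *flavor_name(uint32_t f) {
    switch (f) {
    case RPCSEC_GSS:  return "RPCSEC_GSS (standards-track)";
    case AUTH_GSSAPI: return "AUTH_GSSAPI (OpenVision, not standards-track)";
    default:          return "other";
    }
}

/* Constructed sample headers; program, version and procedure are made-up values. */
const unsigned char sample_gss[44] = {
    0,0,0,1, 0,0,0,0, 0,0,0,2, 0x20,0,0,0, 0,0,0,1, 0,0,0,0,
    0,0,0,6, 0,0,0,4, 0xde,0xad,0xbe,0xef, 0,0,0,0, 0,0,0,0 };
const unsigned char sample_ov[40] = {
    0,0,0,2, 0,0,0,0, 0,0,0,2, 0x20,0,0,0, 0,0,0,1, 0,0,0,0,
    0,0x04,0x93,0xe1, 0,0,0,0, 0,0,0,0, 0,0,0,0 };

int main(void) {
    uint32_t f;
    if (rpc_call_cred_flavor(sample_gss, sizeof sample_gss, &f) == 0)
        printf("%u -> %s\n", (unsigned)f, flavor_name(f));
    if (rpc_call_cred_flavor(sample_ov, sizeof sample_ov, &f) == 0)
        printf("%u -> %s\n", (unsigned)f, flavor_name(f));
    return 0;
}
```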