[32418] in Kerberos
Re: kadmin.local "ank -randkey" ignores kdc.conf's
daemon@ATHENA.MIT.EDU (Tom Yu)
Thu Jun 3 16:21:48 2010
To: Marcus Watts <mdw@umich.edu>
From: Tom Yu <tlyu@mit.edu>
Date: Thu, 03 Jun 2010 16:21:43 -0400
In-Reply-To: <E1OKFYT-0008JQ-NI@bruson.ifs.umich.edu> (Marcus Watts's message
of "Thu, 03 Jun 2010 14:54:13 -0400")
Message-ID: <ldvy6evg948.fsf@cathode-dark-space.mit.edu>
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Marcus Watts <mdw@umich.edu> writes:
>> Date: Thu, 03 Jun 2010 14:23:14 EDT
>> To: Adam Megacz <megacz@cs.berkeley.edu>
>> cc: "kerberos@mit.edu" <kerberos@MIT.EDU>
>> From: Greg Hudson <ghudson@MIT.EDU>
>> Subject: Re: kadmin.local "ank -randkey" ignores kdc.conf's default_principal_flags?
>>
>> On Wed, 2010-06-02 at 23:43 -0400, Adam Megacz wrote:
>> > Related to my previous posting, I find that even though I have
>> >
>> > default_principal_flags = +preauth
>> >
>> > in kdc.conf, when I use kadmin.local's "ank -randkey" command to create
>> > a service principal, the principal is created with no attributes.
>>
>> This is a known bug; it was fixed in 1.7.1 and 1.8.
>
> ... and here's a previous message I posted to this list which
> is unobviously relevant here:
> http://www.mail-archive.com/kerberos@mit.edu/msg15880.html
In older releases, "ank -randkey" has three phases. The first phase
creates the principal with all tickets disabled and with a fixed
password. To do so, it sets a bit in the request attribute mask sent
to the server, indicating that the kadmin client is overriding the
default principal flags (which normally get filled in by the server if
the client didn't indicate that it was going to override them). Phase
two is a "randkey" operation, and phase three is to clear the
"DISALLOW_ALL_TIX" flag. If you didn't explicitly specify any
principal flags in the client, that means no principal flags are set
when "ank -randkey" is finished.
This has since been fixed, as Greg said.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
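The three-phase sequence Tom describes, modelled in Python as an added example (this is not code from the thread or from MIT krb5): a toy server that applies kdc.conf's default_principal_flags only when the client has not claimed the attributes field, the old client's create / randkey / clear-DISALLOW_ALL_TIX sequence run against it, and a parser for `getprinc` output so an administrator can audit an existing database for principals that were created without the flags the KDC should have defaulted. The attribute bits and the KADM5_ATTRIBUTES mask bit are named as in MIT krb5's kdb.h and kadm5/admin.h; their numeric values are assumed to match those headers, and the `getprinc` text below is constructed, not captured from a real KDC.

```python
import re

# Attribute bits from MIT krb5's kdb.h and the KADM5_ATTRIBUTES request-mask bit
# from kadm5/admin.h; the numeric values are assumed to match those headers.
KRB5_KDB_DISALLOW_ALL_TIX = 0x00000040
KRB5_KDB_REQUIRES_PRE_AUTH = 0x00000080   # the bit "+preauth" sets
KADM5_ATTRIBUTES = 0x000010               # "client supplies the attributes field"

FLAG_NAMES = {
    KRB5_KDB_DISALLOW_ALL_TIX: "DISALLOW_ALL_TIX",
    KRB5_KDB_REQUIRES_PRE_AUTH: "REQUIRES_PRE_AUTH",
}
NAME_TO_FLAG = {v: k for k, v in FLAG_NAMES.items()}


def server_create_principal(db, name, attrs, mask, default_principal_flags):
    """Toy server side of create_principal: kdc.conf's default_principal_flags
    are applied only when the client did not claim the attributes field."""
    if name in db:
        raise KeyError(f"{name} already exists")
    db[name] = attrs if mask & KADM5_ATTRIBUTES else default_principal_flags


def server_modify_principal(db, name, attrs, mask):
    """Toy server side of modify_principal: a claimed attributes field replaces
    whatever the entry had before."""
    if mask & KADM5_ATTRIBUTES:
        db[name] = attrs


def old_ank_randkey(db, name, default_principal_flags, explicit_flags=0):
    """The three phases of 'ank -randkey' in the older clients described in the
    message. Returns the attribute bitmask the principal is left with."""
    # Phase 1: create with all tickets disabled (the fixed password is not
    # modelled). Claiming KADM5_ATTRIBUTES tells the server not to fill in its
    # defaults, so only the bits the client sends are stored.
    server_create_principal(db, name, explicit_flags | KRB5_KDB_DISALLOW_ALL_TIX,
                            KADM5_ATTRIBUTES, default_principal_flags)
    # Phase 2: randkey changes keys only; attributes are untouched.
    # Phase 3: clear DISALLOW_ALL_TIX. Only the bits claimed in phase 1 survive,
    # so with no explicit flags the principal ends up with none at all.
    server_modify_principal(db, name, db[name] & ~KRB5_KDB_DISALLOW_ALL_TIX,
                            KADM5_ATTRIBUTES)
    return db[name]


def plain_ank(db, name, default_principal_flags):
    """'ank' with a password: nothing is claimed, so the server's defaults apply."""
    server_create_principal(db, name, 0, 0, default_principal_flags)
    return db[name]


def parse_getprinc(text):
    """Parse the 'Principal:' and 'Attributes:' lines of kadmin getprinc output
    into {principal: attribute_bitmask}. Attribute names not in FLAG_NAMES are
    ignored rather than rejected."""
    result, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Principal:\s*(\S+)", line)
        if m:
            current = m.group(1)
            result[current] = 0
            continue
        m = re.match(r"\s*Attributes:\s*(.*)", line)
        if m and current is not None:
            for word in m.group(1).split():
                result[current] |= NAME_TO_FLAG.get(word, 0)
    return result


def principals_missing(attrs_by_princ, required):
    """Audit: principals lacking any of the bits in `required`, sorted by name."""
    return sorted(p for p, a in attrs_by_princ.items() if a & required != required)


# Constructed getprinc output for two principals (not captured from a real KDC):
# the service principal shows the empty Attributes: line the old client leaves.
SAMPLE_GETPRINC = """\
Principal: host/old.example.com@EXAMPLE.COM
Expiration date: [never]
Attributes:
Policy: [none]
Principal: alice@EXAMPLE.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
"""

if __name__ == "__main__":
    db = {}
    defaults = KRB5_KDB_REQUIRES_PRE_AUTH  # default_principal_flags = +preauth
    old_ank_randkey(db, "host/svc.example.com@EXAMPLE.COM", defaults)
    plain_ank(db, "alice@EXAMPLE.COM", defaults)
    for p, a in db.items():
        print(p, "->", " ".join(n for b, n in FLAG_NAMES.items() if a & b) or "(none)")
    print("missing preauth:", principals_missing(parse_getprinc(SAMPLE_GETPRINC),
                                                 KRB5_KDB_REQUIRES_PRE_AUTH))
```

Running the model shows the service principal created through `old_ank_randkey` ending with no attributes while the password-created one carries REQUIRES_PRE_AUTH. On a real KDC the same audit can be fed the output of `kadmin.local -q 'getprinc <name>'` for each principal, which is the quickest way to find service principals that were created with an affected release and still need their flags corrected.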