[36139] in Kerberos
Problems parsing old krbPrincipalKey attributes from LDAP backend
daemon@ATHENA.MIT.EDU (Frank Steinberg)
Tue May 20 09:56:31 2014
From: Frank Steinberg <steinberg@ibr.cs.tu-bs.de>
Date: Tue, 20 May 2014 15:56:04 +0200
To: kerberos@mit.edu
Message-Id: <F8ED6DEB-1BB5-4F55-B947-795E593F9BA7@ibr.cs.tu-bs.de>
Hi,
I have been using MIT Kerberos with an LDAP backend on Ubuntu Linux systems for some years now. During an update from 1.10.x to 1.12.x I'm observing some trouble:

1. It seems like the LDAP backend now requires the krbRealmContainer objects to be under an object of class krbContainer. Formerly it was happily working under an "ou=kerberos" node. However, it is feasible to change my LDAP structure in this way, so this is not really a problem.

2. What really causes me headaches is that some krbPrincipalKeys can no longer be parsed. They trigger errors like "unable to decode stored principal key data (ASN.1 structure is missing a required field) while retrieving "{anonymized}@IBR.CS.TU-BS.DE"". It seems like this happens only for keys that have not been changed for quite some time: I asked a user who had a key that caused this error to change his password using an older 1.10-based kadmind. Afterwards the new 1.12.x-based programs were able to parse it.

So far, I found out that this ASN1_MISSING_FIELD is triggered in lib/krb5/asn.1/asn1_encode.c:omit_atype().

kadmin.local gives this getprinc output for working and non-working principals on 1.10 and 1.12:
WORKING on 1.10:
Number of keys: 8
Key: vno 92, aes256-cts-hmac-sha1-96, Version 5
Key: vno 92, arcfour-hmac, Version 5
Key: vno 92, des3-cbc-sha1, Version 5
Key: vno 92, des-cbc-crc, Version 5
Key: vno 92, des-cbc-md5, Version 4
Key: vno 92, des-cbc-md5, Version 5 - No Realm
Key: vno 92, des-cbc-md5, Version 5 - Realm Only
Key: vno 92, des-cbc-md5, AFS version 3
MKey: vno 1
NOT WORKING on 1.10:
Number of keys: 8
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, arcfour-hmac, no salt
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, des-cbc-crc, no salt
Key: vno 2, des-cbc-md5, Version 4
Key: vno 2, des-cbc-md5, Version 5 - No Realm
Key: vno 2, des-cbc-md5, Version 5 - Realm Only
Key: vno 2, des-cbc-md5, AFS version 3
MKey: vno 1
WORKING on 1.12:
Number of keys: 8
Key: vno 92, aes256-cts-hmac-sha1-96, no salt
Key: vno 92, arcfour-hmac, no salt
Key: vno 92, des3-cbc-sha1, no salt
Key: vno 92, des-cbc-crc, no salt
Key: vno 92, des-cbc-md5, no salt
Key: vno 92, des-cbc-md5, Version 5 - No Realm
Key: vno 92, des-cbc-md5, Version 5 - Realm Only
Key: vno 92, des-cbc-md5, AFS version 3
MKey: vno 1
NOT WORKING on 1.12:
get_principal: unable to decode stored principal key data (ASN.1 structure is missing a required field) while retrieving "{anonymized}@IBR.CS.TU-BS.DE".
Did this krbPrincipalKey type change? Is there a tool to fix old keys?
-frank
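As an added diagnostic example (not from this mail or from the krb5 project), assuming an administrator has pulled the raw krbPrincipalKey value of a working and of a failing principal out of the directory with ldapsearch: a small DER walker that dumps the tag tree of such a value and lists the tagged elements a decodable entry has that the failing one lacks, which narrows "missing a required field" down to a concrete element without needing the KDC's decoder. The element layout of the constructed samples, and the dropped salt element in the failing sample, are assumptions made for illustration, not something the mail establishes.

```python
import base64
# Tiny DER builders, used only to construct the sample values at the bottom.
def tlv(tag, body): return bytes([tag, len(body)]) + body   # samples stay under 128 bytes
def ctx(n, body): return tlv(0xA0 | n, body)                # context tag [n], constructed
def seq(*parts): return tlv(0x30, b"".join(parts))
def integer(v): return tlv(0x02, bytes([v]))                # small non-negative values only
def octets(b): return tlv(0x04, b)

def der_tree(buf, depth=0):
    """Flatten a DER blob into (depth, label, length, primitive_value) rows."""
    rows, i = [], 0
    while i < len(buf):
        tag, i = buf[i], i + 1
        length, i = buf[i], i + 1
        if length >= 0x80:                      # long-form length, as real attribute values use
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        body, i = buf[i:i + length], i + length
        if tag & 0xC0 == 0x80:                  # context-specific tag [n]
            label = f"[{tag & 0x1F}]"
        else:
            label = {2: "INTEGER", 4: "OCTET STRING", 16: "SEQUENCE"}.get(tag & 0x1F, f"tag 0x{tag:02x}")
        if tag & 0x20:                          # constructed: descend into the body
            rows.append((depth, label, length, None))
            rows.extend(der_tree(body, depth + 1))
        else:
            rows.append((depth, label, length, body))
    return rows
def tag_paths(tree):
    """One path per element, e.g. 'SEQUENCE/[1]/SEQUENCE/SEQUENCE/[0]/SEQUENCE/[0]'."""
    paths, stack = [], []
    for depth, label, _, _ in tree:
        del stack[depth:]
        stack.append(label)
        paths.append("/".join(stack))
    return paths
def ldif_value(line):
    """Base64-decode an 'attr:: ...' line, the form ldapsearch uses for binary attributes."""
    return base64.b64decode(line.split("::", 1)[1].strip())
def missing_in(good, bad):
    """Tag paths present in a value that decodes but absent from one that fails."""
    return sorted(set(tag_paths(der_tree(good))) - set(tag_paths(der_tree(bad))))
# Constructed samples, not real key material; the dropped [0] element is an assumed
# shape for a "missing required field", not something the mail establishes.
def entry(salt): return seq(ctx(0, integer(1)), ctx(1, seq(seq(ctx(0, salt),
    ctx(1, seq(ctx(0, integer(18)), ctx(1, octets(bytes(8)))))))))
GOOD = entry(seq(ctx(0, integer(0)), ctx(1, octets(b"salt"))))  # salt with its [0] element
BAD = entry(seq(ctx(1, octets(b"salt"))))                       # same entry, [0] element dropped
GOOD_LDIF = "krbPrincipalKey:: " + base64.b64encode(GOOD).decode()
```

Feeding `der_tree(ldif_value(line))` the `krbPrincipalKey::` line of each principal and comparing with `missing_in` shows exactly which tagged element the old entries never got written with.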
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos