[37300] in Kerberos
Re: Incremental propagation when KDCs are clients of a different realm
daemon@ATHENA.MIT.EDU (Toby Blake)
Thu Nov 5 10:20:15 2015
From: Toby Blake <toby@inf.ed.ac.uk>
In-Reply-To: <AC88C309-4CB1-4E4E-9F69-5C44C061C430@inf.ed.ac.uk>
Date: Thu, 5 Nov 2015 15:19:48 +0000
Message-Id: <B9A026FD-6A85-4408-9F15-32F20383A3EC@inf.ed.ac.uk>
To: kerberos@mit.edu
To close off the thread I started...
> On 2 Nov 2015, at 14:48, Toby Blake <toby@inf.ed.ac.uk> wrote:
>
> Hello,
>
> I'm trying to set up incremental propagation on a master-slave KDC
> configuration where the KDCs are clients of a different realm to the one they
> serve.
[...]
I've done some hacking on this and the conclusion is that it's possible to do
what I want, but it does require code changes.
Just pointing the slave and master at an alternative krb5.conf with
default_realm set accordingly is not enough.
The changes required are in src/slave/kpropd.c:do_iprop.
Specifically, the iprop_svc_princstr and master_svc_princstr strings.
When kadm5_init_with_skey is called, iprop_svc_princstr is set to
"kiprop/slave.domain@DOMAIN".
This comes from iprop_svc_principal - it looks like the DOMAIN part is
generated via krb5_sname_to_principal/krb5_get_host_realm - so it's determined
from the host name itself.
master_svc_princstr is set to "kiprop/master.domain" - i.e. no realm, so it
must be filled in subsequently.
If I set iprop_svc_princstr and master_svc_princstr to
kiprop/host.domain@KDCDOMAIN explicitly then iprop works correctly.
Hopefully the above is clear. It's largely for my benefit to write down what
I've discovered so I can work on a patch to do what I want properly when I
have a bit more time.
Cheers
Toby
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
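The realm mismatch Toby describes comes from kpropd deriving the kiprop principal's realm from the host name (via krb5_sname_to_principal / krb5_get_host_realm, which consult the [domain_realm] mapping) rather than from the realm the KDC serves. The following is an added example, not code from the post or from MIT krb5: a small Python model of that lookup that shows the derived principal and the explicitly-set one side by side. It does not call libkrb5; the host names, realm names and the [domain_realm] mapping are constructed placeholders matching the post's "slave.domain@DOMAIN" and "@KDCDOMAIN" wording, and the function names are the example's own.

```python
# Added example (not from the mailing-list post or from MIT krb5): models how
# kpropd's do_iprop ends up with a kiprop principal in the host's realm
# (DOMAIN) instead of the realm the KDC serves (KDCDOMAIN).
from typing import Dict, Optional, Tuple

# Constructed [domain_realm] mapping: every host under ".domain" belongs to
# realm DOMAIN, but the KDCs on those hosts serve a different realm, KDCDOMAIN.
DOMAIN_REALM: Dict[str, str] = {
    ".domain": "DOMAIN",
}


def host_realm(hostname: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Model of krb5_get_host_realm's [domain_realm] lookup: try the full host
    name first, then each parent domain with a leading dot (longest suffix
    wins). Returns None when nothing maps, where libkrb5 would fall back to
    other heuristics."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate]
    return None


def kiprop_princ_from_hostname(hostname: str, domain_realm: Dict[str, str]) -> str:
    """What do_iprop effectively builds for iprop_svc_princstr: the realm is
    whatever the host name maps to, not the realm being replicated."""
    realm = host_realm(hostname, domain_realm)
    if realm is None:
        raise ValueError(f"no [domain_realm] mapping for {hostname}")
    return f"kiprop/{hostname}@{realm}"


def kiprop_princ_for_served_realm(hostname: str, served_realm: str) -> str:
    """The explicit form from the post: kiprop/host.domain@KDCDOMAIN."""
    return f"kiprop/{hostname}@{served_realm}"


def with_realm(princ_without_realm: str, realm: str) -> str:
    """master_svc_princstr starts out as "kiprop/master.domain" with no realm;
    this is the step that must fill it in with the served realm."""
    if "@" in princ_without_realm:
        return princ_without_realm
    return f"{princ_without_realm}@{realm}"


def principal_mismatch(
    hostname: str, served_realm: str, domain_realm: Dict[str, str]
) -> Tuple[str, str, bool]:
    """Return (derived, explicit, mismatch) for one KDC host, so an operator
    can see whether host-derived naming will produce the wrong realm."""
    derived = kiprop_princ_from_hostname(hostname, domain_realm)
    explicit = kiprop_princ_for_served_realm(hostname, served_realm)
    return derived, explicit, derived != explicit


if __name__ == "__main__":
    derived, explicit, bad = principal_mismatch("slave.domain", "KDCDOMAIN", DOMAIN_REALM)
    print("derived from host name :", derived)
    print("explicit served realm  :", explicit)
    print("mismatch               :", bad)
    print("master principal       :", with_realm("kiprop/master.domain", "KDCDOMAIN"))
```

Running it prints the host-derived name kiprop/slave.domain@DOMAIN against the working kiprop/slave.domain@KDCDOMAIN; the mismatch flag is the condition under which iprop authentication fails in the setup described above, and it disappears only when the realm is taken from the served realm rather than from the host mapping.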