[1357] in Kerberos-V5-bugs
Kerberos 5 beta 4.3, DCE and the Order of the Flagbits
daemon@ATHENA.MIT.EDU (Doug Engert)
Wed May 3 03:31:42 1995
Date: Mon, 24 Apr 95 13:10:31 CDT
From: "Doug Engert" <DEEngert@anl.gov>
To: <krb5-bugs@MIT.EDU>
Cc: <authtf@es.net>, <info-dce@transarc.com>
Ted,
I saw your last three notes on the ordering of the flag bits. You
are not alone in having problems in this area.
At the OSF/DCE Users and Developers conference I talked to John
Brezak of HP about some K5/DCE interoperability issues. He
reported that there was a problem with forwarding because they had
misinterpreted the order of the flag bits, and most DCE releases
prior to 1.1 had bad code in this area. DCE 1.1 should have the
problem fixed.
I have been testing the interoperability of Kerberos 5 beta 4.3
with DCE 1.0.3 using the Transarc 1.0.3a release for Solaris 2.3,
and indeed I can not use forwarding when using the DCE security
server with K5.4.3 clients. I get from telnet the following:
Kerberos V5: failure on credentials(KDC can't fulfill requested option)
If I do a kinit -f (using either the DCE or K5 versions) I get
the same message. Both the DCE and K5 klist -f commands show
the bits. Listed below is the DCE klist run on a rs6000 showing
the flag bits.
I believe that I am seeing the problem which John discussed and
that HP has a fix for DCE server for this problem. I am also
going to try and get the fix for the Transarc version.
I am telling you this since you may hear of other problems with the
ordering of the flag bits which may cause more confusion.
If you have any more insight on this, let us know.
Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov
--------------------------------------------------------------------
stafford% /usr/bin/klist -f
DCE Identity Information:
Warning: Identity information is not certified
Global Principal: /.../anl.gov/b17783
Cell: 0010eb2c-571c-1ef8-a574-92896027aa77 /.../anl.gov
Principal: 00000086-ca26-2f27-8d00-92896027aa77 b17783
Group: fffffffe-571c-2ef8-a501-92896027aa77 nogroup
Local Groups:
fffffffe-571c-2ef8-a501-92896027aa77 nogroup
Identity Info Expires: 95/04/24:18:02:32
Account Expires: never
Passwd Expires: never
Kerberos Ticket Information:
Ticket cache: /opt/dcelocal/var/security/creds/dcecred_43d46b00
Default principal: b17783@anl.gov
Server: krbtgt/anl.gov@anl.gov
valid 95/04/24:11:08:39 to 95/04/24:21:08:39
F: 40400000 (F I) <---- NOTE THE FLAG BITS HERE -----
Server: dce-ptgt@anl.gov
valid 95/04/24:11:09:15 to 95/04/24:13:09:15
F: 40000000 (F )
Client: dce-ptgt@anl.gov
Server: krbtgt/anl.gov@anl.gov
valid 95/04/24:11:09:15 to 95/04/24:13:09:15
F: 0 ( )
Client: dce-ptgt@anl.gov
Server: dce-rgy@anl.gov
valid 95/04/24:11:09:15 to 95/04/24:13:09:15
F: 0 ( )
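
Added example, not part of the original message and not code from MIT Kerberos or DCE: it decodes the flag words shown in the klist output above using the RFC 1510 TicketFlags numbering (bit 0 is the most significant bit) and, for contrast, with bit 0 taken as the least significant bit. The letter table follows the MIT klist -f legend, and the LSB-first reading is an assumed illustration of a bit-order mismatch, not a reconstruction of the DCE code.

```c
#include <stdint.h>
#include <stdio.h>

/* RFC 1510 TicketFlags bit numbers paired with klist -f letters:
 * F forwardable, f forwarded, P proxiable, p proxy, D may-postdate, d postdated,
 * i invalid, R renewable, I initial, A pre-authent, H hw-authent. */
static const struct { int bit; char letter; } TKT_FLAGS[] = {
    {1, 'F'}, {2, 'f'}, {3, 'P'}, {4, 'p'}, {5, 'D'}, {6, 'd'},
    {7, 'i'}, {8, 'R'}, {9, 'I'}, {10, 'A'}, {11, 'H'},
};
#define NFLAGS (sizeof TKT_FLAGS / sizeof TKT_FLAGS[0])

/* Decode a 32-bit flag word into letters. msb_first=1: bit 0 is 0x80000000
 * (RFC 1510). msb_first=0: bit 0 is 0x00000001 (assumed mismatched reading).
 * out must hold at least 12 bytes. */
static char *decode_flags(uint32_t word, int msb_first, char *out)
{
    size_t n = 0;
    for (size_t i = 0; i < NFLAGS; i++) {
        int bit = TKT_FLAGS[i].bit;
        uint32_t mask = msb_first ? (0x80000000u >> bit) : (1u << bit);
        if (word & mask)
            out[n++] = TKT_FLAGS[i].letter;
    }
    out[n] = '\0';
    return out;
}

/* Mirror the bit order of a word: the same flags written in the other convention. */
static uint32_t reverse32(uint32_t w)
{
    uint32_t r = 0;
    for (int i = 0; i < 32; i++, w >>= 1)
        r = (r << 1) | (w & 1u);
    return r;
}

int main(void)
{
    /* Flag words copied from the klist -f output in the message. */
    const uint32_t seen[] = {0x40400000u, 0x40000000u, 0u};
    char a[12], b[12];
    for (size_t i = 0; i < 3; i++)
        printf("%08x  msb-first=(%s)  lsb-first=(%s)  mirrored=%08x\n",
               (unsigned)seen[i], decode_flags(seen[i], 1, a),
               decode_flags(seen[i], 0, b), (unsigned)reverse32(seen[i]));
    return 0;
}
```

With the RFC numbering, 40400000 reads as forwardable plus initial, matching the "(F I)" shown by klist; a peer counting from the other end of the word sees neither flag in the same 32 bits.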