[2146] in Kerberos-V5-bugs
Re: Problem with kadmin5
daemon@ATHENA.MIT.EDU (Sam Hartman)
Tue Aug 13 01:16:18 1996
To: salehi@ISI.EDU (Nader Salehi)
Cc: krb5-bugs@MIT.EDU
From: Sam Hartman <hartmans@MIT.EDU>
Date: 13 Aug 1996 01:15:53 -0400
In-Reply-To: salehi@ISI.EDU's message of Mon, 12 Aug 1996 18:08:03 -0700
>>>>> "Nader" == Nader Salehi <salehi@ISI.EDU> writes:
Nader> Hi, I am installing the beta 6 release of Kerberos here at
Nader> ISI. I have found a problem which might be interesting. I
Nader> included my account (salehi/admin@TEST.ISI.EDU) into
Nader> krb5_adm.acl and gave all the rights to modify the
Nader> database. I then ran kadmin5 and tried to run "ldb". At
Nader> this point the system asked for my password every time it
Nader> wanted to display an entry. For all other commands, which
Nader> only show one entry, I just have to enter my password once.
Nader> I looked at the source code using a debugger. It seems
Nader> that the credential cache "ccname2use" is always empty.
Nader> Therefore, anytime kadmin5 wants to get an entry, it has to
Nader> ask for my password to authenticate me. I then ran kadmin5
Nader> with the following option:
Nader> "kadmin5 -c /var/tmp/creds"
Nader> This time the program does not ask for my password anymore,
Nader> but there exist two problems: 1) It is painfully slow, and
Nader> 2) the credentials are not cached out, which makes the
Nader> system a little insecure.
While you are correct that these are in fact problems with
kadmin5, they are inconsequential compared to the basic design
problems with kadmind5. It works well enough that most sites can
crawl along with it if they know what they are doing and don't try to
stress it too hard. (The ldb command tends to stress it as you
noticed.)
Fortunately, I think we are finally at a point where we no
longer have to care about these problems: as mentioned in a recent
press release, OpenVision donated their administration system to MIT
for inclusion in a future release of Kerberos. Soon, we should all be
rid of the old kadmind.
I would suggest a quick fix for you if I could, but honestly
short of some major redesign work, you can't really implement ldb in
the old kadmind model.
Nader> Best, Nader Salehi