[2685] in Kerberos-V5-bugs

home help back first fref pref prev next nref lref last post

krb5-admin/388: request for support in upgrading v4 to v5

daemon@ATHENA.MIT.EDU (Charlie)
Tue Mar 11 20:03:23 1997

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: bjaspan@MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, Charlie <root@circe.CS.Berkeley.EDU>
Date: Tue, 11 Mar 1997 16:55:41 -0800 (PST)
From: Charlie <root@circe.CS.Berkeley.EDU>
To: krb5-bugs@MIT.EDU
Cc: robm@eecs.Berkeley.EDU, sklower@cs.Berkeley.EDU


>Number:         388
>Category:       krb5-admin
>Synopsis:       users can't change their own kerberos passwd in our test install
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    bjaspan
>State:          open
>Class:          support
>Submitter-Id:   unknown
>Arrival-Date:   Tue Mar 11 19:56:01 EST 1997
>Last-Modified:
>Originator:     sklower@CS.Berkeley.EDU
>Organization:
	Computer Science Department, UC Berkeley
>Release:        1.0
>Environment:
	BSD/OS 2.1, Ultrix 4.3
System: BSD/OS circe.CS.Berkeley.EDU 2.1 BSDI BSD/OS 2.1 Kernel #7: Thu Oct 31 16:48:20 PST 1996 hodes@terrorism.cs.berkeley.edu:/disks/barad-dur/roboline/PC/src.2.1/sys/compile/BS_MOBILEIP WILDBOAR APM/PCMCIA Driver (WB960224) i386


>Description:
	After following the instructions in "Upgrading to Kerberos V5
        from Kerberos V4", with all data from our real production
	kerberos V4 database, and having selected 3 sample machines
	to participate in a test, (a server, circe@CS.Berkeley.EDU,
        an ultrix V4 machine oboe.CS..., a BSD/OS 2.1 client yacht@CS)
	none of the following ways allowed me to change my own kerberos
	password:
		a.) The V4 kpasswd command as compiled under ultrix
			from krb_passwd.c Berkeley version 8.3
		b.) The BSD/OS 2.1 passwd command
		c.) The V4-compatible kpasswd command as supplied
                    in the V5 distribution (compiled under BSD/OS 2.1)
		d.) The V5 v5passwd program as supplied in the V5
			distribution (compiled under BSD/OS 2.1)
		e.) The kadmin command as supplied in the V5 distribution
		    (as run from the server) with my principal
			"sklower/@EECS.BERKELEY.EDU"
		f.) ditto e.) for sklower/admin@EECS.BERKELEY.EDU 

	We cannot proceed with deployment of kerberos V here until
	normal users are able to change their own passwords, and
	our dedicated kerberos servers are PC's running BSD/OS.

>How-To-Repeat:
	Unfortunately, I'm not at liberty to include a v4 dump of our
	actual kerberos4 database.  I can, however, provide the contents
	of various other configuration and log files:

/etc/krb5.conf:
	[libdefaults]
	    default_realm = EECS.BERKELEY.EDU
	    krb4_srvtab = /etc/kerberosIV/srvtab
	    krb4_config = /etc/kerberosIV/krb.config
	    krb4_realms = /etc/kerberosIV/krb.realms

	[appdefaults]

	[realms]
	    EECS.BERKELEY.EDU = {
		kdc = circe.CS.Berkeley.EDU
		admin_server = circe.CS.Berkeley.EDU
		default_domain = CS.Berkeley.EDU
		v4_instance_convert = absolut.EECS.Berkeley.EDU
	[492 lines of *.EECS.Berkeley.EDU deleted;
         there are also ~950 host instances *.CS.Berkeley.EDU]
		v4_instance_convert = zirconium.EECS.Berkeley.EDU
	    }
	    ATHENA.MIT.EDU = {
		kdc = kerberos.mit.edu
		kdc = kerberos-1.mit.edu
		kdc = kerberos-2.mit.edu
		admin_server = kerberos.mit.edu
		default_domain = mit.edu
	    }

	[domain_realm]
	    .CS.Berkeley.EDU = EECS.BERKELEY.EDU
	    .EECS.Berkeley.EDU = EECS.BERKELEY.EDU
	    .mit.edu = ATHENA.MIT.EDU

	[logging]
	    kdc = FILE:/var/log/kerberos5.log
	    kdc = SYSLOG:INFO:DAEMON
	    admin_server = FILE:/var/log/kadmin5.log
	    admin_server = SYSLOG:INFO:DAEMON
	    default = FILE:/var/log/krb5lib.log

	[capaths]
	[kdc]

/usr/local/var/krb5kdc/kdc.conf:
[kdcdefaults]
	kdc_ports = 88,750
[realms]
    EECS.BERKELEY.EDU = {
	database_name = /usr/local/var/krb5kdc/principal
	admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
	acl_file = /usr/local/var/krb5kdc/kadm5.acl
	dict_file = /usr/local/var/krb5kdc/kadm5.dict
	key_stash_file = /usr/local/var/krb5kdc/.k5.EECS.BERKELEY.EDU
	kadmind_port = 749
	max_life = 10h 0m 0s
	max_renewable_life = 7d 0h 0m 0s
	master_key_type = des-cbc-crc
	supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
    }

[logging]
    kdc = FILE:/var/log/kerberos5.log
    kdc = SYSLOG:INFO:DAEMON
    admin_server = FILE:/var/log/kadmin5.log
    admin_server = SYSLOG:INFO:DAEMON
    default = FILE:/var/log/krb5lib.log

/usr/local/var/krb5kdc/kadm5.acl:
admin/admin@EECS.BERKELEY.EDU *
kpasswd/circe@EECS.BERKLEY.EDU ADmcil

/etc/inetd.conf [partial]:
# Kerberos authenticated services
klogin	stream	tcp	nowait	root	/usr/libexec/rlogind	rlogind -k
eklogin	stream	tcp	nowait	root	/usr/libexec/rlogind	rlogind -k -x
kshell	stream	tcp	nowait	root	/usr/libexec/rshd 	rshd -k
ekshell	stream	tcp	nowait	root	/usr/libexec/rshd 	rshd -k -x
rkinit	stream	tcp	nowait	root	/usr/libexec/rkinitd 	rkinitd
# Services run ONLY on the Kerberos server
#krbupdate stream tcp	nowait	root	/usr/libexec/registerd	registerd
kpasswd	stream	tcp	nowait	root	/usr/local/sbin/v5passwdd v5passwdd

/etc/services [partial]:
#
# Kerberos (Project Athena/MIT) version 5 services
#
kerberos-sec	88/udp			# Kerberos authentication udp
kerberos-sec	88/tcp			# Kerberos authentication tcp
krb5_prop	753/tcp			# Kerberos slave propagation
kerberos-adm	749/tcp			# Kerberos 5 admin/changepw (tcp)
kerberos-adm	749/udp			# Kerberos 5 admin/changepw (udp)
krb524		4444/udp		# Kerberos 5 to 4 ticket translator
#
# Kerberos (Project Athena/MIT) services
#
kerberos	750/udp		kdc	# Kerberos (server) udp
kerberos	750/tcp		kdc	# Kerberos (server) tcp
krbupdate	760/tcp		kreg	# Kerberos registration
kpasswd		761/tcp		kpwd	# Kerberos "passwd"
krb_prop	754/tcp			# Kerberos slave propagation
klogin		543/tcp			# Kerberos rlogin
eklogin		2105/tcp		# Kerberos encrypted rlogin
kshell		544/tcp		krcmd	# Kerberos remote shell
ekshell		2106/tcp		# Kerberos encrypted shell
rkinit		2108/tcp		# Kerberos remote initialization

Here are the diagnostic messages received under case a.)
	(kinit; kpasswd from ultrix 4.4):

Mar 11 16:26:20 circe.CS.Berkeley.EDU krb5kdc[2722](info): PROCESS_V4:Initial ticket request Host: 128.32.34.61 User: "sklower" ""
Mar 11 16:26:26 circe v5passwdd[3117]: v5passwdd: Address already in use while initializing network
Mar 11 16:26:26 circe v5passwdd[3117]: v5passwdd: Address already in use while initializing network
Mar 11 16:26:26 circe.CS.Berkeley.EDU krb5kdc[2722](info): PROCESS_V4:APPL Request sklower.@EECS.BERKELEY.EDU on 128.32.34.61 for kpasswd.circe
Mar 11 16:26:26 circe.CS.Berkeley.EDU v5passwdd[3117](info): starting
Mar 11 16:26:26 circe.CS.Berkeley.EDU v5passwdd[3117](Error): v5passwdd: Address already in use while initializing network

and the client program reports:
% kpasswd
WARNING: Your password may be exposed if you enter it here and are logged
         in remotely using an unsecure (non-encrypted) channel.
Changing Kerberos password for sklower.@EECS.BERKELEY.EDU.
Old Kerberos password:
couldn't read verification string (aborted)
% uname -a
ULTRIX oboe.CS.Berkeley.EDU 4.4 0 RISC

Here are the diagnostic message from case b.) -  the BSD/OS passwd command
Mar 11 16:32:03 circe.CS.Berkeley.EDU krb5kdc[2722](info): PROCESS_V4:Initial ticket request Host: 208.1.88.41 User: "sklower" ""
Mar 11 16:32:09 circe v5passwdd[3122]: v5passwdd: Address already in use while initializing network
Mar 11 16:32:09 circe v5passwdd[3122]: v5passwdd: Address already in use while initializing network
Mar 11 16:32:09 circe.CS.Berkeley.EDU krb5kdc[2722](info): PROCESS_V4:APPL Request sklower.@EECS.BERKELEY.EDU on 208.1.88.41 for kpasswd.circe
Mar 11 16:32:09 circe.CS.Berkeley.EDU v5passwdd[3122](info): starting
Mar 11 16:32:09 circe.CS.Berkeley.EDU v5passwdd[3122](Error): v5passwdd: Address already in use while initializing network

as resulting from the following sequence:
Kerberos Initialization
Kerberos name: sklower
Kerberos instance: 
Kerberos Password: 
yacht# passwd
Changing Kerberos password for sklower.@EECS.BERKELEY.EDU.
Old Kerberos password:
passwd: couldn't read verification string (aborted)
yacht# uname -a
BSD/OS yacht.CS.Berkeley.EDU 2.1 BSDI BSD/OS 2.1 Kernel #155: Sun Mar  9 20:03:37 PST 1997     stemm@saber.CS.Berkeley.EDU:/disks/barad-dur/roboline/PC/src.2.1/sys/compile/BS WILDBOAR APM/PCMCIA Driver (WB960224)  i386

Here are the diagnostic messages from case c.) - The V4-compatible
kpasswd command as supplied in the V5 distribution (compiled under BSD/OS 2.1),
and run from the server itself:
Mar 11 16:36:48 circe.CS.Berkeley.EDU krb5kdc[2722](info): AS_REQ 128.32.33.88(750): ISSUE: authtime 858127008, sklower@EECS.BERKELEY.EDU for krbtgt/EECS.BERKELEY.EDU@EECS.BERKELEY.EDU
Mar 11 16:37:03 circe v5passwdd[3129]: Cannot allocate memory - 3129: error reading AP_REQ message
Mar 11 16:37:03 circe v5passwdd[3129]: Cannot allocate memory - 3129: error reading AP_REQ message
Mar 11 16:37:03 circe.CS.Berkeley.EDU krb5kdc[2722](info): AS_REQ 128.32.33.88(750): ISSUE: authtime 858127023, sklower@EECS.BERKELEY.EDU for kadmin/changepw@EECS.BERKELEY.EDU
v5passwdd: Cannot allocate memory - 3129: error reading AP_REQ message

result from the following user interaction:
% /usr/local/bin/kinit sklower@EECS.BERKELEY.EDU
Password for sklower@EECS.BERKELEY.EDU: 
% /usr/local/bin/kpasswd
kpasswd: Changing password for sklower@EECS.BERKELEY.EDU.
Old password:
kpasswd: Cannot establish a session with the Kerberos administrative server for
realm EECS.BERKELEY.EDU. GSS-API (or Kerberos) error.
1.2u 0.0s 0:05.43 23.3% 0+0k 0+11io 0pf+0w
% uname -a
BSD/OS circe.CS.Berkeley.EDU 2.1 BSDI BSD/OS 2.1 Kernel #7: Thu Oct 31 16:48:20 PST 1996     hodes@terrorism.cs.berkeley.edu:/disks/barad-dur/roboline/PC/src.2.1/sys/compile/BS_MOBILEIP WILDBOAR APM/PCMCIA Driver (WB960224)  i386
% 


There were no diagnostic messages in the server logs resulting from case d.)
- the v5passwd program:

However, it didn't work, and as I wasn't able to figure out where it
was attempting to locate the server from . . .
% /usr/local/bin/v5passwd
/usr/local/bin/v5passwd: cannot contact server (No such file or directory).

In case e.) -  kadmin run from my user account:
Mar 11 16:47:28 circe.CS.Berkeley.EDU krb5kdc[2722](info): AS_REQ 128.32.33.88(750): ISSUE: authtime 858127648, sklower@EECS.BERKELEY.EDU for kadmin/admin@EECS.BERKELEY.EDU
Mar 11 16:47:36 circe v5passwdd[3151]: Cannot allocate memory - 3151: error reading AP_REQ message
v5passwdd: Cannot allocate memory - 3151: error reading AP_REQ message
Mar 11 16:47:36 circe v5passwdd[3151]: Cannot allocate memory - 3151: error reading AP_REQ message

which resulted from the invocation:
% /usr/local/sbin/kadmin -p sklower@EECS.BERKELEY.EDU
Enter password:
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface




>Fix:
	If I knew how to fix this problem I wouldn't be begging for help!

>Audit-Trail:
>Unformatted:
To: krb5-bugs@mit.edu
Subject: 
From: sklower@CS.Berkeley.EDU
Reply-To: sklower@CS.Berkeley.EDU
Cc: 
X-send-pr-version: 3.99



home help back first fref pref prev next nref lref last post