[2837] in Kerberos-V5-bugs
krb5-misc/510: kadmind4 does not work with krb5
daemon@ATHENA.MIT.EDU (aidan@panix.com)
Fri Dec 5 15:24:15 1997
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, aidan@panix.com
Date: Fri, 5 Dec 1997 15:23:29 -0500 (EST)
From: aidan@panix.com
Reply-To: aidan@panix.com
To: krb5-bugs@MIT.EDU
Cc: aidan@panix.com
>Number: 510
>Category: krb5-misc
>Synopsis: The kadmind4 server will not accept connections, will not
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Dec 05 15:24:01 EST 1997
>Last-Modified:
>Originator: Aidan Cully
>Organization:
Public Access Networks
>Release: krb5-1.0.2
>Environment:
i386, NetBSD 1.2
System: NetBSD juggler.nfs100.access.net 1.2 NetBSD 1.2 (JUGGLER) #0: Mon Oct 27 20:41:16 EST 1997 marcotte@juggler.nfs100.access.net:/usr/hlocal/panix-src/newest/src/sys/arch/i386/compile/JUGGLER i386
>Description:
When kadmind4 starts up, it binds to the address pointed to by
gethostname(). This should be INADDR_ANY (0.0.0.0). This barfed in
our setup where the local host name is different from the hostnames in
all our krb.conf files.
Once this problem was fixed, kadmind4 attempted to communicate with
kadmind or krb5kdc (didn't spend enough time looking through the code
to figure this out) with a tgt for ovsec_adm/(admin|changepw), but
attempting to decrypt a ticket for kadmin/(admin|changepw) (or
something like that... something was barfing on the server pointed to
by the ticket being different from the server pointed to by the tgt).
kadmind4 had to be modified to obtain a tgt for
kadmin/(admin|changepw). When this got fixed, it started responding
appropriately to requests, but it still sends back requests that the
client end thinks have been modified in transit.
>How-To-Repeat:
Run kadmind4.
>Fix:
Edit src/kadmin/v4server/kadm_ser_wrap.c, comment out the

    memcpy((char *) &server_parm.admin_addr.sin_addr.s_addr, hp->h_addr,
           sizeof(server_parm.admin_addr.sin_addr.s_addr));

line.

Edit src/kadmin/v4server/admin_server.c, change the
ovsec_kadm_init_with_skey line to look like

    retval = ovsec_kadm_init_with_skey(service_name,
                                       params.admin_keytab,
                                       KADM5_ADMIN_SERVICE, krbrlm,
                                       KADM5_STRUCT_VERSION,
                                       KADM5_API_VERSION_1,
                                       &ovsec_handle);

It would also be nice to have some docs for kadmind4. Is this program
supported at all?
>Audit-Trail:
>Unformatted:
talk to krb5 properly, and does not respond to the client in
a way the client can understand.
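
The bind-address problem from the Description, as an added example that is not part of the original report or of the krb5 source: a listener pinned to one local address refuses connections aimed at another, while an INADDR_ANY listener accepts them. The function name `reachable` and the loopback addresses are assumptions made for the demonstration; it relies on Linux treating all of 127.0.0.0/8 as local.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listen on bind_ip (NULL = INADDR_ANY) and an ephemeral port, then try to
 * connect to dial_ip on that port.
 * Returns 1 if the connection succeeds, 0 if it fails, -1 on setup error. */
int reachable(const char *bind_ip, const char *dial_ip)
{
    struct sockaddr_in srv, dst;
    socklen_t len = sizeof(srv);
    int ls, cs, rc = -1;

    memset(&srv, 0, sizeof(srv));
    srv.sin_family = AF_INET;
    srv.sin_port = 0;                          /* kernel picks a free port */
    srv.sin_addr.s_addr = htonl(INADDR_ANY);   /* wildcard: every local address */
    if (bind_ip && inet_pton(AF_INET, bind_ip, &srv.sin_addr) != 1)
        return -1;                             /* pinned address did not parse */

    if ((ls = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    if (bind(ls, (struct sockaddr *)&srv, sizeof(srv)) == 0 &&
        listen(ls, 1) == 0 &&
        getsockname(ls, (struct sockaddr *)&srv, &len) == 0 &&
        (cs = socket(AF_INET, SOCK_STREAM, 0)) >= 0) {
        memset(&dst, 0, sizeof(dst));
        dst.sin_family = AF_INET;
        dst.sin_port = srv.sin_port;           /* same port the listener got */
        if (inet_pton(AF_INET, dial_ip, &dst.sin_addr) == 1)
            rc = connect(cs, (struct sockaddr *)&dst, sizeof(dst)) == 0;
        close(cs);
    }
    close(ls);
    return rc;
}

int main(void)
{
    /* Constructed addresses: 127.0.0.2 stands for the address the local host
     * name resolves to, 127.0.0.1 for the address clients find in krb.conf. */
    int pinned = reachable("127.0.0.2", "127.0.0.1");   /* 0: refused */
    int wildcard = reachable(NULL, "127.0.0.1");        /* 1: accepted */
    return !(pinned == 0 && wildcard == 1);
}
```

The wildcard bind also puts the listener on every interface the host has, so a host that should serve admin traffic on only one network needs a packet filter in front of the port.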