[1535] in Kerberos_V5_Development
Re: additional bugs for Beta 7
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Mon Aug 12 10:08:32 1996
Date: Mon, 12 Aug 96 10:08:16 -0400
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: hartmans@MIT.EDU
Cc: krbcore@MIT.EDU
In-Reply-To: <199608120715.DAA17043@tertius.mit.edu> (message from Sam Hartman
on Mon, 12 Aug 1996 03:15:19 -0400)

* Upgrading from a Beta6 database worked correctly; all the principals
that kadmin needed were created and old data was preserved.

Yahoo! :-)

* If I ran kadmind, and then used the add_policy command with kadmin,
I got a "server communications failure" trying to add the policy. If
I added the policy in kadmin.local, I could modify it using kadmin.

Very bizarre. I'll see if I can duplicate the problem.

* How is the default policy supposed to work?

There is no special behavior associated with a policy called "default"
nor with any other policy. Principals with no policy assigned are
simply not controlled by any policy. I cannot explain the refcnt
behavior you observed; again, I'll try to duplicate it.

* Somehow the kdb code in kdb_dbe_find_enctype to deal with making
sure DES-MD5 == DES-CRC == DES-RAW got mangled. I got some supported
enctype errors I don't think I should have gotten, but I need to play
around with it some. (I use a few DES3 keys in this database, so it's
mildly confusing.)

I think that code is a botch by design and should be fixed; otherwise,
we'll have the same problem when we introduce new 3DES enctypes with a
different checksum scheme. I talked to Ted about this a while ago,
and I think I put some notes on it in my kdb.tex documentation (which
maybe I never moved into the krbdev locker...)

* Several of the GSSAPI applications (ftp, gss-client) are not
displaying useful Kerberos error messages for me, but instead are
displaying "unknown code krb5xxx".

The krb5 gss_init_sec_context() should call krb5_init_ets(). If it
isn't, that should be easy to fix.

I have not yet tested dumping a b7 database to a b6 kdc, or
kprop in either direction. Question: should kprop be using kdb5_util,
or kdb5_edit?

kdb5_edit is totally obsolete, should never be used, and should not
even be compiled or distributed at all in beta 7 (lest someone try to
use it). Therefore, use kdb5_util. :-) I just sent email about this
yesterday, in fact. I'll be testing kprop myself some time this week
(perhaps today) in the process of writing my LISA slides.

Barry