[21074] in Athena Bugs
Re: Login puzzle
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Nov 14 14:03:22 2002
From: Greg Hudson <ghudson@MIT.EDU>
To: Tom Cavin <cavin@mit.edu>
Cc: SIPB Linux Help <linux-help@mit.edu>, Athena Bugs list <bugs@mit.edu>
In-Reply-To: <15827.60819.86320.334283@lap1-wccf.mit.edu>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Date: 14 Nov 2002 14:00:59 -0500
Message-Id: <1037300459.11445.336.camel@error-messages.mit.edu>
Mime-Version: 1.0
On Thu, 2002-11-14 at 13:38, Tom Cavin wrote:
> The /etc/athena/srvtab file was reconstructed from the
> /etc/krb5.keytab file after the existing srvtab file had been removed.
> Confusion regarding the nature of srvtab files resulted in the removal
> and it is very likely that the old krb5.keytab file is out of sync
> with the KDC.
What confusion?
krb5 and krb4 daemons should be able to use keytab and srvtab files
interchangeably, assuming the daemon executables were linked against the
Athena Kerberos libraries. Because of this feature, the most desirable
configuration is a keytab and no srvtab, since keytabs are a richer
format.
Unfortunately, there is no simple analog to the "ksrvutil change"
command for keytabs (I'm told you can do it with kadmin, but it's
certainly not a single, easily remembered command), and our method of
distributing keys to machines requires people to change the key after
receiving it insecurely. So I think our support infrastructure still
winds up giving people instructions which result in srvtabs, not
keytabs. That may lead to some confusion.
> 1. What tools can I use to get the srvtab/keytab versions so I can
> compare local files with the corresponding versions on the KDC?
ktutil can examine and manipulate a keytab.
ksrvutil can examine and manipulate a srvtab.
kvno can check the version of a principal on the KDC.
> 2. What happens in normal login process for a normal user that isn't
> happening here?
If your machine has a srvtab or keytab, xlogin tries to use it to
authenticate that the provided ticket came from the real KDC.
(Otherwise xlogin has no sound guarantee that the user's password
matches the password in the real KDC.) If your srvtab or keytab is
skewed with respect to the KDC, this will fail, but xlogin cannot
distinguish this failure from someone trying to impersonate the KDC.
> 3. What does the error message from krb_rd_req mean? And more
> generally, where can I find documentation on these errors?
Error messages from krb4 library routines are generally vague and
undocumented.
Error messages from krb5 library routines are better, but still pretty
bad. But that's irrelevant for now because xlogin uses krb4 library
routines.
> 4. Is there a way to get the system to tell me what's different or
> missing?
rpm -Va, maybe? This is a difficult problem, because usually when a
machine isn't working it's because of a problem in a configuration file,
which is expected to be different on different machines.
> P.S. The expected recovery procedure is to get a new srvtab from accounts
> and then reinstall the system.
Reinstalling the system may be going overboard. I think all your
symptoms can be accounted for by the known mistake.
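A toy model of the check described in the answer to question 2, added here as an illustration and not code from this thread or from Athena's xlogin: HMAC stands in for Kerberos encryption, and the principal names, passwords and key versions are constructed. It shows why the local srvtab/keytab key is needed at all, and why a keytab out of sync with the KDC fails in exactly the same way as a forged KDC response.

```python
import hashlib
import hmac

def key_from_secret(secret: bytes) -> bytes:
    # Toy stand-in for Kerberos string-to-key.
    return hashlib.sha256(secret).digest()

def seal(key: bytes, body: bytes) -> bytes:
    # Toy stand-in for "encrypt under key": a tag only the key holder can make.
    return hmac.new(key, body, hashlib.sha256).digest()

class KDC:
    def __init__(self, db):
        self.db = dict(db)  # principal -> (key, kvno)

    def issue_ticket(self, principal, body):
        key, kvno = self.db[principal]
        return kvno, seal(key, body)  # ticket sealed under the principal's current key

def xlogin(kdc, user, password, host_princ, keytab):
    # Step 1: get a TGT and check it with the key derived from the typed password.
    user_key = key_from_secret(password.encode())
    tgt_body = b"tgt:" + user.encode()
    _, sealed_tgt = kdc.issue_ticket(user, tgt_body)
    if not hmac.compare_digest(sealed_tgt, seal(user_key, tgt_body)):
        return "bad password"
    # Step 2: step 1 says nothing about who answered, since whoever typed the
    # password could also be the one answering as the KDC. So request a ticket
    # for the local host service and verify it with the key in the local keytab.
    svc_body = b"svc:" + host_princ.encode() + b":" + user.encode()
    kvno, sealed_svc = kdc.issue_ticket(host_princ, svc_body)
    local_key, local_kvno = keytab[host_princ]
    if kvno != local_kvno or not hmac.compare_digest(sealed_svc, seal(local_key, svc_body)):
        # Identical failure for a forged KDC and for a keytab skewed from the real KDC.
        return "krb_rd_req failed"
    return "ok"

def demo():
    # Constructed names and secrets, not real Athena principals or keys.
    host, user_key, host_key = "host/ws.example", key_from_secret(b"pw"), key_from_secret(b"hk2")
    real = KDC({"tom": (user_key, 1), host: (host_key, 2)})
    fake = KDC({"tom": (key_from_secret(b"other-pw"), 1), host: (key_from_secret(b"guess"), 2)})
    in_sync, stale = {host: (host_key, 2)}, {host: (key_from_secret(b"hk1"), 1)}
    return {
        "real kdc, keytab in sync": xlogin(real, "tom", "pw", host, in_sync),
        "real kdc, wrong password": xlogin(real, "tom", "wrong", host, in_sync),
        "real kdc, stale keytab": xlogin(real, "tom", "pw", host, stale),
        "forged kdc, keytab in sync": xlogin(fake, "tom", "other-pw", host, in_sync),
    }
```

The stale-keytab and forged-KDC cases return the same result, which is the indistinguishability the answer describes; comparing the keytab's kvno with what kvno reports for the host principal is what separates them in practice.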