[7684] in Kerberos
Re: krb5kdc crashes with HPUX
daemon@ATHENA.MIT.EDU (Sam Hartman)
Sat Jul 27 19:59:33 1996
To: ctrown@ecst.csuchico.edu (Chris Trown)
Cc: kerberos@MIT.EDU
From: Sam Hartman <hartmans@MIT.EDU>
Date: 27 Jul 1996 19:49:52 -0400
In-Reply-To: ctrown@ecst.csuchico.edu's message of 26 Jul 1996 23:02:50 GMT
>>>>> "Chris" == Chris Trown <ctrown@ecst.csuchico.edu> writes:
Chris> I think I have found a bug. I have two KDCs serving
Chris> two different realms. I have added principals in each KDC
Chris> that look like:
Chris> krbtgt/ECST.CSUCHICO.EDU@NET.CSUCHICO.EDU
Chris> Both have the same password. Now, I then try:
Chris> /krb5/bin/rsh pathogen.ecst.csuchico.edu ls
Chris> Blammo! The KDC serving the ecst.csuchico.edu realm
Chris> dies. I started up the KDC with the "-n" switch and lo and
Chris> behold, I see "Memory Fault(coredump)". This crash happens
Chris> going the other direction, too.
Chris> Both of the KDCs are running on HP-UX 9000/7xx series
Chris> machines. One is running HPUX 10.01 and the other is
Chris> running HPUX 10.10. Both KDCs are from the krb5b6
Chris> distribution. Both were compiled with the standard CCOPTS.
Chris> I can't get a stack trace as the binaries were stripped.
Chris> Looks Like I'm rebuilding....

You will probably want to rebuild with the -g option on at
least lib/krb5/*, lib/kdb/*, kdc/* and lib/kadm/*. Actually, you
might also want debugging symbols on lib/crypto/* as well. Obviously,
if you have enough space, get debugging symbols on everything,
although that increases the size of the build significantly.

Also, note that make install strips the binary after
installing, so you will want to run with the krb5kdc binary in the
build tree, not the one that is installed.

Chris> First off, is this the right way to do inter-realm
Chris> authentication? Can I get around these crashes?

I don't know if you can get around the crashes, because I
don't know what's causing them; we're certainly interested in fixing
the problem and working with you to isolate it.

You actually need to create two shared keys for cross-realm
authentication to work both ways:
krbtgt/a@b and krbtgt/b@a. Both these keys should exist in both
realms. It is important that the keys be the same, which means that
the passwords need to be the same, and the salt type used to create
the keys may need to be a no-realm salt. (Off the top of my head, I
can't think of a good reason to require this if the code is
implemented sanely, but the KDC might do something stupid like use
the default realm as the salt instead of the realm of the principal.
I'll play around with this today.) Anyway, to make sure you have a
no-realm salt, change the supported_enctypes line in your kdc.conf
when you add the keys as follows:

    supported_enctypes = des-cbc-md5:norealm

You will want to change this back to what it was before after
creating the key.
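
Added example, not part of the original message and not MIT krb5 code: a sketch of why the salt decides whether two KDCs derive the same cross-realm key from the same password. Assumptions: PBKDF2-HMAC-SHA1 stands in for the DES string-to-key behind des-cbc-md5, the password is a constructed sample, and the "default-realm" mode models the mis-salting the message only speculates about.

```python
import hashlib

# Realm names taken from the thread; each KDC's default realm is its own realm.
REALMS = ("ECST.CSUCHICO.EDU", "NET.CSUCHICO.EDU")


def salt_for(principal, mode, kdc_default_realm):
    """Salt for 'comp/comp@REALM' under one salting rule."""
    name, realm = principal.rsplit("@", 1)
    components = "".join(name.split("/"))  # components joined, no separators
    if mode == "normal":         # realm of the principal + components
        return (realm + components).encode()
    if mode == "norealm":        # components only (the :norealm salt type)
        return components.encode()
    if mode == "default-realm":  # hypothetical mis-salting: the KDC's own realm
        return (kdc_default_realm + components).encode()
    raise ValueError("unknown salt mode: " + mode)


def string_to_key(password, salt):
    # Stand-in KDF (assumption): PBKDF2-HMAC-SHA1, not the DES string-to-key.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 16)


def keys_per_kdc(principal, password, mode):
    """Key each KDC would derive for the same principal and password."""
    return {kdc: string_to_key(password, salt_for(principal, mode, kdc))
            for kdc in REALMS}


def keys_match(principal, password, mode):
    """True when both KDCs end up holding the same key."""
    return len(set(keys_per_kdc(principal, password, mode).values())) == 1


if __name__ == "__main__":
    tgs = "krbtgt/ECST.CSUCHICO.EDU@NET.CSUCHICO.EDU"
    for mode in ("normal", "norealm", "default-realm"):
        # "shared-secret" is a constructed sample password
        print(mode, keys_match(tgs, "shared-secret", mode))
```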