[7685] in Kerberos
Re: krb5kdc crashes with HPUX
daemon@ATHENA.MIT.EDU (Chris Trown)
Sat Jul 27 21:33:38 1996
To: kerberos@MIT.EDU
Date: 28 Jul 1996 00:42:34 GMT
From: ctrown@ecst.csuchico.edu (Chris Trown)
In article <tsl4tmt5k9r.fsf@tertius.mit.edu>,
Sam Hartman <hartmans@MIT.EDU> wrote:
>>>>>> "Chris" == Chris Trown <ctrown@ecst.csuchico.edu> writes:
>
> Chris> I think I have found a bug. I have two KDCs serving
> Chris> two different realms. I have added principals in each KDC
> Chris> that look like:
>
> Chris> krbtgt/ECST.CSUCHICO.EDU@NET.CSUCHICO.EDU
>
> Chris> Both have the same password. Now, I then try:
>
> Chris> /krb5/bin/rsh pathogen.ecst.csuchico.edu ls
>
> Chris> Blammo! The KDC serving the ecst.csuchico.edu realm
> Chris> dies. I started up the KDC with the "-n" switch and lo and
> Chris> behold, I see "Memory Fault(coredump)". This crash happens
> Chris> going the other direction, too.
>
> Chris> Both of the KDCs are running on HP-UX 9000/7xx series
> Chris> machines. One is running HPUX 10.01 and the other is
> Chris> running HPUX 10.10. Both KDCs are from the krb5b6
> Chris> distribution. Both were compiled with the standard CCOPTS.
> Chris> I can't get a stack trace as the binaries were stripped.
> Chris> Looks Like I'm rebuilding....
>
> You will probably want to rebuild with the -g option on at
>least lib/krb5/*, lib/kdb/*, kdc/* and lib/kadm/*. Actually, you
>might also want debugging symbols on lib/crypto/* as well. Obviously,
>if you have enough space, get debugging symbols on everything,
>although it increases the size of the build significantly.
>
This should help make the build.
> Also, note that make install strips the binary after
>installing, so you will want to run with the krb5kdc binary in the
>build tree, not the one that is installed.
>
>
> Chris> First off, is this the right way to do inter-realm
> Chris> authentication? Can I get around these crashes?
>
> I don't know if you can get around the crashes, because I
>don't know what's causing them; we're certainly interested in fixing
>the problem and working with you to isolate it.
>
> You actually need to create two shared keys for cross-realm
>authentication to work both ways:
>krbtgt/a@b and krbtgt/b@a. Both these keys should exist in both
>realms. It is important that the keys be the same, which means that
>the passwords need to be the same, and the salt type used to create
>the keys may need to be a no-realm salt. (Off the top of my head, I
>can't think of a good reason to require this if the code is
>implemented sanely, but the KDC might do something stupid like use
>the default realm as the salt instead of the realm of the principal.
>I'll play around with this today) Anyway, to make sure you have a
>no-realm salt, change the supported_enctypes line in your kdc.conf
>when you add the keys as follows:
>
> supported_enctypes = des-cbc-md5:norealm
>
> You will want to change this back to what it was before after
>creating the key.
More details on what I did.
After killing another department's kdc a few times, I decided it would be
better if I created my own subrealm where killing the KDC would have fewer
repercussions. :-)
I set up two realms:
[realms]
NET.CSUCHICO.EDU = {
kdc = foo1.net.csuchico.edu
admin_server = foo1.net.csuchico.edu
default_domain = net.csuchico.edu
}
NET-TEST.CSUCHICO.EDU = {
kdc = foo2.net.csuchico.edu
admin_server = foo2.net.csuchico.edu
default_domain = net.csuchico.edu
}
[domain_realm]
.net.csuchico.edu = NET.CSUCHICO.EDU
snorch.net.csuchico.edu = NET-TEST.CSUCHICO.EDU
net.csuchico.edu = NET.CSUCHICO.EDU
foo1 is running HPUX and foo2 is running NetBSD 1.1ALPHA (I know 1.1 has
been released, but at this point, I'm waiting for 1.2). foo1 had the following
principals:
krbtgt/NET-TEST.CSUCHICO.EDU@NET.CSUCHICO.EDU *
krbtgt/NET.CSUCHICO.EDU@NET.CSUCHICO.EDU
foo2 had:
krbtgt/NET.CSUCHICO.EDU@NET-TEST.CSUCHICO.EDU *
krbtgt/NET-TEST.CSUCHICO.EDU@NET-TEST.CSUCHICO.EDU
The ones with the '*' shared the same password. Both had my user
principal. I now know that this is wrong. I did what Sam suggested and things
started working. I used
ank des-cbc-md5:norealm krbtgt/NET-TEST.CSUCHICO.EDU@NET.CSUCHICO.EDU
to add the keys.
I've tried this little bug on two different OSs. These are the only ones
that I have access to on campus. I've given up on Linux for now. Can someone
else try this out? I'll try and get everything rebuilt with debugging on and
see what I can see.
Chris Trown
Communication Services
P.S. I've made everything so verbose so that the next person that comes along
will have some details about how to do things.
--
-------------------------------------------------------------------------------
+ Chris Trown + CSRV Monkey Suit | Fly low +
+ ctrown@ecst.csuchico.edu + worn under | and avoid +
+ KD6EVS | '92 CBR600F2 + PROTEST! | the radar +
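The following is an added example, not code from the thread or from MIT krb5, written to show concretely what Sam's ":norealm" advice changes. The rule it models is the one both replies rely on: a KDC derives a principal's long-term key from the password plus a salt, and the default salt is the principal's realm followed by its name components, so two KDCs only end up with identical krbtgt keys if they feed the same salt into the same string-to-key function. The example uses the aes128-cts-hmac-sha1-96 string-to-key of RFC 3962 (PBKDF2-HMAC-SHA1, then DK with the "kerberos" constant) rather than the des-cbc-md5 of the 1996 beta, an assumption made so the code needs only the Go standard library; the salt rules are the same for both. The realm and principal names are the ones from the post, the password is constructed, and the "buggy" KDC that salts with its own default realm instead of the realm in the principal name is the hypothetical Sam raises, not a confirmed bug in any release.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// Principal is a Kerberos principal split the way the KDC sees it: name
// components plus realm, e.g. krbtgt/NET-TEST.CSUCHICO.EDU@NET.CSUCHICO.EDU
// has components {"krbtgt", "NET-TEST.CSUCHICO.EDU"} and realm NET.CSUCHICO.EDU.
type Principal struct {
	Components []string
	Realm      string
}

// DefaultSalt is the RFC 4120 default salt: the principal's realm followed by
// its name components, concatenated with no separators.
func (p Principal) DefaultSalt() string {
	return p.Realm + strings.Join(p.Components, "")
}

// NoRealmSalt is what MIT's ":norealm" salt type uses: the name components
// only, so whatever realm a KDC thinks it is serving cannot leak into the key.
func (p Principal) NoRealmSalt() string {
	return strings.Join(p.Components, "")
}

// pbkdf2SHA1 is a minimal PBKDF2-HMAC-SHA1 (RFC 2898), kept local so the
// example depends only on the standard library.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf := hmac.New(sha1.New, password)
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf = hmac.New(sha1.New, password)
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// stringToKeyAES128 is the aes128-cts-hmac-sha1-96 string-to-key of RFC 3962:
// PBKDF2 with the default 4096 iterations, then DK(tkey, "kerberos"), which for
// a 128-bit key is a single AES block encrypting 128-fold("kerberos").
func stringToKeyAES128(password, salt string) []byte {
	tkey := pbkdf2SHA1([]byte(password), []byte(salt), 4096, 16)
	nfold, _ := hex.DecodeString("6b65726265726f737b9b5b2b93132b93") // RFC 3961 A.1
	c, err := aes.NewCipher(tkey)
	if err != nil {
		panic(err)
	}
	key := make([]byte, 16)
	c.Encrypt(key, nfold)
	return key
}

// keysMatch answers the thread's question for one shared password: do two KDCs
// end up with the same long-term key when one salts with saltA and the other
// with saltB?
func keysMatch(password, saltA, saltB string) bool {
	return bytes.Equal(stringToKeyAES128(password, saltA), stringToKeyAES128(password, saltB))
}

func main() {
	const password = "correct horse battery staple" // constructed, not from the post
	shared := Principal{Components: []string{"krbtgt", "NET-TEST.CSUCHICO.EDU"}, Realm: "NET.CSUCHICO.EDU"}
	// Hypothetical KDC on foo2 salting with its own default realm
	// (NET-TEST.CSUCHICO.EDU) instead of the realm in the principal name.
	buggy := Principal{Components: shared.Components, Realm: "NET-TEST.CSUCHICO.EDU"}

	fmt.Printf("both salt with the principal's realm: match=%v\n",
		keysMatch(password, shared.DefaultSalt(), shared.DefaultSalt()))
	fmt.Printf("foo2 salts with its own realm:        match=%v\n",
		keysMatch(password, shared.DefaultSalt(), buggy.DefaultSalt()))
	fmt.Printf("both use the :norealm salt:           match=%v\n",
		keysMatch(password, shared.NoRealmSalt(), buggy.NoRealmSalt()))
}
```

Run it and the middle line is the failure mode Sam describes: same password, same principal name, different keys, and the cross-realm TGT can never be decrypted by the other side. The :norealm line matches no matter which realm each KDC believes it is in, which is why the advice was to set supported_enctypes to des-cbc-md5:norealm just while adding the two krbtgt entries. The trade-off a practitioner should keep in mind is that a realm-free salt makes the key depend on the password and name alone, so the same password reused for same-named principals in different realms yields the same key.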