On Tue, 26 Nov 2013, CSights wrote:

Package: krb5-admin-server
Version: 1.10.1+dfsg-5+deb7u1
Severity: normal

Dear Maintainer,

MIT documentation for version 1.10 of kdc.conf states that

"The string DEFAULT can be used to refer to the default set of types for the variable in question. Types or families can be removed from the current list by prefixing them with a minus sign (“-”). Types or families can be prefixed with a plus sign (“+”) for symmetry; it has the same meaning as just listing the type or family. For example, “DEFAULT -des” would be the default set of encryption types with DES types removed, and “des3 DEFAULT” would be the default set of encryption types with triple DES types moved to the front."
http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#encryption-and-salt-types


However using

supported_enctypes = DEFAULT

in kdc.conf results in kadmind failing with
"kadmind: Required parameters in kdc.conf missing while initializing, aborting"



The server does start with any other encryption type specified before the word DEFAULT. E.g.

supported_enctypes = des3-cbc-raw:normal DEFAULT

will let the server start without errors, as will a nonsense encryption type like:

supported_enctypes = des3-cbc-raw:normal dog


So, it is probably the case that DEFAULT is just ignored if it is not the first encryption type.

I don't think that's the best description of what is going on. The parsing for supported_enctypes goes through a different routine than the processing for the other enctype parameters in the profile, and this one just doesn't handle DEFAULT at all. However, the call site *also* ignores all errors from the parsing routine, so an error is only reported on startup if this routine does not produce any enctypes at all! As long as the first entry in the list is a valid enctype:salt pair, the KDC will start up, just not using the intended options if there is something bogus in the list. This is probably better treated as a code bug than a doc bug.

I have created ticket 7792 upstream (http://krbdev.mit.edu/rt/Ticket/Display.html?id=7792) to track this issue.

-Ben Kaduk

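The two behaviours described in this thread, modelled side by side as an added example (this is not MIT krb5 code and does not reflect how the real parser is written): a lenient parser that drops anything it does not recognise and only complains when nothing survives, next to a strict one that expands DEFAULT, honours the documented +/- prefixes, and rejects unknown tokens. The enctype and salt names are a representative subset of MIT names, and the DEFAULT set is an assumed stand-in for whatever a given build uses. silently_dropped() is the pre-deployment check a practitioner would want: it lists the tokens a lenient parser would throw away without a diagnostic.

```python
"""
Model of lenient vs strict parsing of a kdc.conf supported_enctypes value.

Example code written for this thread; it is not MIT krb5 source.
Enctype/salt names are a representative subset of MIT names, and
DEFAULT_SET is an assumed stand-in for a build's real default list.
"""

# Constructed: representative MIT enctype names mapped to their family.
ENCTYPE_FAMILY = {
    "aes256-cts-hmac-sha1-96": "aes", "aes256-cts": "aes",
    "aes128-cts-hmac-sha1-96": "aes", "aes128-cts": "aes",
    "des3-cbc-sha1": "des3", "des3-hmac-sha1": "des3", "des3-cbc-raw": "des3",
    "arcfour-hmac": "rc4", "rc4-hmac": "rc4",
    "des-cbc-crc": "des", "des-cbc-md5": "des", "des-cbc-raw": "des",
}
FAMILIES = set(ENCTYPE_FAMILY.values())
SALTTYPES = {"normal", "v4", "norealm", "onlyrealm", "afs3", "special"}

# Assumption: stand-in for the build's default set; the real list depends
# on the krb5 version and build options.
DEFAULT_SET = [
    ("aes256-cts-hmac-sha1-96", "normal"),
    ("aes128-cts-hmac-sha1-96", "normal"),
    ("des3-cbc-sha1", "normal"),
    ("arcfour-hmac", "normal"),
]


class EnctypeParseError(ValueError):
    """Raised when a supported_enctypes value cannot be used."""


def _split_pair(token):
    """Split 'enctype:salt'; a missing salt means 'normal'."""
    enctype, _, salt = token.partition(":")
    return enctype, salt or "normal"


def lenient_parse(value):
    """Mimic the reported behaviour: unknown tokens (DEFAULT included) are
    dropped without a diagnostic, and failure is reported only when no
    enctype at all survives."""
    result = []
    for token in value.split():
        enctype, salt = _split_pair(token)
        if enctype in ENCTYPE_FAMILY and salt in SALTTYPES:
            result.append((enctype, salt))
    if not result:
        raise EnctypeParseError("Required parameters in kdc.conf missing")
    return result


def silently_dropped(value):
    """Tokens the lenient parser would discard without telling anyone."""
    dropped = []
    for token in value.split():
        enctype, salt = _split_pair(token)
        if not (enctype in ENCTYPE_FAMILY and salt in SALTTYPES):
            dropped.append(token)
    return dropped


def strict_parse(value):
    """Parse per the documented syntax: expand DEFAULT, expand family names,
    apply '-' (remove, by enctype name) and '+' (same as listing), and
    reject anything unrecognised instead of skipping it."""
    result = []
    for token in value.split():
        remove = token.startswith("-")
        body = token.lstrip("+-")
        if body == "DEFAULT":
            members = list(DEFAULT_SET)
        elif body in FAMILIES:
            members = [(e, "normal") for e in sorted(ENCTYPE_FAMILY)
                       if ENCTYPE_FAMILY[e] == body]
        else:
            enctype, salt = _split_pair(body)
            if enctype not in ENCTYPE_FAMILY:
                raise EnctypeParseError("unknown enctype in %r" % token)
            if salt not in SALTTYPES:
                raise EnctypeParseError("unknown salt type in %r" % token)
            members = [(enctype, salt)]
        if remove:
            names = {m[0] for m in members}
            result = [p for p in result if p[0] not in names]
        else:
            result.extend(p for p in members if p not in result)
    if not result:
        raise EnctypeParseError("supported_enctypes resolves to an empty list")
    return result


def rejects(parser, value):
    """True if parser raises EnctypeParseError on value."""
    try:
        parser(value)
    except EnctypeParseError:
        return True
    return False


if __name__ == "__main__":
    for line in ("DEFAULT", "des3-cbc-raw:normal DEFAULT", "des3-cbc-raw:normal dog"):
        print("%-28s lenient=%s dropped=%s" % (
            line, "ERROR" if rejects(lenient_parse, line) else "ok",
            silently_dropped(line)))
```

Running it against the three lines from the bug report shows exactly the reported pattern: a bare DEFAULT fails outright, while "des3-cbc-raw:normal DEFAULT" and "des3-cbc-raw:normal dog" both start "successfully" with DEFAULT and dog discarded.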