I'm running version 1.6 on a Debian lenny box. The actual Debian packages are:
ii krb5-admin-server 1.6.dfsg.1-7 MIT Kerberos master server (kadmind) ii krb5-kdc 1.6.dfsg.1-7 MIT Kerberos key server (KDC) Tony > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Behalf Of Markus Moeller > Sent: Monday, September 24, 2007 4:15 PM > To: [email protected] > Subject: Re: Problems with kadmind, kpasswd and cross-realm > authentication > > > That looks to me like a bug in the kdc code. Which release do you use ? > > Markus > > "Anthony Brock" <[EMAIL PROTECTED]> wrote in message > news:[EMAIL PROTECTED] > > Unfortunately I'm not necessarily familiar enough to know if I'm seeing > > the > > "correct" tickets. I am seeing 6 packets with the first 4 are directed > > to/from port 88 and the last 2 directed to/from 464: > > > > PKT 1: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server > > Name > > (Principal): kadmin/changepw, KRB5 AS-REQ > > PKT 2: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server > > Name > > (Principal): kadmin/changepw, KRB5 KRB Error: > KRB5KDC_ERR_PREAUTH_REQUIRED > > PKT 3: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server > > Name > > (Principal): kadmin/changepw, KRB5 AS-REQ > > PKT 4: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server > > Name > > (Principal): kadmin/changepw, KRB5 AS-REP > > > > Then I see: > > > > PKT 5: Tkt-vno: 5, Realm: STERLINGCGI.COM, Server Name (Principal): > > kadmin/changepw, KPASSWD Reply > > PKT 6: KPASSWD Reply[Malformed Packet] > > > > It's interesting to note that I can see in the "text" field of > wireshark > > for > > the "[Malformed Packet: Kpasswd]" the words "SCGROUP.ORG", "kadmin", > > "changepw" and "Failed reading application request". However, obviously, > > wireshark didn't seem to understand the contents of the packet. > Other than > > this anomaly, the REALM looks good to me. > > > > I'm also attaching a "text" export of the packet capture from wireshark. > > > > Tony > > > > > >> -----Original Message----- > >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > >> Behalf Of Markus Moeller > >> Sent: Monday, September 24, 2007 1:39 PM > >> To: [email protected] > >> Subject: Re: Problems with kadmind, kpasswd and cross-realm > >> authentication > >> > >> > >> What do you see when you capture the traffic with wireshark on > >> port 88 and > >> 464 ? Do you see the correct kadmin/[EMAIL PROTECTED] tickets ? > >> > >> Markus > >> > >> "Anthony Brock" <[EMAIL PROTECTED]> wrote in message > >> news:[EMAIL PROTECTED] > >> >> -----Original Message----- > >> >> Any ideas? > >> >> > >> >> The man page states that kadmind should be able to change > >> >> passwords for any > >> >> realms that have an associated kadmin/changepw@<REALM> and > >> >> kadmin/admin@<REALM> principal. Is this still true? Or has > >> >> support for this > >> >> functionality been dropped? If not, what debugging can be > performed to > >> >> identify the cause of the issue? > >> >> > >> >> Ideas? > >> >> > >> >> Tony > >> > > >> > Given that it's been 3 weeks and nobody has any suggestions > for further > >> > troubleshooting or identifying the issue, should this be > submitted as a > >> > bug > >> > in kadmind? If so, how do I submit it? Is there a documented process > >> > for > >> > this? > >> > > >> > Also, are there any suggested workarounds? I've seen references > >> from 2004 > >> > to > >> > people running a separate kadmind daemon for each realm > using different > >> > port > >> > numbers. Is this safe against a single db? If not, how do > you migrate a > >> > realm out of the default db into a separate db files? > >> > > >> > Thanks! > >> > > >> > Tony > >> > > >> > >> > >> ________________________________________________ > >> Kerberos mailing list [email protected] > >> https://mailman.mit.edu/mailman/listinfo/kerberos > >> > > > > > ________________________________________________ > Kerberos mailing list [email protected] > https://mailman.mit.edu/mailman/listinfo/kerberos > ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
