I can reproduce the problem on my SUSE 10.2 box with krb5-1.5.1-23.6
installed. Depending on how I start kadmind (with -r REALM1 or -r REALM2) I can
change the password for a REALM1 or a REALM2 user respectively. My man pages
say:
-r realm  specifies the default realm that kadmind will serve; if it is not
          specified, the default realm of the host is used. kadmind will answer
          requests for any realm that exists in the local KDC database and for
          which the appropriate principals are in its keytab.
If I don't provide the -r option, the default realm of the host (is this the
KDC?) is used, so it sounds like kadmind cannot answer for all realms, despite
the second sentence.
Why can't kadmind be used like krb5kdc with -r REALM1 and -r REALM2?
Markus
"Anthony Brock" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> I'm running version 1.6 on a Debian lenny box. The actual Debian packages
> are:
>
> ii  krb5-admin-server  1.6.dfsg.1-7  MIT Kerberos master server (kadmind)
> ii  krb5-kdc           1.6.dfsg.1-7  MIT Kerberos key server (KDC)
>
> Tony
>
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>> Behalf Of Markus Moeller
>> Sent: Monday, September 24, 2007 4:15 PM
>> To: [email protected]
>> Subject: Re: Problems with kadmind, kpasswd and cross-realm
>> authentication
>>
>>
>> That looks to me like a bug in the KDC code. Which release do you use?
>>
>> Markus
>>
>> "Anthony Brock" <[EMAIL PROTECTED]> wrote in message
>> news:[EMAIL PROTECTED]
>> > Unfortunately I'm not necessarily familiar enough to know if I'm seeing
>> > the "correct" tickets. I am seeing 6 packets, with the first 4 directed
>> > to/from port 88 and the last 2 directed to/from port 464:
>> >
>> > PKT 1: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KRB5 AS-REQ
>> > PKT 2: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> > PKT 3: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KRB5 AS-REQ
>> > PKT 4: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KRB5 AS-REP
>> >
>> > Then I see:
>> >
>> > PKT 5: Tkt-vno: 5, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KPASSWD Reply
>> > PKT 6: KPASSWD Reply [Malformed Packet]
>> >
>> > It's interesting to note that I can see in the "text" field of Wireshark
>> > for the "[Malformed Packet: Kpasswd]" the words "SCGROUP.ORG", "kadmin",
>> > "changepw" and "Failed reading application request". However, obviously,
>> > Wireshark didn't seem to understand the contents of the packet. Other than
>> > this anomaly, the REALM looks good to me.
>> >
>> > I'm also attaching a "text" export of the packet capture from Wireshark.
>> >
>> > Tony
>> >
>> >
>> >> -----Original Message-----
>> >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>> >> Behalf Of Markus Moeller
>> >> Sent: Monday, September 24, 2007 1:39 PM
>> >> To: [email protected]
>> >> Subject: Re: Problems with kadmind, kpasswd and cross-realm
>> >> authentication
>> >>
>> >>
>> >> What do you see when you capture the traffic with Wireshark on port 88
>> >> and 464? Do you see the correct kadmin/[EMAIL PROTECTED] tickets?
>> >>
>> >> Markus
>> >>
>> >> "Anthony Brock" <[EMAIL PROTECTED]> wrote in message
>> >> news:[EMAIL PROTECTED]
>> >> >> -----Original Message-----
>> >> >> Any ideas?
>> >> >>
>> >> >> The man page states that kadmind should be able to change passwords for
>> >> >> any realms that have an associated kadmin/changepw@<REALM> and
>> >> >> kadmin/admin@<REALM> principal. Is this still true? Or has support for
>> >> >> this functionality been dropped? If not, what debugging can be performed
>> >> >> to identify the cause of the issue?
>> >> >>
>> >> >> Ideas?
>> >> >>
>> >> >> Tony
>> >> >
>> >> > Given that it's been 3 weeks and nobody has any suggestions for further
>> >> > troubleshooting or identifying the issue, should this be submitted as a
>> >> > bug in kadmind? If so, how do I submit it? Is there a documented process
>> >> > for this?
>> >> >
>> >> > Also, are there any suggested workarounds? I've seen references from 2004
>> >> > to people running a separate kadmind daemon for each realm using
>> >> > different port numbers. Is this safe against a single db? If not, how do
>> >> > you migrate a realm out of the default db into separate db files?
>> >> >
>> >> > Thanks!
>> >> >
>> >> > Tony
>> >> >
>> >>
>> >>
>> >> ________________________________________________
>> >> Kerberos mailing list [email protected]
>> >> https://mailman.mit.edu/mailman/listinfo/kerberos
>> >>
>> >
>>
>
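Tony's capture (quoted above) shows a kpasswd reply that Wireshark flags as malformed but that visibly contains "SCGROUP.ORG", "kadmin", "changepw" and "Failed reading application request". That is the shape of the change-password protocol's error path (RFC 3244 framing): the AP-REP length field is 0 and a KRB-ERROR follows where the KRB-PRIV would normally be, with the error's e-data holding a 2-byte result code and a result string, and its sname naming the kadmin/changepw principal the server answered as. The decoder below is an added example, not code from this thread or from MIT Kerberos; the sample reply it builds is constructed to mirror those strings (result code 3, error-code 60 and the timestamp are assumptions, not values from the capture), and its DER reader only handles the single-byte tags KRB-ERROR and PrincipalName use.

```python
"""Decode a kpasswd reply (Kerberos change-password protocol, RFC 3244 framing).

Frame (three big-endian 16-bit fields, then the Kerberos messages):
    msg length | protocol version | AP-REP length | AP-REP | KRB-PRIV
If the server cannot process the AP-REQ, AP-REP length is 0 and a KRB-ERROR
takes the place of the KRB-PRIV; its e-data is a 2-byte result code + text.
"""
import struct

# RFC 3244 result codes (MIT krb5.h KRB5_KPASSWD_*)
KPASSWD_RESULT = {0: "SUCCESS", 1: "MALFORMED", 2: "HARDERROR", 3: "AUTHERROR",
                  4: "SOFTERROR", 5: "ACCESSDENIED", 6: "BAD_VERSION",
                  7: "INITIAL_FLAG_NEEDED"}
# DER tags: [APPLICATION 30] KRB-ERROR, SEQUENCE, INTEGER, OCTET STRING,
# GeneralString (KerberosString), GeneralizedTime (KerberosTime)
KRB_ERROR, SEQ, INT, OCTETS, GSTRING, GTIME = 0x7E, 0x30, 0x02, 0x04, 0x1B, 0x18


def der_read(buf, pos=0):
    """One DER TLV at buf[pos] -> (tag, value, next_pos); single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    """(tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, value, pos = der_read(body, pos)
        yield tag, value


def der(tag, body):
    """Encode one DER TLV with definite length (used to build the constructed sample)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def ctx(n, tlv):
    """Wrap a TLV in the [n] EXPLICIT context tag."""
    return der(0xA0 | n, tlv)


def parse_principal(seq_body):
    """PrincipalName: name-type [0], name-string [1] SEQUENCE OF KerberosString."""
    for tag, value in der_children(seq_body):
        if tag & 0x1F == 1:
            return "/".join(s.decode("ascii") for _, s in der_children(der_read(value)[1]))
    return ""


def parse_krb_error(data):
    """Pull error-code, realm, sname and the kpasswd result out of a KRB-ERROR."""
    tag, seq, _ = der_read(data)
    if tag != KRB_ERROR:
        raise ValueError("expected KRB-ERROR [APPLICATION 30], got tag 0x%02x" % tag)
    out = {}
    for tag, value in der_children(der_read(seq)[1]):
        field, inner = tag & 0x1F, der_read(value)[1]   # strip the [n] wrapper
        if field == 6:                                    # error-code
            out["error_code"] = int.from_bytes(inner, "big", signed=True)
        elif field == 9:                                  # realm the server answered as
            out["realm"] = inner.decode("ascii")
        elif field == 10:                                 # sname, e.g. kadmin/changepw
            out["sname"] = parse_principal(inner)
        elif field == 12:                                 # e-data: result code + text
            code = struct.unpack(">H", inner[:2])[0]
            out["result_code"], out["result"] = code, KPASSWD_RESULT.get(code, "UNKNOWN")
            out["result_text"] = inner[2:].rstrip(b"\0").decode("utf-8", "replace")
    return out


def parse_kpasswd_reply(pkt):
    """Split the kpasswd frame and decode the KRB-ERROR on the error path."""
    if len(pkt) < 6:
        raise ValueError("frame shorter than its 6-byte header")
    msg_len, version, ap_len = struct.unpack(">HHH", pkt[:6])
    if msg_len != len(pkt):
        raise ValueError("length field says %d bytes, frame has %d" % (msg_len, len(pkt)))
    info, rest = {"version": version, "ap_rep_len": ap_len}, pkt[6:]
    if ap_len == 0:
        info["status"] = "error"
        info.update(parse_krb_error(rest))
    else:
        info.update(status="krb-priv", ap_rep=rest[:ap_len], krb_priv=rest[ap_len:])
    return info


def answered_by_other_realm(info, client_realm):
    """True if the KRB-ERROR's server principal belongs to a realm other than the
    one the client obtained its kadmin/changepw ticket from."""
    return info.get("status") == "error" and info.get("realm", client_realm) != client_realm


def build_sample_error_reply(realm="SCGROUP.ORG", code=3,
                             text="Failed reading application request"):
    """CONSTRUCTED sample, not a capture: the error-path frame carrying the strings
    seen in the thread. Result code 3, error-code 60 and the time are assumptions."""
    sname = der(SEQ, ctx(0, der(INT, b"\x01")) +                        # NT-PRINCIPAL
                ctx(1, der(SEQ, der(GSTRING, b"kadmin") + der(GSTRING, b"changepw"))))
    body = (ctx(0, der(INT, b"\x05")) + ctx(1, der(INT, b"\x1e")) +      # pvno, msg-type 30
            ctx(4, der(GTIME, b"20070924201500Z")) + ctx(5, der(INT, b"\x00")) +
            ctx(6, der(INT, b"\x3c")) +                                  # KRB_ERR_GENERIC
            ctx(9, der(GSTRING, realm.encode())) + ctx(10, sname) +
            ctx(12, der(OCTETS, struct.pack(">H", code) + text.encode())))
    payload = struct.pack(">HH", 1, 0) + der(KRB_ERROR, der(SEQ, body))  # vno 1, AP-REP len 0
    return struct.pack(">H", 2 + len(payload)) + payload


if __name__ == "__main__":
    reply = parse_kpasswd_reply(build_sample_error_reply())
    for key in ("status", "error_code", "realm", "sname", "result", "result_text"):
        print("%-12s %s" % (key, reply[key]))
    print("answered by another realm:", answered_by_other_realm(reply, "STERLINGCGI.COM"))
```

To run this against a real trace, export the payload bytes of the port 464 reply from Wireshark and pass them to parse_kpasswd_reply; for UDP the payload is the frame itself, while a TCP kpasswd exchange carries a 4-byte record length in front of it, as the other Kerberos TCP transports do, which has to be stripped first. The check a practitioner wants from the decoded error is the realm in sname: the client in the thread fetched its kadmin/changepw ticket from STERLINGCGI.COM, so an error naming kadmin/changepw@SCGROUP.ORG shows which realm's key kadmind tried to read the AP-REQ with, and answered_by_other_realm makes that comparison explicit.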