Hello
we use LDAP+KERBEROS and after upgrading from 1.4 to 1.4.1
my scripts for users creation/change don't work anymore.
They are based on 'kadmin' utility or perl module Authen::Krb5::Admin
for remote management on the kerberos and LDAP db.
As user/admin@REALM I am used to do only
'kinit user/admin@REALM'
to grant me LDAP and KERBEROS admin access.
All scripts then use the KRB5CCNAME file.
Symptoms are that 'kadmin -c $KRB5CCNAME -q ...' or Authen::Krb5::Admin->init_with_creds
refuse to try to use existing krbtgt/REALM@REALM to get the mandatory
kadmin/krbserver.domain@REALM service ticket.
If I do a 'kinit -s kadmin/admin user/admin' it works but
then I can't use that service ticket to access LDAP.
Replacing libkadm5clnt.so with previuos 1.4 version fixes it
and after a run of init_with_creds my cache file correctly contains:
08/02/05 12:56:20 08/03/05 12:56:20 krbtgt/REALM@REALM
08/02/05 12:56:28 08/03/05 12:56:20 kadmin/krbserver.domain@REALM
08/02/05 12:56:28 08/03/05 12:56:20 ldap/krbserver.domain@REALM

Sources' Changelog file helps me to concentrate on
krb5-1.4.1/src/lib/kadm5/clnt/client_init.c
After some deep investigation with DDD (you know, it's summertime
and sysadmin have a lot of sparetime
seems that the section starting from line 434:
code = kadm5_gic_iter(handle, init_type, ccache,
client, pass, svcname, realm,
full_svcname, full_svcname_len);
if ((code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
|| code == KRB5_CC_NOTFOUND) && svcname_in == NULL) {
/* Retry with old host-independent service princpal. */
code = kadm5_gic_iter(handle, init_type, ccache,
client, pass,
KADM5_ADMIN_SERVICE, realm,
full_svcname, full_svcname_len);
}

check only for existing kadmin/fqdn@REALM or (fallback) kadmin/admin@REALM
and obviously return an error. The embarassing thing is that if I create
a cache with 1.4 libkadm5clnt.so it is gladly accepted by 1.4.1 libkadm5clnt.so
I am not a kerberos guru so there could be something wrong
in my configuration or in my way of understanding Kerberos philosophy.

Any feedback will be appreciated.

Regards
Valerio Pulese


-- admin@dei.unipd.it
--
-
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos