What is 'flavor'? - Kerberos


Thread: What is 'flavor'?

  1. What is 'flavor'?

    I've just set up a 1.4.1 KDC and I notice what appears to be new
    information in kadmind log messages, namely, 'flavor=nnnnn'. I don't think
    I've seen this on my current production KDC, which is 1.3.4. So, some
    questions:

    o What does 'flavor' mean in this context?

    o Is this information, in particular the meaning of specific flavor
    values, documented?

    So far, I've seen the following values for 'flavor': 6 and 300001. The
    former corresponds to an interactive kadmin authentication; the latter to
    a kadmin using a keytab. But thus far I have no further information, so
    I'm hoping someone can enlighten me.

    Thanks.

    Mike

    _____________________________________________________________________
    Mike Friedman                    System and Network Security
    mikef@ack.Berkeley.EDU           2484 Shattuck Avenue
    1-510-642-1410                   University of California at Berkeley
    http://ack.Berkeley.EDU/~mikef   http://security.berkeley.edu
    _____________________________________________________________________

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: What is 'flavor'?

    >>>>> "mikef" == Mike Friedman writes:

    mikef> I've just set up a 1.4.1 KDC and I notice what appears to be new
    mikef> information in kadmind log messages, namely, 'flavor=nnnnn'. I don't
    mikef> think I've seen this on my current production KDC, which is 1.3.4.
    mikef> So, some questions:

    mikef> o What does 'flavor' mean in this context?

    That would be the ONCRPC authentication flavor.

    mikef> o Is this information, in particular the meaning of specific flavor
    mikef> values, documented?

    mikef> So far, I've seen the following values for 'flavor': 6 and
    mikef> 300001. The former corresponds to an interactive kadmin
    mikef> authentication; the latter to a kadmin using a keytab. But thus far
    mikef> I have no further information, so I'm hoping someone can enlighten me.

    6 is RPCSEC_GSS, which is the IETF standards-track authentication
    flavor for using GSSAPI in RPC. 300001 would be the AUTH_GSSAPI
    flavor developed by OpenVision, which is not standards-track. See
    RFCs 1831, 1832, 2203, etc. for details.

    I'm not quite sure why you're seeing 300001 when using a keytab.
    Exactly how are you invoking kadmin using a keytab? And which release
    are you running on the kadmin client? RPCSEC_GSS (flavor 6) should
    be used in preference to 300001 by modern MIT krb5.

    ---Tom


  3. Re: What is 'flavor'?

    On Tue, 9 Aug 2005 at 22:07 (-0400), Tom Yu wrote:

    > >>>>> "mikef" == Mike Friedman writes:

    >
    > mikef> o Is this information, in particular the meaning of specific flavor
    > mikef> values, documented?
    >
    > mikef> So far, I've seen the following values for 'flavor': 6 and
    > mikef> 300001. The former corresponds to an interactive kadmin
    > mikef> authentication; the latter to a kadmin using a keytab. But thus far
    > mikef> I have no further information, so I'm hoping someone can enlighten me.
    >
    > 6 is RPCSEC_GSS, which is the IETF standards-track authentication
    > flavor for using GSSAPI in RPC. 300001 would be the AUTH_GSSAPI
    > flavor developed by OpenVision, which is not standards-track. See
    > RFCs 1831, 1832, 2203, etc. for details.
    >
    > I'm not quite sure why you're seeing 300001 when using a keytab.
    > Exactly how are you invoking kadmin using a keytab? And which release
    > are you running on the kadmin client? RPCSEC_GSS (flavor 6) should
    > be used in preference to 300001 by modern MIT krb5.


    Tom,

    Actually I misspoke a bit. What I have is my own code, based on code in
    kadmin, that does a password change. (FWIW, although the client now has
    1.3.4 installed, this code was, I believe, compiled with an older release
    of MIT K5, possibly as far back as 2001).

    Here's the admin authentication piece of the code:

    /* Initialize the kadm5 connection, using the supplied keytab */
    retval = kadm5_init_with_skey(
        admin_princstr,
        keytab_name,
        KADM5_ADMIN_SERVICE,
        &params,
        KADM5_STRUCT_VERSION,
        KADM5_API_VERSION_2,
        &handle);

    if (retval) {
        com_err(whoami, retval, "while initializing %s interface", whoami);
        if (handle)
            kadm5_destroy(handle);
        exit(retval);
    }

    Followed a bit later by this:

    /* Now try the passphrase change */
    retval = kadm5_chpass_principal(handle, princ, passphrase);
    krb5_free_principal(context, princ);
    if (retval) {
        com_err(whoami, retval,
                "while changing passphrase for \"%s\".", canon);
        rcode = retval;
    }
    else
        printf("Password for \"%s\" changed.\n", canon);

    Mike



  4. Re: What is 'flavor'?

    >>>>> "mikef" == Mike Friedman writes:

    mikef> Actually I misspoke a bit. What I have is my own code, based on code
    mikef> in kadmin, that does a password change. (FWIW, although the client
    mikef> now has 1.3.4 installed, this code was, I believe, compiled with an
    mikef> older release of MIT K5, possibly as far back as 2001).

    That might explain it. It is only krb5-1.4 and later which have
    support for RPCSEC_GSS, so you will be using the older AUTH_GSSAPI
    authentication flavor for your custom client.

    ---Tom
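
Added example, not part of the thread and not MIT krb5 code: a Python filter that reads kadmind log lines, decodes the two flavor numbers named above (6 and 300001), and lists the clients still authenticating with the legacy AUTH_GSSAPI flavor, which per the reply above means a client built before krb5-1.4. Only the `flavor=` token comes from the thread; the `client=` and `addr=` fields, the line layout and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Flavor numbers named in the thread; kadmind logs them as flavor=N.
FLAVORS = {6: "RPCSEC_GSS", 300001: "AUTH_GSSAPI"}
LEGACY = {300001}  # OpenVision flavor, used by clients built before krb5-1.4

# Assumption: fields are comma-separated key=value pairs on the request line.
FIELD = re.compile(r"\b(client|addr|flavor)=([^,\s]+)")

def parse_line(line):
    """Return (client, addr, flavor) for a line carrying flavor=N, else None."""
    fields = dict(FIELD.findall(line))
    if not fields.get("flavor", "").isdecimal():
        return None
    return fields.get("client", "?"), fields.get("addr", "?"), int(fields["flavor"])

def flavor_name(number):
    """Name a flavor number; anything the thread does not cover stays numeric."""
    return FLAVORS.get(number, f"unknown({number})")

def legacy_clients(lines):
    """Count requests per (client, addr) that used a legacy flavor."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] in LEGACY:
            hits[rec[:2]] += 1
    return dict(hits)

# Constructed sample lines (not taken from the thread or a real KDC).
PREFIX = "Aug 09 22:07:00 kdc kadmind[4242](Notice): Request: "
SAMPLE = [
    PREFIX + "kadm5_init, admin/admin@EXAMPLE.ORG, success, "
    "client=admin/admin@EXAMPLE.ORG, addr=192.0.2.10, vers=2, flavor=6",
    PREFIX + "kadm5_init, pwchange/admin@EXAMPLE.ORG, success, "
    "client=pwchange/admin@EXAMPLE.ORG, addr=192.0.2.20, vers=2, flavor=300001",
    PREFIX + "kadm5_init, pwchange/admin@EXAMPLE.ORG, success, "
    "client=pwchange/admin@EXAMPLE.ORG, addr=192.0.2.20, vers=2, flavor=300001",
    PREFIX + "kadm5_chpass_principal, jdoe@EXAMPLE.ORG, success, "
    "client=pwchange/admin@EXAMPLE.ORG, addr=192.0.2.20",
    "Aug 09 22:07:01 kdc kadmind[4242](Error): truncated line, flavor=",
]

if __name__ == "__main__":
    for (client, addr), count in sorted(legacy_clients(SAMPLE).items()):
        print(f"{client} from {addr}: {count} x {flavor_name(300001)}")
```

Run against a real kadmind log, the resulting list is an inventory of admin clients to rebuild against krb5-1.4 or later.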