heimdal 0.6.5 kinit from keytab/srvtab: oddness
We noticed after upgrading to 0.6.5 that kinit didn't work reliably from
keytabs/srvtabs any more. Some principals work, others fail.
Working principal:
kadmin> get -l audit
Principal: audit@ECE.CMU.EDU
Principal expires: never
Password expires: never
Last password change: never
Max ticket life: 1 day 1 hour
Max renewable life: unlimited
Kvno: 1
Mkvno: 0
Policy: none
Last successful login: never
Last failed login: never
Failed login count: 0
Last modified: 2000-11-13 16:24:02 UTC
Modifier: admin@ECE.CMU.EDU
Attributes:
Keytypes(salttype[(salt-value)]): des-cbc-crc(afs3-salt(ece.cmu.edu)), des-cbc-md4(afs3-salt(ece.cmu.edu)), des-cbc-md5(afs3-salt(ece.cmu.edu)), des3-cbc-sha1(pw-salt)
(one of many) Failing principal:
kadmin> get -l opr
Principal: opr@ECE.CMU.EDU
Principal expires: never
Password expires: never
Last password change: never
Max ticket life: 1 day 1 hour
Max renewable life: unlimited
Kvno: 6
Mkvno: 0
Policy: none
Last successful login: never
Last failed login: never
Failed login count: 0
Last modified: 2002-05-21 14:26:24 UTC
Modifier: admin@ECE.CMU.EDU
Attributes:
Keytypes(salttype[(salt-value)]): des3-cbc-sha1(pw-salt), des-cbc-md5(pw-salt()), des-cbc-md4(pw-salt()), des-cbc-crc(pw-salt()), des-cbc-md5(afs3-salt(ece.cmu.edu)), des-cbc-md4(afs3-salt(ece.cmu.edu)), des-cbc-crc(afs3-salt(ece.cmu.edu))
From here it gets kind of odd. Here's another principal, just created
today, that we've been working with:
kadmin> get -l lsfclient
Principal: lsfclient@ECE.CMU.EDU
Principal expires: never
Password expires: never
Last password change: never
Max ticket life: 1 day 1 hour
Max renewable life: unlimited
Kvno: 1
Mkvno: 0
Policy: none
Last successful login: never
Last failed login: never
Failed login count: 0
Last modified: 2005-09-01 15:13:31 UTC
Modifier: admin@ECE.CMU.EDU
Attributes: disallow-postdated
Keytypes(salttype[(salt-value)]): arcfour-hmac-md5(pw-salt), des3-cbc-sha1(pw-salt), des-cbc-md5(pw-salt()), des-cbc-md4(pw-salt()), des-cbc-crc(pw-salt()), des-cbc-md5(afs3-salt(ece.cmu.edu)), des-cbc-md4(afs3-salt(ece.cmu.edu)), des-cbc-crc(afs3-salt(ece.cmu.edu))
And keytab and srvtab extracted therefrom:
lsf.keytab:
Vno Type Principal
1 arcfour-hmac-md5 lsfclient@ECE.CMU.EDU
1 des3-cbc-sha1 lsfclient@ECE.CMU.EDU
1 des-cbc-md5 lsfclient@ECE.CMU.EDU
1 des-cbc-md4 lsfclient@ECE.CMU.EDU
1 des-cbc-crc lsfclient@ECE.CMU.EDU
1 des-cbc-md5 lsfclient@ECE.CMU.EDU
1 des-cbc-md4 lsfclient@ECE.CMU.EDU
1 des-cbc-crc lsfclient@ECE.CMU.EDU
SRVTAB:lsf.srvtab:
Vno Type Principal
1 des-cbc-md5 lsfclient@ECE.CMU.EDU
1 des-cbc-md4 lsfclient@ECE.CMU.EDU
1 des-cbc-crc lsfclient@ECE.CMU.EDU
1 des-cbc-md5 lsfclient@ECE.CMU.EDU
1 des-cbc-md4 lsfclient@ECE.CMU.EDU
1 des-cbc-crc lsfclient@ECE.CMU.EDU
Start with the srvtab:
2@bajinaji000:511 Z# od -c lsf.srvtab
0000000 l s f c l i e n t \0 \0 E C E . C
0000020 M U . E D U \0 001 � \v \b O C 001 @
0000040 l s f c l i e n t \0 \0 E C E . C
0000060 M U . E D U \0 001 � � � 224
0000100
I count only two keys there; where'd ktutil get six?
The keytab is even weirder: after examining the above "get" lists, we
concluded that it might be a good idea to remove all the krb4 keys (the
one difference that stands out to me is that the working principal has
no krb4 keys with pw-salt, only with afs3-salt; but you can't delete
keys by salt type). Which led to:
2@bajinaji000:512 Z# ktutil -k lsf.keytab remove -p lsfclient -e des-cbc-md5
2@bajinaji000:513 Z# ktutil -k lsf.keytab remove -p lsfclient -e des-cbc-md4
2@bajinaji000:514 Z# ktutil -k lsf.keytab remove -p lsfclient -e des-cbc-crc
2@bajinaji000:515 Z# kinit --use-keytab --keytab=/tmp/lsf.keytab -n lsfclient
kinit: krb5_get_init_creds: failed to find lsfclient@ECE.CMU.EDU in keytab /tmp/lsf.keytab
2@bajinaji000:516 Z# ktutil -k lsf.keytab list
lsf.keytab:
Vno Type Principal
1 arcfour-hmac-md5 lsfclient@ECE.CMU.EDU
1 des3-cbc-sha1 lsfclient@ECE.CMU.EDU
I'm flummoxed...
--
brandon s. allbery [linux,solaris,freebsd,perl] allbery@kf8nh.com
system administrator [WAY too many hats] allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon univ. KF8NH
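The srvtab dump in the post, as an added example that is not part of the original message: a parser for the classic krb4 srvtab layout (NAME\0 INSTANCE\0 REALM\0, one kvno byte, one 8-byte DES key per entry, no file header), run over constructed bytes that mirror the 64-byte od output (two 32-byte entries for lsfclient@ECE.CMU.EDU, kvno 1; the key bytes are placeholders, not real keys). Walking the bytes this way yields the two entries the author counted, and rejects a truncated file instead of silently stopping short.

```python
from dataclasses import dataclass

KEY_LEN = 8  # a krb4 srvtab stores one single-DES key per entry


@dataclass
class SrvtabEntry:
    name: str
    instance: str
    realm: str
    kvno: int
    key: bytes

    @property
    def principal(self) -> str:
        # krb4 spelling is name[.instance]@REALM; an empty instance is omitted
        local = self.name if not self.instance else f"{self.name}.{self.instance}"
        return f"{local}@{self.realm}"


def _read_cstring(buf: bytes, pos: int) -> tuple[str, int]:
    """Return the NUL-terminated string at pos and the offset just past it."""
    end = buf.index(b"\0", pos)  # ValueError if the terminator is missing
    return buf[pos:end].decode("ascii"), end + 1


def parse_srvtab(buf: bytes) -> list[SrvtabEntry]:
    """Walk the file: NAME\\0 INST\\0 REALM\\0, one kvno byte, 8 key bytes, repeated."""
    entries = []
    pos = 0
    while pos < len(buf):
        name, pos = _read_cstring(buf, pos)
        instance, pos = _read_cstring(buf, pos)
        realm, pos = _read_cstring(buf, pos)
        if pos + 1 + KEY_LEN > len(buf):
            raise ValueError(f"truncated entry at offset {pos}")
        kvno = buf[pos]
        key = buf[pos + 1 : pos + 1 + KEY_LEN]
        pos += 1 + KEY_LEN
        entries.append(SrvtabEntry(name, instance, realm, kvno, key))
    return entries


# Constructed sample: two 32-byte entries like the 64-byte od dump; key bytes are placeholders.
SAMPLE_SRVTAB = (
    b"lsfclient\0\0ECE.CMU.EDU\0\x01" + bytes(range(8))
    + b"lsfclient\0\0ECE.CMU.EDU\0\x01" + bytes(range(8, 16))
)

if __name__ == "__main__":
    for entry in parse_srvtab(SAMPLE_SRVTAB):
        print(entry.principal, "kvno", entry.kvno, "key", entry.key.hex())
```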