
kpasswd fails with multiple realms


Rich Jamieson

Jul 2, 2001, 11:47:24 AM
Looks like this one has been seen before - so I get the feeling that
there is a patch out there somewhere. (search google for
"kpasswd_server David Wragg").
I'm using MIT, krb5-1.2.2 on Solaris 2.8.

I've set up multiple realms on the same server.
The problem is that kpasswd will not work for both realms.
kpasswd works with one of the realms, but not the other.

----

The error message I get is:

kpasswd rjusers/ad...@RJUSERS.RICH.COM
Password for rjusers/ad...@RJUSERS.RICH.COM:
Enter new password:
Enter it again:
Authentication error: Failed reading application request


-----

My krb5.conf is:
[libdefaults]
ticket_lifetime = 600
default_realm = RJUSERS.RICH.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]

RJHOSTS.RICH.COM = {
kdc = server1.rich.com:88
admin_server = server1.rich.com:740
}

RJUSERS.RICH.COM = {
kdc = server1.rich.com:88
admin_server = server1.rich.com:720
}


[domain_realm]
.wks.rich.com = RJUSERS.RICH.COM
.srv.rich.com = RJHOSTS.RICH.COM

[logging]
kdc = FILE:/opt/MITkrb5/log/krb5kdc.log
admin_server = FILE:/opt/MITkrb5/log/kadmin.log
default = FILE:/opt/MITkrb5/log/krb5lib.log

------

My kdc.conf is:
[kdcdefaults]
kdc_ports = 88

[realms]

RJHOSTS.RICH.COM = {
profile = /opt/MITkrb5/etc/krb5.conf
database_name = /opt/MITkrb5/var/krb5kdc/RJHOSTS.RICH.COM/principal
admin_keytab = /opt/MITkrb5/var/krb5kdc/RJHOSTS.RICH.COM/kadm5.keytab
acl_file = /opt/MITkrb5/var/krb5kdc/RJHOSTS.RICH.COM/kadm5.acl
dict_file = /opt/MITkrb5/var/krb5kdc/kadm5.dict
key_stash_file = /opt/MITkrb5/var/krb5kdc/RJHOSTS.RICH.COM/.k5stash
kadmind_port = 740
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
}

RJUSERS.RICH.COM = {
database_name = /opt/MITkrb5/var/krb5kdc/RJUSERS.RICH.COM/principal
admin_keytab = /opt/MITkrb5/var/krb5kdc/RJUSERS.RICH.COM/kadm5.keytab
acl_file = /opt/MITkrb5/var/krb5kdc/RJUSERS.RICH.COM/kadm5.acl
dict_file = /opt/MITkrb5/var/krb5kdc/kadm5.dict
key_stash_file = /opt/MITkrb5/var/krb5kdc/RJUSERS.RICH.COM/.k5stash
kadmind_port = 720
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
}

[logging]
kdc = FILE:/opt/MITkrb5/log/krb5kdc.log
admin_server = FILE:/opt/MITkrb5/log/kadmin.log
default = FILE:/opt/MITkrb5/log/krb5lib.log

----
The relevant processes are:
ps -ef | grep MIT
root 4644 1 0 16:32:18 ? 0:00 /opt/MITkrb5/sbin/krb5kdc -r RJHOSTS.RICH.COM -r RJUSERS.RICH.COM
root 4647 1 0 16:32:29 ? 0:00 /opt/MITkrb5/sbin/kadmind -r -port 720
root 4649 1 0 16:32:42 ? 0:00 /opt/MITkrb5/sbin/kadmind -r RJHOSTS.RICH.COM -port 740

Note:
If I start up the "RJUSERS.RICH.COM" kadmind first, then kpasswd
will work for that realm but not the "RJHOSTS.RICH.COM" realm.

If I start up the "RJHOSTS.RICH.COM" kadmind first, then kpasswd
will work for that realm but not the "RJUSERS.RICH.COM" realm.

-----------------------------

"man kpasswd" (and nowhere else that I can see) mentions a
"kpasswd_server = host:port" entry in the krb5.conf file.
If I add a pair of these entries my kpasswd command for both realms
just hangs.
eg:
"kpasswd_server = server1.rich.com:740" { for RJHOSTS }
and "kpasswd_server = server1.rich.com:720" { for RJUSERS }

---------

My /etc/services file contains:
grep -i ker /etc/services

klogin 543/tcp # Kerberos authenticated rlogin
kshell 544/tcp cmd # Kerberos authenticated remote shell
RJUSERS-kerberos-adm 720/tcp # Kerberos V5 Administration
RJUSERS-kerberos-adm 720/udp # Kerberos V5 Administration
RJHOSTS-kerberos-adm 740/tcp # Kerberos V5 Administration
RJHOSTS-kerberos-adm 740/udp # Kerberos V5 Administration
kerberos 750/udp kdc # Kerberos key server
kerberos 750/tcp kdc # Kerberos key server
kerberos-sec 88/udp kdc # MIT V5 Kerberos key server
kerberos-sec 88/tcp kdc # MIT V5 Kerberos key server
krb524 4444/tcp # MIT Kerberos 5 to 4 ticket translator
krb5_prop 754/tcp # Kerberos V5 KDC propogation
eklogin 2105/tcp # Kerberos encrypted rlogin

-----------------


As I say, I think this has been seen before.
Does anyone know where I can get a patch?

regards

Richard Jamieson.

Donn Cave

Jul 2, 2001, 1:47:02 PM
Quoth Richard....@db.com (Rich Jamieson):

| Looks like this one has been seen before - so I get the feeling that
| there is a patch out there somewhere. (search google for
| "kpasswd_server David Wragg").
| Im using MIT, krb5-1.2.2 on Solaris 2.8.
|
| Ive setup multiple realms on the same server.
| The problem is that kpasswd will not work for both realms.
| kpasswd works with one of the realms, but not the other.

I don't know about a patch, but along with

admin_server = server1.rich.com:720

you might try

kpasswd_server = server1.rich.com:454

That number picked at random, check for something that isn't the
one kadmind has already bound (464?) and isn't otherwise in use.
It's a distinct service, so it has to be on a different port
from "admin_server". Don't know if you can get kadmind to respect
this, but at least the client will. DNS fallback should also work,
SRV record _kpasswd._udp.RJUSERS.RICH.COM port 454.

Donn Cave, do...@u.washington.edu
----------------------------------------

Rich Jamieson

Jul 4, 2001, 1:52:57 PM
OK - think I'm getting somewhere - found a couple of workarounds anyway.

Problem seems to be that kadmind always uses port 464 for password changing.
It's hard coded - I think.

True, you can set (eg: )
kpasswd_server = myserver:465
in krb5.conf.
This will make kpasswd look on port 465 for the password changing service.
However this doesn't do any good if you can't get your kadmind to "look" on
port 465. The command will just hang then time out.

I've found two workarounds

a) Use kadmin to change the password
This doesn't use the "password service" port (default 464).
It uses the port specified by "admin_server" in krb5.conf (eg: 749).
You can fiddle with k5adm.acl to make sure that users can only change
their own passwords.
Agree - this is a bit shabby !

b) create another kadmind binary that uses a different port (say 465) for
its password service.
i) Change line in include/krb5/stock/osconf.h
to:
#define DEFAULT_KPASSWD_PORT 465

ii) rebuild binaries etc.

iii) Copy the new kadmind to kadmind.465

iv) Now you can run
kadmind -r REALM1.COM -port 740
kadmind.465 -r REALM2.COM -port 720

v) Make sure your realm entries in krb5.conf have the relevant
kpasswd_server entry, eg:
REALM1.COM
admin_server = servername:740
kpasswd_server = servername:464

REALM2.COM
admin_server = servername:720
kpasswd_server = servername:465


Agree this is also a bit shabby :) - but possibly better than option (a)
--------

OK - both of these options work - but I guess if I was a programmer I could
come up with a more elegant solution.
Ideally I guess we'd want kadmind to look at the kpasswd_server entry in
krb5.conf?
If anyone has a better fix (or can code one now), please could you send me a
copy?

Can anyone confirm that this is a bug - should I report it or something?

Richard J



Turbo Fredriksson

Jul 5, 2001, 8:44:02 AM
>>>>> "Rich" == Rich Jamieson <Richard....@db.com> writes:

Rich> you can fiddle with k5adm.acl to make sure that users can only
Rich> change their own passwords.

Could you give me some examples on this? I'm still quite new to Kerberos
administration...


Rich Jamieson

Jul 9, 2001, 5:23:49 AM
cat k5adm.acl
fred/ad...@RICHJAM.COM c fred/ad...@RICHJAM.COM

Now "fred" can run the command:
kadmin -p fred/ad...@RICHJAM.COM -r RICHJAM.COM -q "cpw fred/admin"

This makes "fred" an "admin" user in the "RICHJAM.COM" realm but all
he can do with "kadmin" is change his own password. - see "man
kadmind".


PS - This is one way to get round the multiple-realms-on-same-system
"kpasswd" problem. But I don't think I'm going to use this solution.
Until there's a bug-fix, I think I'm going to choose the option to
compile up a second version of kadmind.

RichJ


Kiran Kumar M

Jul 30, 2001, 10:29:16 AM

Try the following kdc.conf & krb5.conf, and restart kadmind

kdc.conf
------

[realms]
....
....
RJHOSTS.RICH.COM = {
.......
kpasswd_port = 8000
.......
}

RJUSERS.RICH.COM = {
......
kpasswd_port = 8001
......
}
.....
......

krb5.conf
-------
.......
.......

[realms]

RJHOSTS.RICH.COM = {
.......
kpasswd_server = server1.rich.com:8000
}

RJUSERS.RICH.COM = {
.......
kpasswd_server = server1.rich.com:8001
}
......
......


--
"I'm a bear of very little brain, and big words bother me."

-- Winnie-the-Pooh ch 4, A.A.Milne
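A consistency check for the two-realm setup discussed in this thread, added here as an example and not code from the thread or from MIT Kerberos: it parses the [realms] stanzas of krb5.conf and kdc.conf, then reports a realm whose client-side kpasswd_server port does not match the kpasswd_port its kadmind binds, and two realms on one host whose kadminds would both bind the same port (the 464 collision above). It assumes the kpasswd_port kdc.conf setting and the kpasswd_server krb5.conf setting named in the replies, and the sample configs are constructed.

```python
# Added example, not code from the thread: parse [realms] stanzas of MIT-style
# krb5.conf / kdc.conf and flag a kpasswd_server port that differs from the
# kpasswd_port its realm's kadmind binds, or two kadminds sharing one port.
# Constructed samples; RJUSERS has no kpasswd_port, so its kadmind falls back to 464.
KRB5_CONF = """[realms]
RJHOSTS.RICH.COM = {
  kpasswd_server = server1.rich.com:8000
}
RJUSERS.RICH.COM = {
  kpasswd_server = server1.rich.com:8001
}"""
KDC_CONF = """[realms]
RJHOSTS.RICH.COM = {
  kpasswd_port = 8000
}
RJUSERS.RICH.COM = {
}"""

def parse_realms(text):
    """Return {realm: {key: value}} from a profile's [realms] section."""
    realms, section, realm = {}, None, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments; blanks fall through
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "realms" and line.endswith("{"):
            realm = line[:-1].split("=")[0].strip()
            realms[realm] = {}
        elif line == "}":
            realm = None
        elif realm and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            realms[realm][key] = val
    return realms

def check_kpasswd_ports(krb5_text, kdc_text, default_port=464):
    """Return problem strings; an empty list means the realms are consistent."""
    client, kdc = parse_realms(krb5_text), parse_realms(kdc_text)
    problems, bound = [], {}
    for realm, kvs in kdc.items():
        port = int(kvs.get("kpasswd_port", default_port))  # what kadmind binds
        if port in bound:
            problems.append(f"{realm} and {bound[port]} both bind kpasswd port {port}")
        bound[port] = realm
        server = client.get(realm, {}).get("kpasswd_server", "")
        want = int(server.rsplit(":", 1)[1]) if ":" in server else default_port
        if want != port:
            problems.append(f"{realm}: clients use port {want}, kadmind listens on {port}")
    return problems
```

Run against the samples it reports the RJUSERS mismatch (clients on 8001, kadmind on 464); with both realms left at the default it reports the port collision instead.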
