2013-11-09 14:58, Per Olofsson wrote:
I can confirm this bug as well and I've done some further experiments.
It seems that there is a problem with the kadmind in wheezy.
I'm running wheezy on both the KDC and the server. When I extract a new
keytab, I can't log in with ssh anymore. Running sshd in debug mode
(with -d), I get a GSS failure: "Wrong principal in request". However,
if I extract the keytab on the KDC with "kadmin -l" and copy it to the
server (as suggested in this bug report), then it works.
OK, I found the problem.
It seems that there is a new right in wheezy's kadmind called "get-keys"
which is necessary to extract keytabs. However:
* I already had "all" rights in /etc/heimdal-kdc/kadmind.acl.
Apparently, the "all" right does not include the "get-keys" right. I
changed to "all,get-keys" and now extracting keytabs works again.
* There is no error message in kadmin when trying to extract a keytab
without having the get-keys right. It just extracts principals but no
keys to the keytab.
* The documentation is ambiguous. The kadmind(8) man page mentions the
"get-keys" right, but does not say whether "all" includes it or not. The
example at the bottom seems to imply that "all" really includes all rights.
So something is wrong here. In my opinion, "all" rights should include
the get-keys right (it did so before), so it should simply be changed to
include it:
--- lib/kadm5/admin.h.orig 2013-11-09 15:37:20.000000000 +0100
+++ lib/kadm5/admin.h 2013-11-09 15:37:36.000000000 +0100
@@ -201,7 +201,7 @@
#define KADM5_PRIV_LIST (1 << 4)
#define KADM5_PRIV_CPW (1 << 5)
#define KADM5_PRIV_GET_KEYS (1 << 6)
-#define KADM5_PRIV_ALL (KADM5_PRIV_GET | KADM5_PRIV_ADD |
KADM5_PRIV_MODIFY | KADM5_PRIV_DELETE | KADM5_PRIV_LIST | KADM5_PRIV_CPW)
+#define KADM5_PRIV_ALL (KADM5_PRIV_GET | KADM5_PRIV_ADD |
KADM5_PRIV_MODIFY | KADM5_PRIV_DELETE | KADM5_PRIV_LIST | KADM5_PRIV_CPW
| KADM5_PRIV_GET_KEYS)
typedef struct _kadm5_config_params {
uint32_t mask;
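Review bot: the '+' line changes what the "all" keyword grants, so every existing kadmind.acl entry that says "all" silently gains key extraction on upgrade; that widening of deployed ACLs needs a changelog/NEWS entry and a matching change to the kadmind(8) man page, which (as noted above) does not say whether "all" includes "get-keys". Since exporting long-term keys is more sensitive than the other admin rights, upstream may have separated "get-keys" on purpose, so the upstream question belongs before the change; the non-widening alternative is to document that "all" excludes "get-keys" and to have kadmin report the missing right instead of writing a keytab with principals but no keys. Also, as posted the two multi-line `#define KADM5_PRIV_ALL` lines carry no trailing `\`, so the hunk will neither apply nor compile in this form; confirm that this is mail wrapping rather than the actual patch.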
But I'll ask upstream about it.
--
Pelle
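As an added illustration (not code from this message or from Heimdal): the two KADM5_PRIV_ALL definitions from the patch side by side, a parser for the rights column of kadmind.acl, and a check of whether an entry can put keys into an extracted keytab. The bit values of GET/ADD/MODIFY/DELETE, the keyword names other than "all" and "get-keys", and the function names are assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Privilege bits from lib/kadm5/admin.h. LIST, CPW and GET_KEYS are quoted in the
 * patch above; the lower four are assumed to follow upstream's bit order. */
#define KADM5_PRIV_GET      (1 << 0)
#define KADM5_PRIV_ADD      (1 << 1)
#define KADM5_PRIV_MODIFY   (1 << 2)
#define KADM5_PRIV_DELETE   (1 << 3)
#define KADM5_PRIV_LIST     (1 << 4)
#define KADM5_PRIV_CPW      (1 << 5)
#define KADM5_PRIV_GET_KEYS (1 << 6)
/* "all" as wheezy's header defines it (the '-' line) and as the '+' line would. */
#define PRIV_ALL_WHEEZY  (KADM5_PRIV_GET | KADM5_PRIV_ADD | KADM5_PRIV_MODIFY | \
                          KADM5_PRIV_DELETE | KADM5_PRIV_LIST | KADM5_PRIV_CPW)
#define PRIV_ALL_PATCHED (PRIV_ALL_WHEEZY | KADM5_PRIV_GET_KEYS)

/* Rights keywords of kadmind.acl: "all" and "get-keys" are on the page, the rest are
 * assumed. A bit of 0 marks "all", which expands to the PRIV_ALL_* mask passed in. */
static const struct { const char *name; uint32_t bit; } keywords[] = {
    {"get", KADM5_PRIV_GET}, {"add", KADM5_PRIV_ADD}, {"modify", KADM5_PRIV_MODIFY},
    {"delete", KADM5_PRIV_DELETE}, {"list", KADM5_PRIV_LIST}, {"cpw", KADM5_PRIV_CPW},
    {"change-password", KADM5_PRIV_CPW}, {"get-keys", KADM5_PRIV_GET_KEYS}, {"all", 0},
};

/* Parse a comma-separated rights column such as "all,get-keys" into a bitmask.
 * Returns -1 on an unknown or empty keyword; a valid mask always fits in an int. */
int parse_rights(const char *rights, uint32_t all_mask)
{
    uint32_t mask = 0;
    for (const char *p = rights;;) {
        const char *comma = strchr(p, ',');
        size_t n = comma ? (size_t)(comma - p) : strlen(p), i;
        for (i = 0; i < sizeof keywords / sizeof keywords[0]; i++)
            if (strlen(keywords[i].name) == n && memcmp(p, keywords[i].name, n) == 0)
                break;
        if (i == sizeof keywords / sizeof keywords[0])
            return -1;                                   /* unknown keyword */
        mask |= keywords[i].bit ? keywords[i].bit : all_mask;
        if (!comma)
            return (int)mask;
        p = comma + 1;
    }
}

/* 1 if the entry lets kadmin write keys into an extracted keytab, 0 if the keytab
 * would silently receive principals without keys, -1 if the list is malformed. */
int can_extract_keys(const char *rights, uint32_t all_mask)
{
    int mask = parse_rights(rights, all_mask);
    return mask < 0 ? -1 : (mask & KADM5_PRIV_GET_KEYS) != 0;
}
```

Running the reporter's "all" entry through both masks reproduces the report: 0 under the wheezy definition, 1 under the patched one, while "all,get-keys" is 1 under both.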