I run the ipa-getkeytab command as the user I'm changing the password for.

New info: On the server, in my /etc/krb5.conf file I have
"allow_weak_crypto = true". If I remove that from the file, changing the
password via ipa-getkeytab no longer works. The kinit command on the
Solaris client results in a segmentation fault. When I put
"allow_weak_crypto = true" back into the krb5.conf file and change the
password via ipa-getkeytab the kinit command on the Solaris client works
normally.

The ipa-getkeytab command must somehow be referencing "allow_weak_crypto"
and storing the password differently depending on it.

On Wed, Mar 27, 2013 at 5:51 AM, Simo Sorce <s...@redhat.com> wrote:

> On Wed, 2013-03-27 at 12:23 +0100, Sumit Bose wrote:
> > >
> > > I did (as admin@REALM user). But we hardcode root/admin@REALM if
> > this is
> > > administrative change:
> > >
> > > ipapwd_chpwop():
> > > ...
> > >     if (pwdata.changetype == IPA_CHANGETYPE_NORMAL) {
> > >         principal = slapi_entry_attr_get_charptr(pwdata.target,
> > >
> > "krbPrincipalName");
> > >     } else {
> > >         principal = slapi_ch_smprintf("root/admin@%s",
> > krbcfg->realm);
> > >     }
> > > ...
> > >
> > > Maybe the root cause of the crash is that we place there a principal
> > > (root/admin@REALM) which does not exist. But this is just a
> > speculation.
> >
> > ok, the principal is odd, and I guess this should be fixed, but maybe
> > Simo knows some more history here. But nevertheless I think it is
> > unrelated to the crash, becaus afaik this information is not send to
> > the
> > client and only used for book-keeing and auditing on the server side.
> >
> I don't recall the root/admin story, looks odd to me, but nothing of
> this matter to a *client* segfaulting.
>
> Clients do not get access to this data this is purely internal metadata
> used by kadmin and the KDC.
>
> What I wonder is if the client is segfaulting when the password is
> expired due to a bug in handling the request to immediately change the
> password ?
>
> David,
> if you kinit on a Linux machine and make sure you properly change the
> password of the user (as the user no as an admin), and then kinit again
> with the new credentials on Solaris, does it 'solve' your segfault
> issue ?
>
> In any case a segfault in a client command is something you need to
> report to your OS vendor, even if it is indirectly caused by the server
> it shows a potential attack vector and it is particularly worrying in
> something like kinit that may be run as root on a box.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to