The problem we're seeing is that the Kerby server admin accounts aren't configured to be compliant with the MIT kadmin account. Kerby allows the user to use a TGT to acquire a service ticket for kadmin, while MIT doesn't, so the auth methods are misaligned. I've recreated some C++ libraries I wrote to do this a while back; hopefully I can use them to help trace through and see where our packets are being malformed.

Thanks for the response, we'll keep plugging and let you know what we figure out.

Shawn

"The programmer … works only slightly removed from pure thought-stuff. He builds his castles in the air, from air, creating by exertion of the imagination." — Fred Brooks

Shawn Smith
Director of Software Engineering
Administrative Information Services
Penn State University
814-321-5227
[email protected]
https://keybase.io/ussmith

----- Original Message -----
From: "Zheng, Kai" <[email protected]>
To: "Apache Directory Developers List" <[email protected]>, [email protected]
Sent: Friday, August 5, 2016 5:48:31 PM
Subject: RE: Kerby Remote KAdmin

Hi Shawn,

I don't have a deep dive in that, but I thought what's been going is to get it work first in kerby remote client -> kerby admin server, in a protocol approach (XDR) aligned with MIT Kerberos admin. After that effort will be made to get it work with MIT admin using kerby admin client. Yan Yan is the major contributor but she had left the team so I'm not sure she will keep the contribution or not. Another contributor Qing from the team is working on a remote web UI interface at his willing.

Regards,
Kai

-----Original Message-----
From: SHAWN E SMITH [mailto:[email protected]]
Sent: Friday, August 05, 2016 10:14 PM
To: Apache Directory Developers List <[email protected]>
Subject: Kerby Remote KAdmin

All,

We've been working on getting the protocol working against an MIT Kerb instance. Based on byte tracing in Wireshark we think we're pretty close, but something is still not lining up cleanly. Has anyone else done a deep dive on this that may be able to provide some feedback on what we're doing? I'd like to find a good way to share what we're doing, but most of it is outside of core kerby so I'm not sure where to put it for others to see it.

Thanks,
Shawn

Any fool can write code that a computer can understand. Good programmers write code that humans can understand.
--Martin Fowler

Shawn Smith
Director of Software Engineering
Administrative Information Services
814-321-5227
[email protected]
https://keybase.io/ussmith
