Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege" (Corrected)

2017-06-29 Thread Henry B (Hank) Hotz, CISSP
> On Jun 29, 2017, at 12:45 PM, Nico Williams wrote: > > On Thu, Jun 29, 2017 at 11:41:41AM -0700, Henry B (Hank) Hotz, CISSP wrote: >>> On Jun 28, 2017, at 8:11 AM, Nico Williams wrote: >>> On Wed, Jun 28, 2017 at 07:28:59AM +0200, Lars-Johan

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-29 Thread Henry B (Hank) Hotz, CISSP
> On Jun 29, 2017, at 12:45 PM, Nico Williams wrote: > > On Thu, Jun 29, 2017 at 11:41:41AM -0700, Henry B (Hank) Hotz, CISSP wrote: >>> On Jun 28, 2017, at 8:11 AM, Nico Williams wrote: >>> On Wed, Jun 28, 2017 at 07:28:59AM +0200, Lars-Johan

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-29 Thread Nico Williams
On Thu, Jun 29, 2017 at 11:41:41AM -0700, Henry B (Hank) Hotz, CISSP wrote: > > On Jun 28, 2017, at 8:11 AM, Nico Williams wrote: > > On Wed, Jun 28, 2017 at 07:28:59AM +0200, Lars-Johan Liman wrote: > >> Please fix this, either by changing the name "all" to "most" (or > >>

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-28 Thread Chaskiel Grundman
I have a toolset deployed at Carnegie Mellon that attempts to address some of these problems (automatic rekeying of services and purging of old keys from keytabs). https://github.com/cg2v/krb-rekey The protocol is probably too cute and non-standard for people to want to use, and there isn't

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-28 Thread Nico Williams
On Wed, Jun 28, 2017 at 12:08:31AM -0500, Nico Williams wrote: > We do need better key mgmt support though. It'd be nice to have automatic > rekeying and expunging of keys too old to be needed for decrypting > extant live tickets. Viktor points out that we do have server-side (in libkadm5, thus

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-28 Thread Jeffrey Altman
On 6/28/2017 1:17 AM, Russ Allbery wrote: > Nico Williams writes: > >> We do need better key mgmt support though. It'd be nice to have automatic >> rekeying and expunging of keys too old to be needed for decrypting >> extant live tickets. > > Yes, please, or I will inflict

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-28 Thread Nico Williams
On Tue, Jun 27, 2017 at 10:17:40PM -0700, Russ Allbery wrote: > Nico Williams writes: > > > We do need better key mgmt support though. It'd be nice to have automatic > > rekeying and expunging of keys too old to be needed for decrypting > > extant live tickets. > > Yes,

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-27 Thread Lars-Johan Liman
All (pun intended!), On Mon, Jun 26, 2017 at 11:18:28AM +0200, Andreas Haupt wrote: >> Heimdal 7.3 seems to suffer from a bug in privilege checking. A principal >> having all rights on the database is unable to extract keytabs: n...@cryptonector.com: > This is on purpose. > We decided that it

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-27 Thread Russ Allbery
Nico Williams writes: > We do need better key mgmt support though. It'd be nice to have automatic > rekeying and expunging of keys too old to be needed for decrypting > extant live tickets. Yes, please, or I will inflict my hideous shell script on you that does this (using

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-27 Thread Nico Williams
On Tue, Jun 27, 2017 at 05:44:25PM -0700, Russ Allbery wrote: > Jeffrey Hutzelman writes: > > ext_keytab is poorly-named. In MIT Kerberos, it doesn't actually extract > > anything; it generates a new key with a new kvno and stores it in both > > the keytab and the kdb. MIT kadmind,

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-27 Thread Russ Allbery
Jeffrey Hutzelman writes: > ext_keytab is poorly-named. In MIT Kerberos, it doesn't actually extract > anything; it generates a new key with a new kvno and stores it in both > the keytab and the kdb. MIT kadmind, going back as far as krb4, didn't > even have an operation to fetch

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-27 Thread Jeffrey Hutzelman
On Tue, 2017-06-27 at 16:42 -0700, Henry B (Hank) Hotz, CISSP wrote: > > > > On Jun 27, 2017, at 4:23 PM, Nico Williams > > wrote: > > > > We decided that it was never a good idea for "all" to have meant > > "extract keys", because in general that's not desirable. > How

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-27 Thread Henry B (Hank) Hotz, CISSP
> On Jun 27, 2017, at 4:23 PM, Nico Williams wrote: > > We decided that it was never a good idea for "all" to have meant > "extract keys", because in general that's not desirable. How is extracting keys different from extracting a keytab (with the keys inside it)?

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-27 Thread Nico Williams
On Mon, Jun 26, 2017 at 11:18:28AM +0200, Andreas Haupt wrote: > Heimdal 7.3 seems to suffer from a bug in privilege checking. A principal > having all rights on the database is unable to extract keytabs: This is on purpose. We decided that it was never a good idea for "all" to have meant

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-27 Thread Henry B (Hank) Hotz, CISSP
I’m with Love’s comment. Sounds like we did something different for some reason? Sounds like the current behavior is confusing, and therefore wrong, but I’ll have to make sure I understand it. I don’t think being able to get passwords is a different privilege from getting keys. Getting keytabs

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-26 Thread Andreas Haupt
Sorry for replying to myself but I guess, I found the answer: https://github.com/heimdal/heimdal/issues/96 contains the discussion. When the kadmind.acl looks like this, the kadmin 'privileges' command won't contain the 'get-keys' right, but ext_keytab will work anyway: [kdc1] /root # cat