./configure --with-berkeley-db  --with-x  --enable-pthread-support --enable-kcm 

compiles & passes make check on SUSE Leap 4.2

However, the -aklog switch isn't working.

Can someone verify the specific krb5.conf switches to enable afslog?

I have 7.0.1 up  in IBM's eclipse IDE which seems to work fine

tedc
________________________________________
From: Heimdal-discuss <heimdal-discuss-boun...@h5l.org> on behalf of 
heimdal-discuss-requ...@h5l.org <heimdal-discuss-requ...@h5l.org>
Sent: Thursday, December 29, 2016 1:10 AM
To: heimdal-discuss@h5l.org
Subject: Heimdal-discuss Digest, Vol 8, Issue 10

Send Heimdal-discuss mailing list submissions to
        heimdal-discuss@h5l.org

To subscribe or unsubscribe via the World Wide Web, visit
        https://www.h5l.org/mailman/listinfo/heimdal-discuss
or, via email, send a message with subject or body 'help' to
        heimdal-discuss-requ...@h5l.org

You can reach the person managing the list at
        heimdal-discuss-ow...@h5l.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Heimdal-discuss digest..."


Today's Topics:

   1. Re: Heimdal 7.1 and the sqlite backend (Harald Barth)
   2. Re: Heimdal 7.1 no success with database backend (sqlite and
      others) (Harald Barth)
   3. KDC tests fail when unrelated ticket with time skew is at the
      default location (Harald Barth)
   4. Re: KDC tests fail when unrelated ticket with time skew is at
      the default location (Ken Dreyer)
   5. Re: KDC tests fail when unrelated ticket with time skew is at
      the default location (Harald Barth)


----------------------------------------------------------------------

Message: 1
Date: Wed, 28 Dec 2016 14:17:01 +0100 (CET)
From: Harald Barth <h...@kth.se>
To: n...@cryptonector.com
Cc: heimdal-disc...@sics.se
Subject: Re: Heimdal 7.1 and the sqlite backend
Message-ID:
        <20161228.141701.198933457262321705.h...@habook.pdc.kth.se>
Content-Type: Text/Plain; charset=us-ascii


> So, in /etc/krb5.conf you should have this:
>
> [hdb]
>     db-dir = /var/heimdal
>
> (or wherever you put your HDB)

Sure, and then it gets more and more confusing. I now start the
kdc and the kadmin with -c /etc/krb5.conf and have a symlink
in /var/heimdal/kdc.conf pointing to /etc/krb5.conf.

# /usr/heimdal-7.1.0/libexec/kdc  -c /etc/krb5.conf&
[1] 80459
# /usr/heimdal-7.1.0/bin/kadmin -l -c /etc/krb5.conf
kadmin> get *
kadmin: opening database: dbm_open(/var/heimdal/heimdal): No such file or 
directory
kadmin: kadm5_get_principals: dbm_open(/var/heimdal/heimdal): No such file or 
directory
kadmin> init TEST.PDC.KTH.SE
kadmin: hdb_open: hdb_open: failed initialize database /var/heimdal/heimdal
kadmin>

So kadmin is sure doing the wrong thing here

# cat /etc/krb5.conf
[hdb]
  db-dir = /var/heimdal
  dbname = sqlite:/var/heimdal/mydb.sqlite
[kdc]
 database = {
    dbname = sqlite:/var/heimdal/mydb.sqlite
    realm = TEST.PDC.KTH.SE
 }
 require_preauth = true
 enable-http = true
 tgt-use-strongest-session-key = true
 svc-use-strongest-session-key = true
 preauth-use-strongest-session-key = true
 use-strongest-server-key = true
 kdc_warn_pwexpire = 1w
[logging]
 kdc = 0-/FILE:/var/heimdal/kdc.log
 kdc = 0-/SYSLOG:INFO:USER
 default = 0-/FILE:/var/log/heimdal.log

Then I get the following logging from the kdc startup:

2016-12-28T13:57:20 label: default
2016-12-28T13:57:20     dbname: sqlite:/var/heimdal/mydb.sqlite
2016-12-28T13:57:20     mkey_file: sqlite:/var/heimdal/mydb.mkey
2016-12-28T13:57:20     acl_file: /var/heimdal/kadmind.acl

So the problem seems to be that I can not convince kadmin to open the
same database because I don't know what to write in the krb5.conf
to make that happen. I can verify with ktrace that /etc/krb5.conf
(see above) actually is read but then what logic is applied when
parsing - I have not found out how to follow that.

Harald.


------------------------------

Message: 2
Date: Wed, 28 Dec 2016 17:13:48 +0100 (CET)
From: Harald Barth <h...@kth.se>
To: heimdal-disc...@sics.se
Subject: Re: Heimdal 7.1 no success with database backend (sqlite and
        others)
Message-ID:
        <20161228.171348.1317098851444232743.h...@habook.pdc.kth.se>
Content-Type: Text/Plain; charset=us-ascii


Well, even when I unconfigure sqlite support, it does not pass make check.

Error message: "kadmin: No database support for /var/heimdal/heimdal"

So I suspect that with

#  ./configure --with-libintl --with-libintl-include=/usr/local/include 
--with-libintl-lib=/usr/local/lib --prefix=/usr/heimdal-7.1.0-lmdb 
--disable-kcm --with-openssl --with-openssl-include=/usr/include 
--with-openssl-lib=/usr/lib --disable-otp --enable-pthread-support 
--with-readline=/usr/local --with-hdbdir=/var/heimdal --without-berkeley-db 
--enable-digest --with-ipv6 --enable-kx509 --without-openldap --enable-pk-init 
--without-sqlite3 --with-x --x-libraries=/usr/local/lib 
--x-includes=/usr/local/include --localstatedir=/var --disable-silent-rules 
--disable-ndbm-db --enable-mdb-db "CFLAGS=-I/usr/local/include" 
LDFLAGS="-L/usr/local/lib -Wl,-rpath -Wl,/usr/local/lib -lintl"

it does produce some kind of broken hdb library that will not pass
make check, at least not on FreeBSD11 :-(

I'll continue in the search for a configure line that actually makes
something that passes make check to start with.

Harald.




------------------------------

Message: 3
Date: Wed, 28 Dec 2016 20:48:46 +0100 (CET)
From: Harald Barth <h...@kth.se>
To: heimdal-disc...@sics.se
Subject: KDC tests fail when unrelated ticket with time skew is at the
        default location
Message-ID:
        <20161228.204846.336360576392363946.h...@habook.pdc.kth.se>
Content-Type: Text/Plain; charset=us-ascii


If there is an unrelated ticket with time skew at the default location

# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: h...@stacken.kth.se
    Cache version: 4
  KDC time offset: -23 minutes 22 seconds

Server: krbtgt/stacken.kth...@stacken.kth.se
Client: h...@stacken.kth.se
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 328
Auth time:  Dec 22 13:33:51 2016
End time:   Dec 29 13:33:51 2016
Ticket flags: pre-authent, initial, forwardable
Addresses: addressless

the following tests fail for that reason (shouldn't the tests be
independent of such stuff like unrelated old tickets?)

FAIL: check-kdc
FAIL: check-kdc-weak

When I remove the offending ticket:

PASS: check-kdc
PASS: check-kdc-weak

Now I "only" have to find the reason why these still fail in the kdc tests:

FAIL: check-pkinit
FAIL: check-iprop

Harald.
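The isolation the post above asks for, as an added example that is not code from the digest or from Heimdal's test suite: a small POSIX sh wrapper that runs a test step under a freshly created credential cache, so whatever sits in the default location (here FILE:/tmp/krb5cc_0, as in the klist output above) cannot influence the step. The function names and the polluted environment are constructed for the example; it assumes mktemp(1) is available and that the tools the step runs honour KRB5CCNAME (and KRB5_CONFIG, if used).

```shell
#!/bin/sh
# Added example (not code from the digest or from Heimdal's test suite): run a
# test step with a private Kerberos credential cache so a stale ticket sitting
# in the default location (here FILE:/tmp/krb5cc_0) cannot leak into the run.
# Assumes POSIX sh and mktemp(1); the command is whatever the caller passes.

run_with_private_ccache() {
    ccdir=$(mktemp -d "${TMPDIR:-/tmp}/krb5test.XXXXXX") || return 1
    # env(1) runs an external command with KRB5CCNAME overridden; the cache
    # file does not exist yet, so the step starts with no credentials at all.
    # KRB5_CONFIG could be set the same way if the step must also ignore
    # /etc/krb5.conf (assumption: the step's tools honour both variables).
    env KRB5CCNAME="FILE:$ccdir/cc" "$@"
    rc=$?
    rm -rf "$ccdir"
    return $rc
}

# Returns the cache name a child process would see, for checking isolation.
ccache_seen_by_child() {
    run_with_private_ccache sh -c 'printf %s "${KRB5CCNAME:-<unset>}"'
}

# Constructed polluted environment: pretend the shell already points at the
# default cache that held the skewed ticket.
KRB5CCNAME=FILE:/tmp/krb5cc_0
export KRB5CCNAME

# Demonstration: the child still sees a fresh, per-run cache.
echo "child sees: $(ccache_seen_by_child)"
```

The temporary directory is removed after the step, so each invocation starts from an empty cache and leaves nothing behind for the next test to pick up; a wrapper like this around every kinit/kgetcred call in the suite would have kept the unrelated ticket out of check-kdc and check-kdc-weak.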



------------------------------

Message: 4
Date: Wed, 28 Dec 2016 17:35:40 -0700
From: Ken Dreyer <ktdre...@ktdreyer.com>
To: Harald Barth <h...@kth.se>
Cc: heimdal-disc...@sics.se
Subject: Re: KDC tests fail when unrelated ticket with time skew is at
        the default location
Message-ID:
        <CAD3FbMWFpgCcT67Gtfw4zdL+Tf84v4=fmo99wyvhn7uw416...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

On Wed, Dec 28, 2016 at 12:48 PM, Harald Barth <h...@kth.se> wrote:
> the following tests fail for that reason (shouldn't the tests be
> independent of such stuff like unrelated old tickets?)

It would be nice to use EXAMPLE.ORG realms or something that will
never resolve to a real realm.

> Now I "only" have to find the reason why these still fail in the kdc tests:
>
> FAIL: check-pkinit
> FAIL: check-iprop

Typically the build system leaves some logs behind during "make check"
in each test directory (eg tests/kdc/test-suite.log). You can look
through the tests/kdc code and identify what exact command fails, then
run that command by hand to get more details (is it a crash?)

- Ken


------------------------------

Message: 5
Date: Thu, 29 Dec 2016 10:10:22 +0100 (CET)
From: Harald Barth <h...@kth.se>
To: ktdre...@ktdreyer.com
Cc: heimdal-disc...@sics.se
Subject: Re: KDC tests fail when unrelated ticket with time skew is at
        the default location
Message-ID:
        <20161229.101022.612786380250033907.h...@habook.pdc.kth.se>
Content-Type: Text/Plain; charset=us-ascii

> It would be nice to use EXAMPLE.ORG realms or something that will
> never resolve to a real realm.

It _does_ use a test realm, but the test is nevertheless disturbed
by a completely unrelated ticket at the default ticket location. That
is a bug in the testing framework or in some utility which does not
abide by the KRB5CCNAME setting and looks at other locations anyway.

> Typically the build system leaves some logs behind during "make check"
> in each test directory (eg tests/kdc/test-suite.log).

Yesss, thanks. It's now the next workday and I continue the hunt for bugs with
new coffee and bash -x.

>> FAIL: check-pkinit

This seems to be one more bug in the test-suite. What I get is

+ /usr/local/src/heimdal-7.1.0-build-lmdb/kuser/kinit -c FILE:../../tests/kdc/c\
ache.krb5 --no-afslog -C PKCS11:../../tests/kdc/../../lib/hx509/.libs/libhx509.\
so f...@test.h5l.se
kinit: Password incorrect

Which is from check-pkinit around these lines:

for a in libhx509.so .libs/libhx509.so libhx509.dylib .libs/libhx509.dylib ; do
    if [ -f $dir/$a ] ; then
        file=$dir/$a
        break
    fi
done

if [ X"$file" != X -a true ] ; then

    echo "Trying pk-init (principal in pki-mapping file) "; > messages.log
    ${kinit} -C PKCS11:${file} foo@${R} || \
        { ec=1 ; eval "${testfailed}"; }
    ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
    ${kdestroy}

fi

The "-C PKCS11:${file}" seems broken. I guess the -C flag should take
a cert and not a library as an argument. BTW, the -C flag is not
documented in the kinit manual page, and it would be good if the messages
"Trying..." were unique.

>> FAIL: check-iprop

This error was due to wc not being compatible between Linux and FreeBSD:

linux$ echo foo | wc -l
1
freebsd$ echo foo | wc -l
       1

Note the extra spaces, which blow up the following expr, which
cannot handle them.

Patch:

--- check-iprop.in.orig 2016-12-29 10:25:05.379171000 +0100
+++ check-iprop.in      2016-12-29 10:25:47.205435000 +0100
@@ -384,7 +384,7 @@
     # and LMDB levels.
     #
     echo "checking that principals in DB == entries in LMDB"
-    princs=`${kadmin} -l list '*' | wc -l`
+    princs=`${kadmin} -l list '*' | wc -l | awk '{print $1}'`
     entries=`mdb_stat -n current-db.mdb | grep 'Entries:' | awk '{print $2}'`
     [ "`expr 1 + "$princs"`" -eq "$entries" ] || exit 1
 fi
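Review bot: the awk stage on the `princs` line strips BSD wc's padding, but the only consumer that actually chokes on that padding is `expr 1 + "$princs"` on the last line of the hunk; `[ $((princs + 1)) -eq "$entries" ] || exit 1` would be POSIX, avoid the extra processes, and tolerate leading blanks without any stripping. One caveat if you go that way: an empty `$princs` becomes 0 silently under arithmetic expansion, whereas expr fails loudly, so keep the awk stage if loud failure on a broken kadmin listing is wanted. The `entries` line is already normalized by its own `awk '{print $2}'`, so after this hunk both sides of the comparison are plain integers.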

I think it's OK to use awk to get rid of the whitespace, as awk already
is used in the script. Another alternative to get rid of the spaces would
be

+   set `${kadmin} -l list '*' | wc -l`
+   princs=$1

Now back to testing different database backends,
Harald.
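The wc -l portability problem and the two fixes discussed in the post above (the awk stage in the patch and the `set` alternative), as an added example that is not code from the digest or from Heimdal: a POSIX sh script that reproduces BSD wc's padded output deterministically and shows three ways a test script can consume it, including an arithmetic-expansion form that needs no stripping at all. The `fake_kadmin_list` and `bsd_wc_l` stand-ins, the principal names and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the digest or from Heimdal): three portable ways
# to consume `wc -l` output in a POSIX sh test script. BSD wc pads the count
# with leading spaces, which is what made the `expr 1 + "$princs"` check in
# check-iprop fail on FreeBSD. Names below are constructed for the example.

# Constructed stand-in for `${kadmin} -l list '*'`: prints N principal names.
fake_kadmin_list() {
    i=0
    while [ "$i" -lt "$1" ]; do
        echo "user$i@EXAMPLE.ORG"
        i=$((i + 1))
    done
}

# Constructed stand-in for BSD wc -l: always emits the padded form ("       3")
# so the example behaves the same on Linux and FreeBSD.
bsd_wc_l() {
    n=$(wc -l | tr -d ' ')
    printf '%8d\n' "$n"
}

# 1. awk prints the first field, which drops the padding (the fix in the patch).
count_awk() {
    fake_kadmin_list "$1" | bsd_wc_l | awk '{print $1}'
}

# 2. `set --` word-splits the output into positional parameters. Inside a
#    function this only touches the function's own $1..$n, not the script's,
#    which is the caveat with using `set` at top level in a script.
count_set() {
    set -- $(fake_kadmin_list "$1" | bsd_wc_l)
    echo "$1"
}

# 3. Arithmetic expansion skips leading blanks itself, so the check can be
#    written without expr and without any stripping stage. Caveat: an empty
#    value becomes 0 silently, whereas expr would have failed loudly.
principals_plus_one() {
    padded=$(fake_kadmin_list "$1" | bsd_wc_l)
    echo $((padded + 1))
}

# Demonstration when run directly.
echo "awk:        $(count_awk 3)"
echo "set --:     $(count_set 3)"
echo "arithmetic: $(principals_plus_one 3)"
```

All three forms yield a bare integer on both GNU and BSD userlands; the arithmetic form is the one that also removes the `expr` fork from the check, at the cost of treating an empty count as zero rather than as an error.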



------------------------------

Subject: Digest Footer

_______________________________________________
Heimdal-discuss mailing list
Heimdal-discuss@h5l.org
https://www.h5l.org/mailman/listinfo/heimdal-discuss


------------------------------

End of Heimdal-discuss Digest, Vol 8, Issue 10
**********************************************
