Dear Maintainer,
That did the trick, many thanks to you.

Cheers
Christophe

On 11 Oct 2013, at 01:32, Brian May <[email protected]> wrote:

> To anyone suffering from this bug.
>
> Please try: "-k FILE:/etc/krb5.keytab"
>
> Which should also work[1], however, obviously, requires the key be exported
> first.
>
> Please let me know if that helps.
>
>
> My current understanding of the details:
>
> The default value of -k is "HDB:".
>
> Heimdal retrieves the keytab with hdb_get_entry(). As the dbname is not given
> (dbname should appear to right of "HDB:"), it would recurse through the list
> of known databases (find_db) until a match is found. On a default Debian
> configuration this is:
>
> # ./lib/hdb/test_dbinfo
> label: default
>     realm: no realm
>     dbname: /var/lib/heimdal-kdc/heimdal
>     mkey_file: /var/lib/heimdal-kdc/m-key
>     acl_file: /var/lib/heimdal-kdc/kadmind.acl
>
> The value of dbname is used.
>
> However before this happens, krb5_init_creds_set_keytab() is called first.
>
> Since change 118f99e3083144523965f3afea7bdb089253da5e,
> krb5_init_creds_set_keytab() checks the result of the call to
> krb5_kt_start_seq_get(). Before, if this failed, it didn't matter. Now it
> does. This function call ends up at hdb_start_seq_get(). Unfortunately this
> function does not like the fact it was not given a specific database to work
> on, and fails:
>
>     if (dbname == NULL) {
>         /*
>          * We don't support enumerating without being told what
>          * backend to enumerate on
>          */
>         ret = KRB5_KT_NOTFOUND;
>         return ret;
>     }
>
> This failure is propagated back up to krb5_init_creds_set_keytab(), which
> calls _krb5_kt_principal_not_found(), which sets the error. This in turn gets
> propagated back to hprop.c, get_creds() which prints the error:
>
> hprop: krb5_get_init_creds: Failed to find kadmin/[email protected] in keytab
> HDB: (unknown enctype)
>
> Thanks
>
>
>
> Notes:
>
> [1] From my reading of the code, the following should work too:
>
> "-k HDB:/var/lib/heimdal-kdc/heimdal:mkey=/var/lib/heimdal-kdc/m-key"
>
> However, it appears to be buggy. I get:
>
> $7 = {dbname = 0x608e70 "/var/lib/heimdal-kdc/heimdal", mkey = 0x608ea0
> "=/var/lib/heimdal-kdc/m-key"}
>
> strace shows:
>
> open("=/var/lib/heimdal-kdc/m-key", O_RDONLY) = -1 ENOENT (No such file or
> directory)
>
> i.e. when hdb_resolve() parses the string it fails to skip over the = sign.
>
>
> [2] As far as I can tell all the bugs presented in this email exist in the
> latest master version of Heimdal.
> --
> Brian May <[email protected]>
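Added example, not part of the original mail and not Heimdal's code: a simplified parser for the text after "HDB:" that reproduces the symptom in note [1], a marker offset one byte short that leaves the '=' on the master-key path, next to the corrected offset. The names kt_name, dup_n and parse_kt_name and the skip parameter are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parsed form of the text after "HDB:"; not Heimdal's own struct. */
struct kt_name { char *dbname; char *mkey; };

static char *dup_n(const char *s, size_t n)
{
    char *p = malloc(n + 1);
    if (p != NULL) { memcpy(p, s, n); p[n] = '\0'; }
    return p;
}

/* Split "<dbname>[:mkey=<path>]". skip = bytes stepped over at the marker:
 * 6 (strlen(":mkey=")) is correct; 5 reproduces the symptom in the mail,
 * where '=' stays glued to the master-key path. Returns 0, or -1 on OOM. */
static int parse_kt_name(const char *name, size_t skip, struct kt_name *out)
{
    const char *sep = strstr(name, ":mkey=");

    out->dbname = out->mkey = NULL;
    if (*name == '\0')
        return 0;   /* bare "HDB:": dbname stays NULL, the case hdb_start_seq_get() rejects */
    if (sep == NULL || sep[6] == '\0')
        return (out->dbname = dup_n(name, strlen(name))) ? 0 : -1;
    out->dbname = dup_n(name, (size_t)(sep - name));
    out->mkey = dup_n(sep + skip, strlen(sep + skip));
    if (out->dbname == NULL || out->mkey == NULL) {
        free(out->dbname);
        free(out->mkey);
        out->dbname = out->mkey = NULL;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed input: the -k value from note [1], without the "HDB:" prefix. */
    const char *arg = "/var/lib/heimdal-kdc/heimdal:mkey=/var/lib/heimdal-kdc/m-key";
    struct kt_name bad, good;

    if (parse_kt_name(arg, 5, &bad) != 0 || parse_kt_name(arg, 6, &good) != 0)
        return 1;
    printf("skip=5: dbname=%s mkey=%s\n", bad.dbname, bad.mkey);
    printf("skip=6: dbname=%s mkey=%s\n", good.dbname, good.mkey);
    return 0;
}
```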

