Hi, I'm using MIT Kerberos with an LDAP backend on Ubuntu Linux systems for some years now. During an update from 1.10.x to 1.12.x I'm observing some trouble:
1. It seems like the LDAP backend now requires the krbRealmContainer objects to be under an object of class krbContainer. Formerly it was happily working under an "ou=kerberos" node. However, it is feasible to change my LDAP structure in this way, so this is not really a problem.

2. What really causes me headaches is that some krbPrincipalKeys can no longer be parsed. They trigger errors like "unable to decode stored principal key data (ASN.1 structure is missing a required field) while retrieving "{anonymized}@IBR.CS.TU-BS.DE"". It seems like this happens only for keys that have not been changed for quite some time: I asked a user who had a key that caused this error to change his password using an older 1.10-based kadmind. Afterwards the new 1.12.x-based programs were able to parse it.

So far, I found out that this ASN1_MISSING_FIELD is triggered in lib/krb5/asn.1/asn1_encode.c:omit_atype().

kadmin.local gives this getprinc output for working and non-working principals on 1.10 and 1.12:

WORKING on 1.10:
Number of keys: 8
Key: vno 92, aes256-cts-hmac-sha1-96, Version 5
Key: vno 92, arcfour-hmac, Version 5
Key: vno 92, des3-cbc-sha1, Version 5
Key: vno 92, des-cbc-crc, Version 5
Key: vno 92, des-cbc-md5, Version 4
Key: vno 92, des-cbc-md5, Version 5 - No Realm
Key: vno 92, des-cbc-md5, Version 5 - Realm Only
Key: vno 92, des-cbc-md5, AFS version 3
MKey: vno 1

NOT WORKING on 1.10:
Number of keys: 8
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, arcfour-hmac, no salt
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, des-cbc-crc, no salt
Key: vno 2, des-cbc-md5, Version 4
Key: vno 2, des-cbc-md5, Version 5 - No Realm
Key: vno 2, des-cbc-md5, Version 5 - Realm Only
Key: vno 2, des-cbc-md5, AFS version 3
MKey: vno 1

WORKING on 1.12:
Number of keys: 8
Key: vno 92, aes256-cts-hmac-sha1-96, no salt
Key: vno 92, arcfour-hmac, no salt
Key: vno 92, des3-cbc-sha1, no salt
Key: vno 92, des-cbc-crc, no salt
Key: vno 92, des-cbc-md5, no salt
Key: vno 92, des-cbc-md5, Version 5 - No Realm
Key: vno 92, des-cbc-md5, Version 5 - Realm Only
Key: vno 92, des-cbc-md5, AFS version 3
MKey: vno 1

NOT WORKING on 1.12:
get_principal: unable to decode stored principal key data (ASN.1 structure is missing a required field) while retrieving "{anonymized}@IBR.CS.TU-BS.DE".

Did this krbPrincipalKey type change? Is there a tool to fix old keys?

-frank
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
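A pre-upgrade triage helper for the situation described in the post, added here as an example and not part of the original message or of MIT Kerberos: it parses `kadmin.local getprinc` output (the `Key: vno N, enctype, salt` lines) or the 1.12 decode error, and flags principals that either already fail to decode or, on 1.10 output, show the "no salt" keys the post associates with long-unchanged passwords. The principal names, the `Principal:` line and the reduced key counts in the sample strings are constructed; the "no salt" heuristic is an assumption drawn from the post's 1.10 comparison and only applies to output from the 1.10 tools.

```python
import re
from typing import Dict, List, Optional

# Constructed samples modelled on the outputs quoted in the post (names and
# key counts are made up; the line formats follow kadmin.local getprinc).
GETPRINC_WORKING = """Principal: alice@EXAMPLE.ORG
Number of keys: 3
Key: vno 92, aes256-cts-hmac-sha1-96, Version 5
Key: vno 92, des-cbc-md5, Version 4
Key: vno 92, des-cbc-md5, AFS version 3
MKey: vno 1
"""
GETPRINC_STALE = """Principal: bob@EXAMPLE.ORG
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, des-cbc-md5, Version 4
MKey: vno 1
"""
GETPRINC_BROKEN = ('get_principal: unable to decode stored principal key data '
                   '(ASN.1 structure is missing a required field) '
                   'while retrieving "bob@EXAMPLE.ORG".')

KEY_RE = re.compile(r"^Key: vno (\d+), ([^,]+), (.+)$")
ERR_RE = re.compile(r"unable to decode stored principal key data")


def parse_getprinc(text: str) -> Dict:
    """Turn one getprinc output into {'error', 'keys', 'no_salt'}.

    'keys' holds one dict per Key: line (kvno, enctype, salt type as printed);
    'error' carries the decode failure text if kadmin printed one instead.
    """
    keys: List[Dict] = []
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())      # "MKey:" lines do not match
        if m:
            keys.append({"vno": int(m.group(1)), "enctype": m.group(2),
                         "salt": m.group(3)})
    error: Optional[str] = text.strip() if ERR_RE.search(text) else None
    return {"error": error, "keys": keys,
            "no_salt": sum(1 for k in keys if k["salt"] == "no salt")}


def needs_rekey(report: Dict) -> bool:
    """True if the principal already fails to decode, or (1.10 output only,
    assumption from the post) still carries keys printed as 'no salt'."""
    return report["error"] is not None or report["no_salt"] > 0
```

Run it over the 1.10 output of every principal before the upgrade, and ask the flagged users to change their password (or rekey service principals) while the old kadmind is still in place.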