Re: Preliminary patch for libkadm5srv hooks

Love Hörnquist Åstrand <lha <at> kth.se> writes:

> Yes, the idea was to have stacking, but do it though the lib/hdb/hdb.c
> layer where is doing all the processing, so that the individual layers
> are not ware of each other.

> I'm don't know how reasonable it is or how to handle errors just that
> api seemed very much the same.

Well, it's a very tiny subset.  For my purposes, even including deletions
and renames, I'd only want to implement:

    hdb_store
    hdb_remove
    hdb_password

The semantics are also a little wrong in that I'd like to distinguish
between a modify that only updates flags, a creation of a new entry, and a
password change, which hdb_store doesn't really let me do.  It would also
be nice to have a principal rename as a first-class operation rather than
as a fetch, remove, and store, which I assume is how it's implemented now
(I haven't gone and looked).  And as mentioned, for an hdb_store that
creates a new principal, I'd need the actual password and not just the
keys.

Stacked databases are a nice general solution that could be made to solve
this problem as well, but they'd be a bit more complicated and I think the
way in which the rest of Heimdal calls into the database layer would have
to be changed to provide the password rather than the keys in more places.

Re: Very verbose Heimdal KDC logging

Love Hörnquist Åstrand <lha <at> kth.se> writes:

> Should probably switch to a less verbose format, considering to switch
> to an auditing format and just do the kdc_log for debugging.

> Any other ideas ?

I would love to have a log output format that has one line per input
request so that I don't have to correlate multiple lines to a request.
I'm not sure if that's implied by an auditing format; I'm woefully
ignorant about audit subsystems and what people do with them these days
and should fix that.

So, in other words, here's what I currently see (with the leading syslog
stuff stripped off:

    AS-REQ rra <at> stanford.edu from IPv4:171.64.11.53 for krbtgt/stanford.edu <at> stanford.edu
    No preauth found, returning PREAUTH-REQUIRED -- rra <at> stanford.edu
    sending 244 bytes to IPv4:171.64.11.53
    AS-REQ rra <at> stanford.edu from IPv4:171.64.11.53 for krbtgt/stanford.edu <at> stanford.edu
    Client sent patypes: encrypted-timestamp
    Looking for PKINIT pa-data -- rra <at> stanford.edu
    Looking for ENC-TS pa-data -- rra <at> stanford.edu
    ENC-TS Pre-authentication succeeded -- rra <at> stanford.edu using aes256-cts-hmac-sha1-96
    Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1,
arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-
    Requested flags: renewable, forwardable
    AS-REQ authtime: 2010-03-02T14:53:50 starttime: unset endtime: 2010-03-03T15:53:48 renew till: 2010-03-09T14:53:48
    sending 654 bytes to IPv4:171.64.11.53
    TGS-REQ rra <at> stanford.edu from IPv4:171.64.11.53 for host/heimdal-uat.stanford.edu <at> stanford.edu

Re: Very verbose Heimdal KDC logging

> I would love to have a log output format that has one line per input
> request so that I don't have to correlate multiple lines to a request.

Yes.

When logging in a single line is not possible, there should be som
kind of session id. Some unique number.

Harald.

kadmind ignores config file / database settings

Hi List,

I have a Heimdal 1.3.1 kdc running on a Solaris 10 box using an OpenLDAP
2.4.21 server as the backend. Works like a charm so far.

Now I'm trying to get kadmind running to enable remote administration
but for some reason it seems to be ignoring the configuration. Logs
don't say much about it, but when I 'truss' kadmind I can clearly see
how it tries to access some '/var/heimdal/heimdal.pag' file that doesn't
exist and the LDAP logs only show some reads from the kdc which
authenticates the admin principal just fine.

Another indicator that my config is just ignored is that it's using the
default-path to look for the master key file instead of the path
configured in krb5.conf.

Is this a bug or am I missing something? Do I have to tell kadmind
separately to use LDAP?

Any help would be appreciated.

Regards,
Christian Manal

# $Id: krb5.conf,v 1.2 2009/11/13 12:26:37 root Exp $

[libdefaults]
   default_realm = EXAMPLE.COM
   kdc_timesync = 1

Re: kadmind ignores config file / database settings

Try using the --config-file=/var/heimdal/kdc.conf option when you start up kadmind.  Also remember that
Heimdal will use /etc/krb5.conf, not the Solaris /etc/krb5/krb5.conf file (unless you have taken
special pains to change that during the build).

On Mar 4, 2010, at 1:34 AM, Christian Manal wrote:

> Hi List,
> 
> I have a Heimdal 1.3.1 kdc running on a Solaris 10 box using an OpenLDAP
> 2.4.21 server as the backend. Works like a charm so far.
> 
> Now I'm trying to get kadmind running to enable remote administration
> but for some reason it seems to be ignoring the configuration. Logs
> don't say much about it, but when I 'truss' kadmind I can clearly see
> how it tries to access some '/var/heimdal/heimdal.pag' file that doesn't
> exist and the LDAP logs only show some reads from the kdc which
> authenticates the admin principal just fine.
> 
> Another indicator that my config is just ignored is that it's using the
> default-path to look for the master key file instead of the path
> configured in krb5.conf.
> 
> Is this a bug or am I missing something? Do I have to tell kadmind
> separately to use LDAP?
> 
> Any help would be appreciated.
> 
> 
> Regards,
> Christian Manal

Re: kadmind ignores config file / database settings

Henry B. Hotz schrieb:
> Try using the --config-file=/var/heimdal/kdc.conf option when you start up kadmind.  Also remember
that Heimdal will use /etc/krb5.conf, not the Solaris /etc/krb5/krb5.conf file (unless you have taken
special pains to change that during the build).
> 

Sorry, I should have mentioned that I already did that and that 'truss'
showed that the file is actually opened. I also have placed symlinks to
my krb5.conf at all the locations Heimdal and Solaris are looking for
it. Still doesn't work.

> On Mar 4, 2010, at 1:34 AM, Christian Manal wrote:
> 
>> Hi List,
>>
>> I have a Heimdal 1.3.1 kdc running on a Solaris 10 box using an OpenLDAP
>> 2.4.21 server as the backend. Works like a charm so far.
>>
>> Now I'm trying to get kadmind running to enable remote administration
>> but for some reason it seems to be ignoring the configuration. Logs
>> don't say much about it, but when I 'truss' kadmind I can clearly see
>> how it tries to access some '/var/heimdal/heimdal.pag' file that doesn't
>> exist and the LDAP logs only show some reads from the kdc which
>> authenticates the admin principal just fine.
>>
>> Another indicator that my config is just ignored is that it's using the
>> default-path to look for the master key file instead of the path
>> configured in krb5.conf.
>>
>> Is this a bug or am I missing something? Do I have to tell kadmind

Re: kadmind ignores config file / database settings

Christian Manal schrieb:
> Henry B. Hotz schrieb:
>> Try using the --config-file=/var/heimdal/kdc.conf option when you start up kadmind.  Also remember
that Heimdal will use /etc/krb5.conf, not the Solaris /etc/krb5/krb5.conf file (unless you have taken
special pains to change that during the build).
>>
> 
> Sorry, I should have mentioned that I already did that and that 'truss'
> showed that the file is actually opened. I also have placed symlinks to
> my krb5.conf at all the locations Heimdal and Solaris are looking for
> it. Still doesn't work.
> 
> 
>> On Mar 4, 2010, at 1:34 AM, Christian Manal wrote:
>>
>>> Hi List,
>>>
>>> I have a Heimdal 1.3.1 kdc running on a Solaris 10 box using an OpenLDAP
>>> 2.4.21 server as the backend. Works like a charm so far.
>>>
>>> Now I'm trying to get kadmind running to enable remote administration
>>> but for some reason it seems to be ignoring the configuration. Logs
>>> don't say much about it, but when I 'truss' kadmind I can clearly see
>>> how it tries to access some '/var/heimdal/heimdal.pag' file that doesn't
>>> exist and the LDAP logs only show some reads from the kdc which
>>> authenticates the admin principal just fine.
>>>
>>> Another indicator that my config is just ignored is that it's using the
>>> default-path to look for the master key file instead of the path
>>> configured in krb5.conf.

Re: Compatibility issues with MIT and Heimdal ?

I still have the problem with Heimdal 1.3.1 against a MIT 1.6.3 kdc. I now 
have done the following test:

kinit markus <at> SUSE.HOME
kgetcred rcmd/opensuse11.suse.home <at> SUSE.HOME
kgetcred: krb5_get_creds: Decrypt integrity check failed

Using gdb I get to lib/krb5/crypto.c line 2370 (function ARCFOUR_subdecrypt)

    if (ct_memcmp (cksum.checksum.data, data, 16) != 0) {
        krb5_clear_error_message (context);
        return KRB5KRB_AP_ERR_BAD_INTEGRITY;
    } else {
        return 0;
    }

I see the same error with a AD domain which has full trust to the MIT 
domain.

kinit mm <at> WIN2003R2.HOME
kgetcred rcmd/opensuse11.suse.home <at> SUSE.HOME
kgetcred: krb5_get_creds: Decrypt integrity check failed

but the cause is in lib/krb5/ticket.c line 485 (function 
check_server_referral)

noreferral:
    if (krb5_principal_compare(context, requested, returned) == FALSE) {
        krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
                               N_("Not same server principal returned "

Re: kadmind ignores config file / database settings

On Mar 5, 2010, at 3:07 AM, Christian Manal wrote:

> Hi again,
> 
> I've got it working now. I just had to use about every commandline
> option available for kadmind to tell it which realm, keytabm, config and
> whatnot to use. I would have thought that could all be obtained from the
> config file. Sorry about the ruckus, though a little bit more
> documentation on that part wouldn't hurt I believe.
> 
> 
> Regards,
> Christian Manal

That would make me nervous that it wasn't actually reading/interpreting the config file[s].

Do you have a separate kdc.conf file?  I seem to avoid those issues by sticking to a very old-fashoned
division of settings between krb5.conf and kdc.conf.  Specifically, I put the [kdc] section in
/var/heimdal/kdc.conf, everything else in /etc/krb5.conf, and I use the command line option to point at
the kdc.conf file.

More specifically, I use --config-file= everywhere, and --detach where it's supported.  I use --keytab=
on ipropd-{master,slave}.  No other options.
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz <at> jpl.nasa.gov, or hbhotz <at> oxy.edu

Re: Compatibility issues with MIT and Heimdal ?

> I still have the problem with Heimdal 1.3.1 against a MIT 1.6.3 kdc. I now have done the following test:

Have you tried 1.3.2rc2? 

(Hm, will there be a 1.3.2rc3 soon? I'd like an rc3 before release)

Have you 

[libdefaults]
        allow_weak_crypto = yes

if you want DES?

Harald.