heimdal 0.2g issues (might these be fixed in later releases?)
We just went live with heimdal replacing our kaservers today. For the most
part this has been a success, but there are a few weirdnesses:
1. The heimdal KDC doesn't react to expired tickets via krb4. That is, it
completely ignores any Kerberos 4 requests which involve expired tickets,
instead of returning an error code and/or logging an error. This results in
telnet/rlogin/ssh/etc. with expired tickets hanging.
2. klog works, but krb4 tickets generated with klog.krb don't work. Since
#1 applies, I don't get any error messages from either the KDC or the
client. klist doesn't show anything wrong with the tickets.
3. heimdal's kadmind used to support krb4 kpasswd; now it gets "Broken pipe"
(and again, no error message on the server side). (hmm, core file:
#0 0xef764d08 in _kadm5_s_init_context (ctx=0xefffefb0, params=0x0,
context=0x8d408) at context_s.c:183
183 if(is_set(REALM))
(gdb) bt
#0 0xef764d08 in _kadm5_s_init_context (ctx=0xefffefb0, params=0x0,
context=0x8d408) at context_s.c:183
#1 0xef767128 in kadm5_s_init_with_context (context=0x8d408,
client_name=0x91f00 "allbery@ECE.CMU.EDU",
service_name=0x72c08 "kadmin/admin", realm_params=0x0, struct_version=0,
api_version=0, server_handle=0xeffff150) at init_s.c:50
#2 0xef76747c in kadm5_s_init_with_password_ctx (context=0x8d408,
client_name=0x91f00 "allbery@ECE.CMU.EDU", password=0x0,
service_name=0x72c08 "kadmin/admin", realm_params=0x0, struct_version=0,
api_version=0, server_handle=0xeffff150) at init_s.c:94
#3 0xef76bb90 in kadm5_init_with_password_ctx (context=0x8d408,
client_name=0x91f00 "allbery@ECE.CMU.EDU", password=0x0,
service_name=0x72c08 "kadmin/admin", realm_params=0x0, struct_version=0,
api_version=0, server_handle=0xeffff150) at server_glue.c:66
#4 0x1f99c in kadmind_loop ()
#5 0x1fe64 in handle_v4 ()
#6 0x1d578 in kadmind_loop ()
#7 0x1bef8 in main ()
4. ssh with the AFS+krb4 modifications forwards tickets and tokens. With
the heimdal KDC, token forwarding succeeds but forwarded tickets elicit
"Incorrect network address" from the KDC when used (hey, at least this time
we *get* an error message :) . Setting check-ticket-addresses = false in
kdc.conf doesn't change this. While it's not urgent, it would be nice if
this worked because otherwise you end up with no tickets on the remote if
Kerberos-authenticated.
Are #1, #2, and #3 fixed in later versions of heimdal, or should I be
digging at the code?
#4 isn't so critical, and I fear that it will require an understanding of
kaserver's internals to get to work. (hm, and that might apply to #2 as
well.) A quick attempt at a fix on my part (a new kdc option to replace the
client address with 0.0.0.0 when creating a krb4 ticket) created garbage
tickets which caused the kdc to log authentication failures, which didn't
surprise me much as I'm still pretty new to Kerberos....
--
brandon s. allbery os/2,linux,solaris,perl allbery@kf8nh.apk.net
system administrator kthkrb,heimdal,gnome,rt allbery@ece.cmu.edu
carnegie mellon / electrical and computer engineering kf8nh
We are Linux. Resistance is an indication that you missed the point.
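The kadmind crash in item 3 shows _kadm5_s_init_context entered with params=0x0 and dying at the is_set(REALM) test, i.e. an unconditional dereference of a configuration pointer the krb4 kpasswd path never supplies. The following is an added illustration, not code from the post or from Heimdal: a hypothetical reconstruction of that init path with made-up field and mask names, showing the unguarded macro beside a NULL-tolerant one that falls back to a default realm.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical reconstruction of the kadm5 server init path; the struct
 * layout, CFG_REALM bit and function names are assumptions, not Heimdal's. */

#define CFG_REALM 0x1u

typedef struct {
    unsigned mask;        /* which optional fields the caller filled in */
    const char *realm;
} config_params;

typedef struct {
    char realm[64];
    int initialized;
} kadm5_ctx;

/* Shape of the failing check: dereferences params unconditionally, so a
 * NULL params (what frame #1 passed as realm_params=0x0) faults here. */
#define is_set_unsafe(p, M) (((p)->mask & CFG_##M) != 0)

/* Hardened form: a NULL params pointer simply means "nothing overridden". */
#define is_set(p, M) ((p) != NULL && ((p)->mask & CFG_##M) != 0)

/* Returns 0 on success, -1 on bad input. Uses default_realm unless the
 * caller explicitly set a realm in params. */
int init_context(kadm5_ctx *ctx, const config_params *params,
                 const char *default_realm)
{
    const char *realm = default_realm;

    if (ctx == NULL || default_realm == NULL)
        return -1;
    if (is_set(params, REALM)) {
        if (params->realm == NULL)     /* mask says set, but no value */
            return -1;
        realm = params->realm;
    }
    if (strlen(realm) >= sizeof ctx->realm)
        return -1;                      /* refuse to truncate the realm */
    strcpy(ctx->realm, realm);
    ctx->initialized = 1;
    return 0;
}
```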