[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: heimdal 0.2g issues (might these be fixed in later releases?)
"Brandon S. Allbery KF8NH" <firstname.lastname@example.org> writes:
> We just went live with heimdal replacing our kaservers today.
> 1. The heimdal KDC doesn't react to expired tickets via krb4. That is, it
> completely ignores any Kerberos 4 requests which involve expired tickets,
> instead of returning an error code and/or logging an error. This results in
> telnet/rlogin/ssh/etc. with expired tickets hanging.
When I read the code and try it, it works, and that code hasn't
changed in some time so it should work in 02.g too. I assume you mean
an APPL_REQUEST? Here is what I see:
02:08:57.644019 datan.1345 > kdc.kerberos-iv: v4 be APPL_REQUEST: v4 NADA.KTH.SE (56) (32)
02:08:57.655774 kdc.kerberos-iv > datan.1345: v4 be ERR_REPLY: .@ OK Ticket expire [|kerberos]
> 2. klog works, but krb4 tickets generated with klog.krb don't work. Since
> #1 applies, I don't get any error messages from either the KDC or the
> client. klist doesn't show anything wrong with the tickets.
> 3. heimdal's kadmind used to support krb4 kpasswd; now it gets "Broken pipe"
> (and again, no error message on the server side). (hmm, core file:
I think that has been fixed.
> 4. ssh with the AFS+krb4 modifications forwards tickets and tokens. With
> the heimdal KDC, token forwarding succeeds but forwarded tickets elicit
> "Incorrect network address" from the KDC when used (hey, at least this time
> we *get* an error message :) . Setting check-ticket-addresses = false in
> kdc.conf doesn't change this. While it's not urgent, it would be nice if
> this worked because otherwise you end up with no tickets on the remote if
Ah, check-ticket-addresses is only used in the v5 part of the KDC.
Can you try the appended patch?
> Are #1, #2, and #3 fixed in later versions of heimdal, or should I be
> digging at the code?
I think we need to figure out why #1 is happening to you, then what's
causing #2, and if you could try later code for #3.
RCS file: /afs/pdc.kth.se/src/packages/kth-krb/SourceRepository/heimdal/kdc/kerberos4.c,v
retrieving revision 1.25
diff -u -w -u -w -r1.25 kerberos4.c
--- kerberos4.c 2000/01/12 09:27:50 1.25
+++ kerberos4.c 2000/02/02 01:20:06
@@ -328,6 +328,9 @@
memcpy(&auth.dat, buf, pos);
auth.length = pos;
+ krb_ignore_ip_address = !check_ticket_addresses;
ret = krb_rd_req(&auth, "krbtgt", realm,
addr->sin_addr.s_addr, &ad, 0);