
Re: Propagating MIT-Kerberos Database to Heimdal KDC



Hi!

Johan Danielsson wrote:
> > However if I try to list the imported principals with "list *" in
> > the kadmin program, I get "Decrypt integrity check failed" for every
> > principal.
> Is it in remote mode (not kadmin -l)?

Nope, it's kadmin -l. I didn't bother to create /admin roles,
administration of the database is rarely necessary and is always done
locally as root. Unfortunately with MIT Kerberos I still have to run
kadmind to enable users to change their passwords.

> Sounds like some problem with the mkey. Which enctype do you use? The
> first two bytes of the mkey-file is the enctype, next are four length
> bytes, and finally the key data. Does that look like what you have?
Well, according to kadmin.local on the MIT KDC, the key of the K/M
principal is:
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Attributes: DISALLOW_ALL_TIX

od -h says the first 6 bytes are:

0010 0018 0000

The length of 24 (0x18) bytes (after the length bytes) is correct.

However, if I create /var/heimdal/m-key on the heimdal host with
kstash, the first six bytes are:

0205 0000 4800

There is most obviously an endianness problem here, although both
machines are x86. I wonder if using a hex editor to correct the
length would fix the problem, or is the endianness in the data
different as well?

The number 0x48 (72) in little endian is also the correct length of
the m-key.

--------------------

Another point strikes me: I've read somewhere that it's possible to
use the MIT-Kerberos Master-Key unchanged. However the principal for
the Master-Key is called "default" in heimdal and "K/M" in MIT
Kerberos.

After I import the dump, the "default" principal is gone, instead
there is the "K/M" Principal from the MIT KDC.

Will the resulting heimdal database still be usable?

Is there any place I can find detailed documentation on the subject?

Kind regards
     FDF
-- 
Friedrich Delgado Friedrichs   |               mailto: fd@dfn-cert.de
DFN-CERT GmbH                  |              pgp-key: 0x94A6047F
Heidenkampsweg 41              |                Phone: +49(40)808077-555
D-20097 Hamburg                |                  FAX: +49(40)808077-556
Germany                        |
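The byte-order check discussed in this exchange, as an added Python example that is not part of the original mail or of either KDC's code: it rebuilds the raw bytes from the quoted od -h words (od prints two-byte units in host byte order, so on x86 each word is byte-swapped), parses the two-byte-enctype/four-byte-length layout Johan describes in both byte orders, and reports which reading is self-consistent. The key bytes after each header are zero placeholders, since the real keys are of course not in the mail.

```python
import struct

# Enctype numbers from RFC 3961 / RFC 3962 that matter for a master key.
KNOWN_ENCTYPES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
}

def od_words_to_bytes(words):
    """Undo 'od -h' on a little-endian host: each printed 16-bit word is
    byte-swapped, so the word '0010' stands for the bytes 10 00."""
    out = bytearray()
    for w in words.split():
        out += struct.pack("<H", int(w, 16))
    return bytes(out)

def parse_stash(data, byteorder):
    """Parse the layout described in the thread: 2-byte enctype, 4-byte key
    length, then key data. byteorder is '<' (little) or '>' (big)."""
    if len(data) < 6:
        raise ValueError("file too short for a stash header")
    enctype, length = struct.unpack(byteorder + "HI", data[:6])
    key = data[6:]
    return {
        "enctype": enctype,
        "enctype_name": KNOWN_ENCTYPES.get(enctype),
        "length": length,
        "length_matches_file": length == len(key),
    }

def diagnose(data):
    """Try both byte orders. A reading counts as consistent only if the
    enctype is a known one AND the length field equals the key bytes present;
    a file where neither reading passes does not follow this layout at all."""
    results = {}
    for name, bo in (("little", "<"), ("big", ">")):
        r = parse_stash(data, bo)
        r["consistent"] = r["enctype_name"] is not None and r["length_matches_file"]
        results[name] = r
    return results

# Constructed inputs: the header words quoted from the od -h output above,
# followed by placeholder key bytes (24 for the MIT file, 72 for the Heimdal one).
MIT_STASH = od_words_to_bytes("0010 0018 0000") + bytes(24)
HEIMDAL_MKEY = od_words_to_bytes("0205 0000 4800") + bytes(72)
```

Run `diagnose(MIT_STASH)` to see the little-endian reading come out as des3-cbc-sha1 with length 24, while `diagnose(HEIMDAL_MKEY)` is consistent in neither byte order, which is the sign that the second file is not simply a byte-swapped copy of the first.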
