[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Propagating MIT-Kerberos Database to Heimdal KDC


Johan Danielsson schrieb:
> > However if I try to list the imported principals with "list *" in
> > the kadmin program, I get "Decrypt integrity check failed" for every
> > principal.
> Is is in remote mode (not kadmin -l)?

Nope, it's kadmin -l. I didn't bother to create /admin roles,
administration of the database is rarely necessary and is always done
locally as root. Unfortunately with MIT Kerberos I still have to run
kadmind to enable users to change their passwords.

> Sounds like some problem with the mkey. Which enctype do you use? The
> first two bytes of the mkey-file is the enctype, next are four length
> bytes, and finally the key data. Does that look like what you have?
Well, according to kadmin.local on the MIT KDC, the key of the K/M
principal is:
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt

od -h says the first 6 bytes are:

0010 0018 0000

The length of 24 (0x18) bytes (after the length bytes) is correct.

However, if I create /var/heimdal/m-key on the heimdal host with
kstash, the first six bytes are:

0205 0000 4800

There is most obviously an endianness problem here, although both
machines are x86. I wonder if using an hex editor to correct the
length would fix the problem, or is the endianness in the data
different as well?

The number 0x48 (72) in little endian is also the correct length of
the m-key.


Another point strikes me: I've read somewhere that it's possible to
use the MIT-Kerberos Master-Key unchanged. However the principal for
the Master-Key is called "default" in heimdal and "K/M" in MIT

After I import the dump, the "default" principal is gone, instead
there is the "K/M" Principal from the MIT KDC.

Will the resulting heimdal database still be usable?

Is there any place I can find detailed documentation on the subject?

Kind regards
Friedrich Delgado Friedrichs   |               mailto: fd@dfn-cert.de
DFN-CERT GmbH                  |              pgp-key: 0x94A6047F
Heidenkampsweg 41              |                Phone: +49(40)808077-555
D-20097 Hamburg                |                  FAX: +49(40)808077-556
Germany                        |

PGP signature