More kpasswd woes.
Ok, the situation is that passwords convert from the kaserver
correctly and show as:
Keytypes(salttype[(salt-value)]):
des-cbc-md5(afs3-salt(jpl.nasa.gov)),
des-cbc-md4(afs3-salt(jpl.nasa.gov)),
des-cbc-crc(afs3-salt(jpl.nasa.gov))
The Solaris SEAM kpasswd command and the Heimdal kpasswd seem to
work. They change the password without error, but the resulting keys
are like this:
Keytypes(salttype[(salt-value)]): des3-cbc-sha1(pw-salt),
des-cbc-md5(pw-salt), des-cbc-md4(pw-salt), des-cbc-crc(pw-salt)
which works fine with kinit, but not with good old AFS klog.
Now if I go in and change the password with kadmin I get a different result:
Keytypes(salttype[(salt-value)]): des3-cbc-sha1(pw-salt),
des-cbc-md5(pw-salt()), des-cbc-md4(pw-salt()), des-cbc-crc(pw-salt())
This is still different, but at least it works with legacy klog.
Looking at the config file the default_keys entry is in the [kadmin]
section. That means that kpasswdd ignores it? How can I make
kpasswd obey what I've told kadmin?
(The remaining problem I was having before was that Heimdal kpasswd
(and probably MIT as well) looks for an _kpasswd DNS entry before
they default to the admin_server config file entry. We have an
actual Windows Domain here which is (so far) unrelated to the
AFS/Kerberos REALM.)
----------------
# krb5.conf
[libdefaults]
    default_realm = JPL.NASA.GOV
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            ftp = ftp
            hprop = hprop
            imap = imap
            pop = pop
            rcmd = host
            smtp = smtp
            postgres = postgres
            oracle = oracle
            nfs = nfs
            ldap = ldap
            cifs = cifs
            HTTP = HTTP
            xmpp = xmpp
            nntp = nntp
            cvs = cvs
            pbs = pbs
            lsf = lsf
            kca_service = kca_service
            rootd = rootd
            darkstar = darkstar
            afpserver = afpserver
        }
        plain = {
            krbtgt = krbtgt
            afs = afs
        }
    }
[realms]
    JPL.NASA.GOV = {
        kdc = afstest01.jpl.nasa.gov
        kpasswd_server = afstest01.jpl.nasa.gov
        admin_server = afstest01.jpl.nasa.gov
        v4_instance_convert = {
            cdsa = dcs04.jpl.nasa.gov
            eisws21 = eisws21.jpl.nasa.gov
            caesun1 = caesun1.jpl.nasa.gov
            afspt07 = afspt07.jpl.nasa.gov
        }
    }
    HOTZ.JPL.NASA.GOV = {
        kdc = machotz.jpl.nasa.gov
        admin_server = machotz.jpl.nasa.gov
    }
[domain_realm]
    .jpl.nasa.gov = JPL.NASA.GOV
    jpl.nasa.gov = JPL.NASA.GOV
    machotz.jpl.nasa.gov = HOTZ.JPL.NASA.GOV
[logging]
    default = FILE:/var/heimdal/kdc.log
    kdc = FILE:/var/heimdal/kdc.log
    kpasswd = FILE:/var/krb5/kpasswd.log
[appdefaults]
    kinit = {
        renew_lifetime = 1 week
        forwardable = true
        proxiable = true
    }
[kadmin]
    default_keys = des3:pw-salt v4
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
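As an added example (not part of the message above, and not Heimdal's own code): a small Python checker that parses Keytypes lines in the format Heimdal kadmin prints, as quoted in the message, and reports per principal whether any single-DES key carries a salt that legacy AFS klog can use. The classification follows only what the message reports: afs3-salt keys (converted from the kaserver) and pw-salt() keys with an explicit empty salt (what kadmin produced under the posted default_keys setting) work with klog, while keys with the plain Kerberos 5 pw-salt do not. The dump below is constructed sample text; the "Principal:" line layout and the wrapping of long Keytypes lines are assumptions about the surrounding kadmin output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One "enctype(salttype[(salt-value)])" entry as printed in a Heimdal Keytypes line.
KEY_RE = re.compile(r"([\w-]+)\(([\w-]+)(?:\(([^)]*)\))?\)")
DES_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}


@dataclass(frozen=True)
class KeyEntry:
    enctype: str
    salttype: str
    salt: Optional[str]  # None = no explicit value printed, "" = explicit empty salt "()"

    def salt_kind(self) -> str:
        """Classify the salt the way the message distinguishes them."""
        if self.salttype == "afs3-salt":
            return "afs3"          # kaserver-converted key, salted with the cell name
        if self.salttype == "pw-salt" and self.salt == "":
            return "empty"         # pw-salt(): explicit empty salt, as kadmin produced
        if self.salttype == "pw-salt":
            return "krb5-default"  # plain pw-salt: Kerberos 5 default salt, kinit only
        return "other"


def parse_keytypes(line: str) -> List[KeyEntry]:
    """Parse one Keytypes line (or a wrapped continuation of one) into entries."""
    body = line.split(":", 1)[1] if line.lstrip().startswith("Keytypes") else line
    # finditer (not findall) so a non-participating salt group stays None
    return [KeyEntry(m.group(1), m.group(2), m.group(3)) for m in KEY_RE.finditer(body)]


def klog_usable(keys: List[KeyEntry]) -> bool:
    """True if at least one single-DES key has an afs3 or explicit empty salt,
    the two cases the message reports as working with legacy klog."""
    return any(k.enctype in DES_ENCTYPES and k.salt_kind() in ("afs3", "empty")
               for k in keys)


def audit(dump: str) -> Dict[str, bool]:
    """Map each principal in a kadmin-style dump to its klog verdict.
    Assumes 'Principal: name' precedes that principal's Keytypes line."""
    verdicts: Dict[str, bool] = {}
    principal = None
    in_keys = False
    for raw in dump.splitlines():
        s = raw.strip()
        if s.startswith("Principal:"):
            principal = s.split(":", 1)[1].strip()
            in_keys = False
        elif s.startswith("Keytypes") and principal:
            verdicts[principal] = klog_usable(parse_keytypes(s))
            in_keys = True
        elif in_keys and ":" not in s and "(" in s:
            # long Keytypes lines wrap; fold the continuation into the verdict
            verdicts[principal] = verdicts[principal] or klog_usable(parse_keytypes(s))
        else:
            in_keys = False
    return verdicts


# Constructed sample resembling kadmin output for the three cases in the message.
SAMPLE_DUMP = """\
Principal: alice@JPL.NASA.GOV
Keytypes(salttype[(salt-value)]): des-cbc-md5(afs3-salt(jpl.nasa.gov)), des-cbc-md4(afs3-salt(jpl.nasa.gov)), des-cbc-crc(afs3-salt(jpl.nasa.gov))
Principal: bob@JPL.NASA.GOV
Keytypes(salttype[(salt-value)]): des3-cbc-sha1(pw-salt),
des-cbc-md5(pw-salt), des-cbc-md4(pw-salt), des-cbc-crc(pw-salt)
Principal: carol@JPL.NASA.GOV
Keytypes(salttype[(salt-value)]): des3-cbc-sha1(pw-salt),
des-cbc-md5(pw-salt()), des-cbc-md4(pw-salt()), des-cbc-crc(pw-salt())
"""

if __name__ == "__main__":
    for name, ok in audit(SAMPLE_DUMP).items():
        print(f"{name}: {'klog OK' if ok else 'NO klog-usable DES key'}")
```

Run against the output of a real `kadmin -l get` loop to find principals whose passwords were changed through kpasswdd and therefore lost their AFS-usable keys; such principals need a re-keying path that honours the intended salt, not a reparse of this output.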