
More kpasswd woes.

Ok, the situation is that passwords convert from the kaserver 
correctly and show as:


The Solaris SEAM kpasswd command and the Heimdal kpasswd seem to 
work.  They change the password without error, but the resulting keys 
are like this:

Keytypes(salttype[(salt-value)]): des3-cbc-sha1(pw-salt), 
des-cbc-md5(pw-salt), des-cbc-md4(pw-salt), des-cbc-crc(pw-salt)

which works fine with kinit, but not with good old AFS klog.

Now if I go in and change the password with kadmin I get a different result:

Keytypes(salttype[(salt-value)]): des3-cbc-sha1(pw-salt), 
des-cbc-md5(pw-salt()), des-cbc-md4(pw-salt()), des-cbc-crc(pw-salt())

This is still different, but at least it works with legacy klog.

Looking at the config file the default_keys entry is in the [kadmin] 
section.  That means that kpasswdd ignores it?  How can I make 
kpasswd obey what I've told kadmin?

(The remaining problem I was having before was that Heimdal kpasswd 
(and probably MIT as well) looks for an _kpasswd DNS entry before 
they default to the admin_server config file entry.  We have an 
actual Windows Domain here which is (so far) unrelated to the 
AFS/Kerberos REALM.)

# krb5.conf
# (the bracketed section headers and the closing braces were lost in the
#  archived copy of this message; they are restored here so the file parses)
[libdefaults]
         default_realm = JPL.NASA.GOV
         v4_instance_resolve = false
         v4_name_convert = {
                 host = {
                         ftp = ftp
                         hprop = hprop
                         imap = imap
                         pop = pop
                         rcmd = host
                         smtp = smtp
                         postgres = postgres
                         oracle = oracle
                         nfs = nfs
                         ldap = ldap
                         cifs = cifs
                         HTTP = HTTP
                         xmpp = xmpp
                         nntp = nntp
                         cvs = cvs
                         pbs = pbs
                         lsf = lsf
                         kca_service = kca_service
                         rootd = rootd
                         darkstar = darkstar
                         afpserver = afpserver
                 }
                 plain  = {
                         krbtgt = krbtgt
                         afs = afs
                 }
         }

[realms]
         JPL.NASA.GOV = {
                 kdc = afstest01.jpl.nasa.gov
                 kpasswd_server = afstest01.jpl.nasa.gov
                 admin_server = afstest01.jpl.nasa.gov
                 v4_instance_convert = {
                         cdsa = dcs04.jpl.nasa.gov
                         eisws21 = eisws21.jpl.nasa.gov
                         caesun1 = caesun1.jpl.nasa.gov
                         afspt07 = afspt07.jpl.nasa.gov
                 }
         }
         HOTZ.JPL.NASA.GOV = {
                 kdc = machotz.jpl.nasa.gov
                 admin_server = machotz.jpl.nasa.gov
         }

[domain_realm]
         .jpl.nasa.gov = JPL.NASA.GOV
         jpl.nasa.gov  = JPL.NASA.GOV
         machotz.jpl.nasa.gov = HOTZ.JPL.NASA.GOV

[logging]
         default = FILE:/var/heimdal/kdc.log
         kdc = FILE:/var/heimdal/kdc.log
         kpasswd = FILE:/var/krb5/kpasswd.log

[appdefaults]
         kinit = {
                 renew_lifetime = 1 week
                 forwardable = true
                 proxiable = true
         }

[kadmin]
         default_keys = des3:pw-salt v4

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
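An added example, not part of the message above and not Heimdal's own code: a small Python script that parses the two kinds of key listing quoted above (the 'pw-salt' form produced by kpasswd and the 'pw-salt()' form produced by kadmin) and reports whether a principal has the explicit-empty-salt des-cbc-crc key that the post says legacy klog needs, and that parses a Heimdal-style krb5.conf to show which section a default_keys line actually lands in. The two sample listings and the sample krb5.conf are constructed here. Reading 'pw-salt()' as an explicitly empty (Kerberos 4 style) salt and bare 'pw-salt' as the default Kerberos 5 salt is an assumption drawn from the post's two outputs, not from Heimdal documentation.

```python
"""Check Heimdal key listings and krb5.conf for v4-salted DES keys.

Added example; not from the original message. Assumes that Heimdal prints
'enctype(pw-salt())' for an explicitly empty (Kerberos 4 style) salt and
'enctype(pw-salt)' for the default Kerberos 5 salt, which is how the two
listings in the post differ.
"""
import re

# Constructed sample input, shaped like the two listings in the post,
# joined onto one line each.
KPASSWD_RESULT = ("Keytypes(salttype[(salt-value)]): des3-cbc-sha1(pw-salt), "
                  "des-cbc-md5(pw-salt), des-cbc-md4(pw-salt), des-cbc-crc(pw-salt)")
KADMIN_RESULT = ("Keytypes(salttype[(salt-value)]): des3-cbc-sha1(pw-salt), "
                 "des-cbc-md5(pw-salt()), des-cbc-md4(pw-salt()), des-cbc-crc(pw-salt())")

# Constructed sample config; realm and host names are placeholders.
SAMPLE_CONF = """\
[libdefaults]
        default_realm = EXAMPLE.ORG
[realms]
        EXAMPLE.ORG = {
                kdc = kdc.example.org
                kpasswd_server = kdc.example.org   # used by kpasswd
        }
[kadmin]
        default_keys = des3:pw-salt v4
"""

# enctype(salttype) or enctype(salttype(salt-value)); group 3 is None when no
# explicit salt value is printed and '' for the empty 'pw-salt()' form.
KEY_RE = re.compile(r'([\w-]+)\(([\w-]+)(?:\((.*?)\))?\)')


def parse_keytypes(listing):
    """Return [(enctype, salttype, salt_value)] from a 'Keytypes(...)' line."""
    body = listing.split(':', 1)[-1]          # drop the 'Keytypes(...)' label
    return [m.groups() for m in KEY_RE.finditer(body)]


def klog_usable(listing):
    """True when the principal has a des-cbc-crc key with the explicit empty
    salt, the variant the post reports as working with legacy AFS klog."""
    return any(enc == 'des-cbc-crc' and salt == 'pw-salt' and value == ''
               for enc, salt, value in parse_keytypes(listing))


def parse_krb5_conf(text):
    """Minimal parser for the Heimdal krb5.conf syntax.

    Returns {section: {dotted.key: value}}; nested 'key = { ... }' blocks are
    flattened into dotted keys and '#' starts a comment.
    """
    sections, section, path = {}, None, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section, path = line[1:-1], []
            sections.setdefault(section, {})
        elif line == '}':
            path.pop()
        elif line.endswith('{'):
            path.append(line[:-1].split('=')[0].strip())
        else:
            key, _, value = line.partition('=')
            sections.setdefault(section, {})['.'.join(path + [key.strip()])] = value.strip()
    return sections


def default_keys_sections(conf):
    """Names of the sections that carry a default_keys setting."""
    return [name for name, kv in conf.items() if 'default_keys' in kv]


if __name__ == '__main__':
    for label, listing in (('kpasswd', KPASSWD_RESULT), ('kadmin', KADMIN_RESULT)):
        print(label, 'keys:', parse_keytypes(listing))
        print(label, 'usable by legacy klog:', klog_usable(listing))
    conf = parse_krb5_conf(SAMPLE_CONF)
    print('default_keys found in sections:', default_keys_sections(conf))
```

Feed it the real output of kadmin's get command and the real krb5.conf instead of the constructed samples to see, for a given principal, whether the single-DES key was generated with the empty salt and where default_keys is configured.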