
No Subject



Everything is configured via DNS on all hosts with the exception of
machines that are NAT'ed (in which case I add only
libdefaults/extra_addresses) and the kdc itself (which has many
different options, but no configs containing any realm names).

I can correctly pre-authenticate each password change attempt, but I'm
unable to get the password change to succeed from any realm other than
that of the realm for the kdc/kpasswdd.

I'm still getting up to speed on Heimdal's innards, but in
kpasswd/kpasswdd.c in the verify() function, through gdb(1) I can see
that verify() is trying to use the realm from the server and not the
realm from the ticket.

Breakpoint 1, verify (auth_context=0xbfbfe4a4, server=0x804e3b0, keytab=0x8053040, ticket=0xbfbfe4a0, out_data=0xbfbfe4a8, s=6,
    sa=0xbfbfea30, sa_size=16, msg=0xbfbfe530 "\002{", len=635) at kpasswdd.c:285
285         pkt_len = (msg[0] << 8) | (msg[1]);
(gdb) p auth_context
$1 = (krb5_auth_context *) 0xbfbfe4a4
(gdb) p *server
$2 = {name = {name_type = KRB5_NT_PRINCIPAL, name_string = {len = 2, val = 0x804e3d0}}, realm = 0x804e3c0 "SRVRREALM.COM"}

Is there any reason why it's not using the realm from the ticket,
instead of the realm for the server?  Does krb5_rd_req() handle the
magic necessary to make this work correctly in a non-obvious way?  Is
this a configuration problem?

Thanks in advance.  -sc

-- 
Sean Chittenden