[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Should kadmin ask for password

To: Hai Zaar <haizaar@gmail.com>
Subject: Re: Should kadmin ask for password
From: Love Hörnquist Åstrand <lha@kth.se>
Date: Tue, 4 Dec 2007 21:19:02 -0800
Cc: heimdal-discuss@sics.se
In-Reply-To: <cfb54190711200421i60f5a416j3db19661f86803c2@mail.gmail.com>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <cfb54190611161000s2bd18f24j529dcb4857e68d37@mail.gmail.com> <cfb54190611200148v6ffb7c8fm1b2cbf8728f209ec@mail.gmail.com> <cfb54190611230301v1ea9a8dar26ddcb7a437609b5@mail.gmail.com> <75C09B2B-F942-4053-94FF-736F9A11F7F8@kth.se> <cfb54190612060516k762c4559j477af92615f2c6c0@mail.gmail.com> <DF0F8EE9-1A23-4CDA-87A1-6E837B0E291B@kth.se> <cfb54190612061439p3c14dfcbpdd248880ce321d8a@mail.gmail.com> <0C11B58F-1E19-4A9C-BEAD-7B2CC9A2F44C@kth.se> <cfb54190702280501l3ad454c9n63935562ecc23b46@mail.gmail.com> <42FC943A-C73E-466D-8CB5-8E277034A16D@kth.se> <cfb54190711200421i60f5a416j3db19661f86803c2@mail.gmail.com>
Reply-To: heimdal-discuss@sics.se, Love Hörnquist Åstrand <lha@kth.se>

Hello Hai,

Yes, I re-added the bug somewhere inbetween to fix another problem  
with the patch.

Can you check if 1.0.2-RC5 fixes your problem, I think it should.

Love



20 nov 2007 kl. 04.21 skrev Hai Zaar:

> It looks like the bug is back. In the nutshell.
>
> #> kinit haizaar
> haizaar@DOMAIN.COM password:
> #> kadmin -p haizaar list haizaar
> haizaar@DOMAIN.COM password:
> Love cooked a patch to alter kadmin behavior - if principal is
> specified explicitly, then use it and do not add /admin, etc.
> (http://www.mail-archive.com/heimdal-discuss@sics.se/msg00168.html)
> It looks like the patch was merged upstream.
>
> Although now I'm migrating from 0.7.2 to heimdal-1.0.1 and the problem
> popped out again.
>
> Here is the thead
>
>
> On Apr 21, 2007 10:17 PM, Love Hörnquist Åstrand <lha@kth.se> wrote:
>> Hello Hai,
>>
>> Check old marked email., Did I manged to include the delta in the
>> heimdal 0.8(.1) release ?
>>
>> Love
>>
>>
>> 28 feb 2007 kl. 14.01 skrev Hai Zaar:
>>
>>
>>> Hi, Love!
>>> Sorry for late reply.
>>>
>>> On 12/7/06, Love Hörnquist Åstrand <lha@kth.se> wrote:
>>>> 6 dec 2006 kl. 23.39 skrev Hai Zaar:
>>>>
>>>>> since I do not have kadmin/admin credential in cache.
>>>>
>>>> it will ask you for you password since the principal in the  
>>>> credental
>>>> cache
>>>> doesn't match what it think its the default (your principal with /
>>>> admin added).
>>>>
>>>> If you specify the principal with -p it should work just fine.
>>> But after 2 month in production, I can confirm that your patch works
>>> just fine. Thanks again!
>>> It will be great to have it included in upcoming heimdal-0.8.
>>>
>>>
>>>>
>>>> $ kinit
>>>> lha@SU.SE's Password:
>>>> $ klist
>>>> Credentials cache: FILE:krb5cc_501
>>>>         Principal: lha@SU.SE
>>>>
>>>>   Issued           Expires          Principal
>>>> Dec  7 00:04:57  Dec  7 10:06:00  krbtgt/SU.SE@SU.SE
>>>> Dec  7 00:04:58  Dec  7 10:06:00  afs@SU.SE
>>>>
>>>> $ kadmin -p lha
>>>> kadmin> get lha
>>>>             Principal: lha@SU.SE
>>>> [...]
>>>> kadmin> ext -k /tmp/kaka host/nutcracker.it.su.se
>>>> kadmin> exit
>>>> $ klist
>>>> Credentials cache: FILE:krb5cc_501
>>>>         Principal: lha@SU.SE
>>>>
>>>>   Issued           Expires          Principal
>>>> Dec  7 00:04:57  Dec  7 10:06:00  krbtgt/SU.SE@SU.SE
>>>> Dec  7 00:04:58  Dec  7 10:06:00  afs@SU.SE
>>>> Dec  7 00:05:07  Dec  7 01:05:07  kadmin/admin@SU.SE
>>>> $ kinit -t FILE:/tmp/kaka host/nutcracker.it.su.se@SU.SE
>>>> $ klist
>>>> Credentials cache: FILE:krb5cc_501
>>>>         Principal: host/nutcracker.it.su.se@SU.SE
>>>>
>>>>   Issued           Expires          Principal
>>>> Dec  7 00:11:33  Dec  7 10:12:36  krbtgt/SU.SE@SU.SE
>>>> Dec  7 00:11:34  Dec  7 10:12:36  afs@SU.SE
>>>>
>>>>
>>>>
>>>> with this in the acl file:
>>>>
>>>> $ grep ^lha@ /var/heimdal/kadmind.acl
>>>> lha@SU.SE               get                     lha@SU.SE
>>>> lha@SU.SE               add,get,modify,cpw,del  host/
>>>> nutcracker.it.su.se
>>>>
>>>>
>>>> Love
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Zaar
>>
>>
>
>
>
> -- 
> Zaar

Follow-Ups:
- Re: Should kadmin ask for password
  - From: "Hai Zaar" <haizaar@gmail.com>

Prev by Date: Re: krb5_get_error_string() is not indempotent
Next by Date: Re: Difference in handling SPNEGO tokens between heimdal 0.7.2 , 0.8.1 and 1.0.1
Prev by thread: heimdal 1.0.2RC5
Next by thread: Re: Should kadmin ask for password
Index(es):
- Date
- Thread