To anyone suffering from this bug.
Please try: "-k FILE:/etc/krb5.keytab"
This should also work[1]; however, it obviously requires the key to be exported
first.
Please let me know if that helps.
My current understanding of the details:
The default value of -k is "HDB:".
Heimdal retrieves the keytab with hdb_get_entry(). As the dbname is not
given (dbname should appear to the right of "HDB:"), it would recurse through
the list of known databases (find_db) until a match is found. On a default
Debian configuration this is:
# ./lib/hdb/test_dbinfo
label: default
realm: no realm
dbname: /var/lib/heimdal-kdc/heimdal
mkey_file: /var/lib/heimdal-kdc/m-key
acl_file: /var/lib/heimdal-kdc/kadmind.acl
The value of dbname is used.
However before this happens, krb5_init_creds_set_keytab() is called first.
Since change 118f99e3083144523965f3afea7bdb089253da5e,
krb5_init_creds_set_keytab() checks the result of the call
to krb5_kt_start_seq_get(). Before, if this failed, it didn't matter. Now it
does. This function call ends up at hdb_start_seq_get(). Unfortunately this
function does not like the fact it was not given a specific database to
work on, and fails:
    if (dbname == NULL) {
        /*
         * We don't support enumerating without being told what
         * backend to enumerate on
         */
        ret = KRB5_KT_NOTFOUND;
        return ret;
    }
This failure is propagated back up to krb5_init_creds_set_keytab(), which
calls _krb5_kt_principal_not_found(), which sets the error. This in turn
gets propagated back to hprop.c, get_creds(), which prints the error:
hprop: krb5_get_init_creds: Failed to find kadmin/[email protected] in
keytab HDB: (unknown enctype)
Thanks
Notes:
[1] From my reading of the code, the following should work too:
"-k HDB:/var/lib/heimdal-kdc/heimdal:mkey=/var/lib/heimdal-kdc/m-key"
However, it appears to be buggy. I get:
$7 = {dbname = 0x608e70 "/var/lib/heimdal-kdc/heimdal", mkey = 0x608ea0
"=/var/lib/heimdal-kdc/m-key"}
strace shows:
open("=/var/lib/heimdal-kdc/m-key", O_RDONLY) = -1 ENOENT (No such file or
directory)
i.e. when hdb_resolve() parses the string it fails to skip over the = sign.
[2] As far as I can tell all the bugs presented in this email exist in the
latest master version of Heimdal.
--
Brian May <[email protected]>
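An added example (not part of the message above and not Heimdal's own code) illustrating the two points the message makes about "HDB:" keytab specifiers: a parser for "HDB:[dbname][:mkey=FILE]" that skips the whole ":mkey=" tag (so the master key path does not start with "="), and the "no dbname, nothing to enumerate" rule that hdb_start_seq_get() applies. The function, struct and return codes are hypothetical names chosen for this example.

```c
#include <string.h>

enum { SPEC_OK = 0, SPEC_BADPREFIX, SPEC_TOOLONG, SPEC_NODB };

struct hdb_spec {
    char dbname[256];   /* database path; empty when none was given */
    char mkey[256];     /* master key file; empty when none was given */
};

/* Copy len bytes of s into dst (size n) as a C string; fail if too long. */
static int copy_span(char *dst, size_t n, const char *s, size_t len)
{
    if (len >= n)
        return -1;
    memcpy(dst, s, len);
    dst[len] = '\0';
    return 0;
}

/* Parse "HDB:[dbname][:mkey=FILE]" into out. Hypothetical helper, not hdb_resolve(). */
int hdb_spec_parse(const char *spec, struct hdb_spec *out)
{
    static const char tag[] = ":mkey=";
    const char *name, *sep;

    memset(out, 0, sizeof(*out));
    if (strncmp(spec, "HDB:", 4) != 0)
        return SPEC_BADPREFIX;
    name = spec + 4;

    sep = strstr(name, tag);
    if (sep == NULL) {
        if (copy_span(out->dbname, sizeof out->dbname, name, strlen(name)) != 0)
            return SPEC_TOOLONG;
    } else {
        const char *file = sep + strlen(tag);  /* past the whole ":mkey=" tag */
        if (copy_span(out->dbname, sizeof out->dbname, name, (size_t)(sep - name)) != 0)
            return SPEC_TOOLONG;
        /* Skipping one byte too few here would leave "=/path", which is what
         * the gdb output in note [1] shows and why open() fails with ENOENT. */
        if (copy_span(out->mkey, sizeof out->mkey, file, strlen(file)) != 0)
            return SPEC_TOOLONG;
    }
    /* Same rule as the hdb_start_seq_get() check quoted above: with no
     * dbname there is nothing to enumerate, so a seq_get would fail. */
    if (out->dbname[0] == '\0')
        return SPEC_NODB;
    return SPEC_OK;
}
```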