To anyone suffering from this bug.

Please try: "-k FILE:/etc/krb5.keytab"

Which should also work[1], however, obviously, requires the key be exported
first.

Please let me know if that helps.


My current understanding of the details:

The default value of -k is "HDB:".

Heimdal retrieves the keytab with hdb_get_entry(). As the dbname is not
given (dbname should appear to the right of "HDB:"), it would recurse through
the list of known databases (find_db) until a match is found. On a default
Debian configuration this is:

# ./lib/hdb/test_dbinfo
label: default
        realm: no realm
        dbname: /var/lib/heimdal-kdc/heimdal
        mkey_file: /var/lib/heimdal-kdc/m-key
        acl_file: /var/lib/heimdal-kdc/kadmind.acl

The value of dbname is used.

However, before this happens, krb5_init_creds_set_keytab() is called first.

Since change 118f99e3083144523965f3afea7bdb089253da5e,
krb5_init_creds_set_keytab() checks the result of the call
to krb5_kt_start_seq_get(). Before, if this failed, it didn't matter. Now it
does. This function call ends up at hdb_start_seq_get(). Unfortunately this
function does not like the fact that it was not given a specific database to
work on, and fails:

    if (dbname == NULL) {
        /*
         * We don't support enumerating without being told what
         * backend to enumerate on
         */
        ret = KRB5_KT_NOTFOUND;
        return ret;
    }

This failure is propagated back up to krb5_init_creds_set_keytab(), which
calls _krb5_kt_principal_not_found(), which sets the error. This in turn
gets propagated back to hprop.c, get_creds(), which prints the error:

hprop: krb5_get_init_creds: Failed to find kadmin/[email protected] in
keytab HDB: (unknown enctype)

Thanks



Notes:

[1] From my reading of the code, the following should work too:

"-k HDB:/var/lib/heimdal-kdc/heimdal:mkey=/var/lib/heimdal-kdc/m-key"

However, it appears to be buggy. I get:

$7 = {dbname = 0x608e70 "/var/lib/heimdal-kdc/heimdal", mkey = 0x608ea0
"=/var/lib/heimdal-kdc/m-key"}

strace shows:

open("=/var/lib/heimdal-kdc/m-key", O_RDONLY) = -1 ENOENT (No such file or
directory)

i.e. when hdb_resolve() parses the string it fails to skip over the = sign.


[2] As far as I can tell all the bugs presented in this email exist in the
latest master version of Heimdal.
-- 
Brian May <[email protected]>

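As an added illustration of the two parse outcomes described in this mail (the "HDB:" keytab with no dbname, and the "mkey=" value that keeps its leading "="), here is a hypothetical parser for the part of a keytab name after "HDB:". It is example code, not Heimdal's hdb_resolve(); the struct and function names are assumptions, and skip_equals selects between the reported result (0) and the intended one (1).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed form of "HDB:<dbname>:mkey=<file>". Hypothetical; not hdb_keytab. */
struct hdb_spec {
    char *dbname;   /* NULL when the spec carries no database name */
    char *mkey;     /* NULL when no mkey= option is given */
};

/* Copy [start, end) into a fresh NUL-terminated string. */
static char *dup_range(const char *start, const char *end)
{
    size_t n = (size_t)(end - start);
    char *s = malloc(n + 1);
    if (s == NULL) return NULL;
    memcpy(s, start, n);
    s[n] = '\0';
    return s;
}

/* Parse the text after "HDB:". With skip_equals == 0 the option value keeps
 * its leading '=' (the symptom in the mail: open("=/var/..") fails with
 * ENOENT); with skip_equals == 1 the '=' is consumed as intended.
 * Returns 0 on success, -1 on an unknown option. */
int hdb_spec_parse(const char *name, int skip_equals, struct hdb_spec *out)
{
    const char *colon, *opt;
    out->dbname = out->mkey = NULL;
    if (*name == '\0')
        return 0;   /* bare "HDB:": no dbname, caller must fall back */
    colon = strchr(name, ':');
    out->dbname = dup_range(name, colon ? colon : name + strlen(name));
    if (colon == NULL)
        return 0;
    opt = colon + 1;
    if (strncmp(opt, "mkey", 4) == 0 && opt[4] == '=') {
        const char *val = skip_equals ? opt + 5 : opt + 4;
        out->mkey = dup_range(val, val + strlen(val));
        return 0;
    }
    return -1;
}

/* Mirrors the hdb_start_seq_get() condition quoted in the mail: enumeration
 * is only possible when a specific database name was supplied. */
int hdb_spec_can_enumerate(const struct hdb_spec *s) { return s->dbname != NULL; }

void hdb_spec_free(struct hdb_spec *s) { free(s->dbname); free(s->mkey); }
```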