On Fri, 2008-02-29 at 15:25 -0600, Will Fiveash wrote:
> On Tue, Feb 26, 2008 at 06:50:59PM +0100, Mark Phalan wrote:
> > 
> > Need a code review for the following:
> > 
> > 6658621 Configuration checks for kerberos daemons should be done by the
> >         daemons themselves
> > 6658631 error messages in kerberos daemons need cleanup
> > 6664832 various memleaks in krb libs
> > 6658627 kpropd should use its executable name and not the full path when
> >         logging error messages
> > 6658624 Missing error strings for new kerberos DB error types
> > 
> > The following related CRs will be closed once the above is putback:
> > 
> > 6522924 Failure to start svc:/network/security/krb5kdc should be more
> >         verbose
> > 6646459 'db_exists' and 'kadm5_acl_configed' tests broken in
> >         svc-kdc/svc-kdc.master
> > 6623803 db_exists() in usr/src/cmd/svc/shell/krb_include.sh needs to be
> >         updated to deal with LDAP
> 
> Mark, I know this is a late response so you don't have to deal with it
> in this putback but don't you think,
> *Change Request ID*: 6245750
> *Synopsis*: kadmin "Bad encryption type" error should state the enctype
> should also be a part of it?

I think it could be, I took a look at this last night and came up with
the following:


Old behaviour:

Mar 02 20:12:17 zup kadmind[2324](Notice): Request:
kadm5_randkey_principal, t at ACME.COM, Bad encryption type,
client=mark/admin at ACME.COM, service=kadmin at zup.czech.sun.com, addr=
(10.4.193.194) 

soe-280r-4# kadmin -p mark/admin -q "ktadd -k /tmp/t t"
Authenticating as principal mark/admin with password.
Password for mark/admin at ACME.COM: 
kadmin: Bad encryption type while changing t's key


New behaviour:

Mar 02 21:00:38 zup kadmind[11939](Notice): Request:
kadm5_randkey_principal, t at ACME.COM, Unknown encryption type: 18,
client=mark/admin at ACME.COM, service=kadmin at zup.czech.sun.com, addr=
(10.4.193.194) 

zup#  ./kadmin -p mark/admin -q "ktadd -k /tmp/t p"
Authenticating as principal mark/admin with password.
Password for mark/admin at ACME.COM: 
kadmin: Bad encryption type while changing p's key
kadmin: Encryption types requested: 18, 17, 16, 23, 3, 1


Unfortunately I don't think it would be trivial to have the client print
out the encryption type that caused the server to reject the request. It
would require that the server provide more information than the error
code when failing. This sort of change would require a protocol change
(I think).

I've updated the webrev to include the above changes (see
usr/src/cmd/krb5/kadmin/cli/keytab.c,
usr/src/cmd/krb5/kadmin/server/server_stubs.c and
usr/src/lib/gss_mechs/mech_krb5/crypto/make_random_key.c).

-Mark
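As an added illustration (not part of Mark's message or the webrev), the script below correlates the two messages shown above: it pulls the enctype number out of the new-style kadmind log line and the "Encryption types requested" list out of the kadmin output, so an admin can see which requested enctype the server refused. The enctype-to-name table is the RFC 3961 assignment; the sample log and client lines are constructed from the ones above.

```python
import re

# RFC 3961 assigned enctype numbers for the values kadmin printed above.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}

SERVER_RE = re.compile(r"Unknown encryption type: (\d+)")
CLIENT_RE = re.compile(r"Encryption types requested: ([\d, ]+)")


def rejected_enctype(kadmind_log):
    """Enctype number from a new-style kadmind line, or None when the line
    still carries only the old 'Bad encryption type' text."""
    m = SERVER_RE.search(kadmind_log)
    return int(m.group(1)) if m else None


def requested_enctypes(kadmin_output):
    """The list kadmin now prints after a failed key change."""
    m = CLIENT_RE.search(kadmin_output)
    return [int(x) for x in m.group(1).split(",")] if m else []


def diagnose(kadmind_log, kadmin_output):
    """Which of the client's requested enctypes did the server refuse?"""
    bad = rejected_enctype(kadmind_log)
    if bad is None:
        return {"status": "server log lacks enctype (old kadmind message)"}
    return {
        "status": "rejected",
        "enctype": bad,
        "name": ENCTYPE_NAMES.get(bad, "unassigned/unknown"),
        "client_requested_it": bad in requested_enctypes(kadmin_output),
    }


# Constructed sample input modelled on the log and client output above.
SAMPLE_LOG = ("Mar 02 21:00:38 zup kadmind[11939](Notice): Request: "
              "kadm5_randkey_principal, t@ACME.COM, Unknown encryption type: 18, "
              "client=mark/admin@ACME.COM, service=kadmin@zup.czech.sun.com")
SAMPLE_CLIENT = ("kadmin: Bad encryption type while changing p's key\n"
                 "kadmin: Encryption types requested: 18, 17, 16, 23, 3, 1\n")

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_CLIENT))
```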

