Anthony, the workaround I have is to use different ports for two kadmind processes:

krb5.conf

    [realms]
        SUSE.HOME = {
            kdc = opensuse.suse.home
            admin_server = opensuse.suse.home
        }
        TEST.HOME = {
            kdc = opensuse.suse.home
            kpasswd_server = opensuse.suse.home:10464
            admin_server = opensuse.suse.home:10749
        }

kdc.conf (I use two database files)

    [realms]
        SUSE.HOME = {
            database_name = /var/lib/kerberos/krb5kdc/principal
            admin_keytab = FILE:/var/lib/kerberos/krb5kdc/kadm5.keytab
            acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl
            key_stash_file = /var/lib/kerberos/krb5kdc/.k5.SUSE.HOME
            kdc_ports = 750,88
            supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
            kdc_supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
            max_life = 10h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
        }
        TEST.HOME = {
            database_name = /var/lib/kerberos/krb5kdc/principal.test
            admin_keytab = FILE:/var/lib/kerberos/krb5kdc/kadm5.keytab.test
            acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl.test
            key_stash_file = /var/lib/kerberos/krb5kdc/.k5.TEST.HOME
            kdc_ports = 750,88
            kpasswd_port = 10464
            kadmind_port = 10749
            supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
            kdc_supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
            max_life = 10h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
        }

and start

    kadmind -r SUSE.HOME
    kadmind -r TEST.HOME

and

    krb5kdc -r SUSE.HOME -r TEST.HOME

Regards
Markus

"Anthony Brock" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Markus,
>
> I don't know.
>
> That is why I asked earlier if it was safe to use multiple kadmind daemons
> against the same database. If it is safe, then I can launch multiple
> processes (one for each realm). However, if it isn't safe, I'm assuming that
> there is a way to separate the realm into different databases and launch
> each daemon against a different database. Assuming separating the realms
> into different databases would be safe, how do you do it?
>
> Also, I'll need to figure out how to organize and track the different
> kadmind port numbers for each realm (ensure I don't clobber anything when
> we add a new domain/realm).
>
> In reality this is a hack to work around the issue. I'm willing to do it
> provided the workaround isn't going to corrupt anything. However, the best
> solution would be a fix to the kadmind code (there are times I REALLY wish I
> was a programmer...).
>
> So, does anyone know:
>
> 1. The likelihood of a solution being developed and rolled into the
>    production code?
> 2. How to safely work around the issue?
>
> BTW, thanks for verifying the behavior! One of my biggest concerns was if I
> had missed a configuration step.
>
> Tony
>
> ----- Original Message -----
> From: "Markus Moeller" <[EMAIL PROTECTED]>
> Newsgroups: comp.protocols.kerberos
> To: <kerberos@mit.edu>
> Sent: Tuesday, September 25, 2007 2:05 PM
> Subject: Re: Problems with kadmind, kpasswd and cross-realm authentication
>
>> I can reproduce the problem on my Suse 10.2 box with krb5-1.5.1-23.6
>> installed. Depending how I start kadmind (with -r REALM1 or -r REALM2) I
>> can change the password for a REALM1 or a REALM2 user respectively. My man
>> pages say:
>>
>>     -r realm    specifies the default realm that kadmind will serve; if it
>>                 is not specified, the default realm of the host is used.
>>                 kadmind will answer requests for any realm that exists in
>>                 the local KDC database and for which the appropriate
>>                 principals are in its keytab.
>>
>> If I don't provide the -r option the default realm of the host (is this
>> the kdc?) is used, so it sounds kadmind can not answer for all realms
>> despite the second sentence.
>>
>> Why can't kadmind be used like krb5kdc with -r REALM1 and -r REALM2?
>>
>> Markus
>>
>> "Anthony Brock" <[EMAIL PROTECTED]> wrote in message
>> news:[EMAIL PROTECTED]
>>> I'm running version 1.6 on a Debian lenny box. The actual Debian
>>> packages are:
>>>
>>>     ii  krb5-admin-server  1.6.dfsg.1-7  MIT Kerberos master server (kadmind)
>>>     ii  krb5-kdc           1.6.dfsg.1-7  MIT Kerberos key server (KDC)
>>>
>>> Tony
>>>
>>>> -----Original Message-----
>>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Markus Moeller
>>>> Sent: Monday, September 24, 2007 4:15 PM
>>>> To: kerberos@mit.edu
>>>> Subject: Re: Problems with kadmind, kpasswd and cross-realm authentication
>>>>
>>>> That looks to me like a bug in the kdc code. Which release do you use?
>>>>
>>>> Markus
>>>>
>>>> "Anthony Brock" <[EMAIL PROTECTED]> wrote in message
>>>> news:[EMAIL PROTECTED]
>>>> > Unfortunately I'm not necessarily familiar enough to know if I'm seeing
>>>> > the "correct" tickets. I am seeing 6 packets, with the first 4 directed
>>>> > to/from port 88 and the last 2 directed to/from 464:
>>>> >
>>>> > PKT 1: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KRB5 AS-REQ
>>>> > PKT 2: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> > PKT 3: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KRB5 AS-REQ
>>>> > PKT 4: Client Name (Principal): brocka, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KRB5 AS-REP
>>>> >
>>>> > Then I see:
>>>> >
>>>> > PKT 5: Tkt-vno: 5, Realm: STERLINGCGI.COM, Server Name (Principal): kadmin/changepw, KPASSWD Reply
>>>> > PKT 6: KPASSWD Reply[Malformed Packet]
>>>> >
>>>> > It's interesting to note that I can see in the "text" field of wireshark
>>>> > for the "[Malformed Packet: Kpasswd]" the words "SCGROUP.ORG", "kadmin",
>>>> > "changepw" and "Failed reading application request". However, obviously,
>>>> > wireshark didn't seem to understand the contents of the packet. Other
>>>> > than this anomaly, the REALM looks good to me.
>>>> >
>>>> > I'm also attaching a "text" export of the packet capture from wireshark.
>>>> >
>>>> > Tony
>>>> >
>>>> >> -----Original Message-----
>>>> >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Markus Moeller
>>>> >> Sent: Monday, September 24, 2007 1:39 PM
>>>> >> To: kerberos@mit.edu
>>>> >> Subject: Re: Problems with kadmind, kpasswd and cross-realm authentication
>>>> >>
>>>> >> What do you see when you capture the traffic with wireshark on port 88
>>>> >> and 464? Do you see the correct kadmin/[EMAIL PROTECTED] tickets?
>>>> >>
>>>> >> Markus
>>>> >>
>>>> >> "Anthony Brock" <[EMAIL PROTECTED]> wrote in message
>>>> >> news:[EMAIL PROTECTED]
>>>> >> >> -----Original Message-----
>>>> >> >> Any ideas?
>>>> >> >>
>>>> >> >> The man page states that kadmind should be able to change passwords
>>>> >> >> for any realms that have an associated kadmin/changepw@<REALM> and
>>>> >> >> kadmin/admin@<REALM> principal. Is this still true? Or has support
>>>> >> >> for this functionality been dropped? If not, what debugging can be
>>>> >> >> performed to identify the cause of the issue?
>>>> >> >>
>>>> >> >> Ideas?
>>>> >> >>
>>>> >> >> Tony
>>>> >> >
>>>> >> > Given that it's been 3 weeks and nobody has any suggestions for
>>>> >> > further troubleshooting or identifying the issue, should this be
>>>> >> > submitted as a bug in kadmind? If so, how do I submit it? Is there a
>>>> >> > documented process for this?
>>>> >> >
>>>> >> > Also, are there any suggested workarounds? I've seen references from
>>>> >> > 2004 to people running a separate kadmind daemon for each realm using
>>>> >> > different port numbers. Is this safe against a single db? If not, how
>>>> >> > do you migrate a realm out of the default db into separate db files?
>>>> >> >
>>>> >> > Thanks!
>>>> >> >
>>>> >> > Tony
>>>> >>
>>>> >> ________________________________________________
>>>> >> Kerberos mailing list  Kerberos@mit.edu
>>>> >> https://mailman.mit.edu/mailman/listinfo/kerberos
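As an added check that is not part of Markus's reply or of MIT krb5, a small Python script that parses the [realms] section of a kdc.conf laid out like the workaround above and flags anything two separately started daemons would share: a database, stash, ACL or keytab path, or a kadmind/kpasswd port that more than one realm leaves at the MIT defaults (749/464). This is the "don't clobber anything when we add a new domain/realm" concern from the quoted message; the sample kdc.conf and the NEW.HOME realm used in the test are constructed.

```python
import re
from collections import defaultdict

# Constructed sample kdc.conf in the same shape as the workaround above.
SAMPLE_KDC_CONF = """
[realms]
    SUSE.HOME = {
        database_name = /var/lib/kerberos/krb5kdc/principal
        acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl
        key_stash_file = /var/lib/kerberos/krb5kdc/.k5.SUSE.HOME
        kdc_ports = 750,88
    }
    TEST.HOME = {
        database_name = /var/lib/kerberos/krb5kdc/principal.test
        acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl.test
        key_stash_file = /var/lib/kerberos/krb5kdc/.k5.TEST.HOME
        kdc_ports = 750,88
        kpasswd_port = 10464
        kadmind_port = 10749
    }
"""

# Values that must differ between realms served by separate kadmind processes.
PER_REALM_KEYS = ("database_name", "acl_file", "key_stash_file", "admin_keytab",
                  "kadmind_port", "kpasswd_port")
# MIT defaults used when a realm does not set its own port.
DEFAULTS = {"kadmind_port": "749", "kpasswd_port": "464"}

def parse_realms(text):
    """Return {realm: {key: value}} from the [realms] section of a kdc.conf."""
    realms, current, in_realms = {}, None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("["):                 # section header
            in_realms = line == "[realms]"
            continue
        if not in_realms:
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)  # "REALM = {" opens a stanza
        if m:
            current = m.group(1)
            realms[current] = {}
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            realms[current][key] = value
    return realms

def find_collisions(realms):
    """Return [(key, value, [realms])] for every per-realm value shared by 2+ realms."""
    seen = defaultdict(lambda: defaultdict(list))
    for realm, conf in realms.items():
        for key in PER_REALM_KEYS:
            value = conf.get(key, DEFAULTS.get(key))
            if value is not None:
                seen[key][value].append(realm)
    return [(k, v, rs) for k in seen for v, rs in seen[k].items() if len(rs) > 1]
```

Running `find_collisions(parse_realms(open("/var/lib/kerberos/krb5kdc/kdc.conf").read()))` on the real file should return an empty list before a new realm's kadmind is started.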