Hi again Greg,
Please forget my last email. I already found the files that wwwrun should be
able to run. I will create a special group for reading the files inside
/var/lib/kerberos/krb5kdc/
Now wwwrun acquires correctly the ticket.
Thank you so much.
Kind Regards.
Dario Garcia
Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division
GMV
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
www.gmv.com
-Mensaje original-
De: Dario García Díaz-Miguel
Enviado el: viernes, 14 de agosto de 2020 9:12
Para: Greg Hudson ; kerberos@mit.edu
Asunto: RE: cpw ignoring password policies
Hi Greg,
Thank you so much for your Support and quick replies, really appreciated.
> That's true. The kadmin server code deliberately only checks the minimum
> life if a principal is changing its own password.
Indeed. It makes sense.
> Right, LDAP password history is implemented in release 1.15 but not in 1.12.
I will discuss this point with the project leaders to see if we can upgrade the
krb5 version since this is a requirement as well as some supported features in
further version such as spake preauth or aes256.
> I guess you could print a kadmin ticket for the user from the KDB and then
> authenticate with it:
>
> kinit -k -c somefilename -t KDB: -S kadmin/admin username kadmin -c
> somefilename -q "cpw -pw password username"
> kinit -t KDB: support was added in release 1.9, so should be available.
Perfect. This seems to work for me when running the commands as root user. It
checks the minimum password life and rejects the change.
But, since the user who ran the script files is wwwrun, I'm getting the
following message:
$/usr/lib/mit/bin/kinit -k -c /home/wwwrun/arashimkrbcc -t KDB: -S kadmin/admin
arashim
kinit: No such file or directory while setting up KDB keytab for realm TEST.COM
I've tried with several users and path locations for the cache credentials file
but not succedeed. Using sudo before command works flawlessly.
What files or directories this command checks other than the cache credentials
created, requiring to grant some permissions to the user who is running it?
According to kinit man, the "KDB:" option looks directly inside the Kerberos
Database. So, this should be a permissions issue to access to the Kerberos
Database. But honestly, I don't know what files and which should I grant to
read to wwwrun to make this work avoiding to hardcode the root password in
plain text. I'm not being able to track it on logs either.
Since we built the Kerberos Database on OpenLDAP krbContainer, what file is the
one which non-root user should be able to read in order to make this work?
Another option regarding with the idea you sent me could be create a keytab
owned by wwwrun to store all users keys and use. However I would prefer to ask
the ticket looking directly into the KDB instead of using another keytab for
all users. It could be a headache to maintain and totally a bad practice.
Again, thank you so much for your help.
Kind Regards.
Dario Garcia
Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division
GMV
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
www.gmv.com
-Mensaje original-
De: Greg Hudson [mailto:ghud...@mit.edu] Enviado el: jueves, 13 de agosto de
2020 17:36
Para: Dario García Díaz-Miguel ; kerberos@mit.edu
Asunto: Re: cpw ignoring password policies
On 8/13/20 1:51 AM, Dario García Díaz-Miguel wrote:
> I can change all the time the password of the principal with that policy
> applied despite the minimum password life described.
That's true. The kadmin server code deliberately only checks the minimum life
if a principal is changing its own password.
> Also I'm able to apply old passwords and the history is not being respected,
> but I'm afraid that's the expected behavior because of the LDAP database
> module.
Right, LDAP password history is implemented in release 1.15 but not in 1.12.
> I understand that cpw is more like the administration password changing tool
> and in order to be able to change the password whenever it requires by the
> system administrator, the minimum password life is not being applied.
> But then, Any ideas about how could we proceed?
I guess you could print a kadmin ticket for the user from the KDB and then
authenticate with it:
kinit -k -c somefilename -t KDB: -S kadmin/admin username
kadmin -c somefilename -q "cpw -pw password username"
kinit -t KDB: support was added in release 1.9, so should be available.
P Please consider the environment before printing this e-mail.
P Please consider the environment before printing this e-mail.
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos