Subject: bin/10878: Kerberos passwd problems with 1.5E
To: None <gnats-bugs@gnats.netbsd.org>
From: None <fvdl@netbsd.org>
List: netbsd-bugs
Date: 08/22/2000 07:30:14
>Number: 10878
>Category: bin
>Synopsis: Kerberos passwd problems with 1.5E
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Aug 22 07:31:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Frank van der Linden
>Release: 1.5E as of august 21st, 2000, and 1.5_ALPHA2 of the same date
>Organization:
The Multi-headed Dog Appreciation Association.
>Environment:
System: NetBSD frank 1.5E NetBSD 1.5E (FRANK) #11: Sat Aug 19 19:58:02 MEST 2000 fvdl@sushi:/work/trees/nfs/sys/arch/i386/compile/FRANK i386
>Description:
-current Heimdal doesn't seem to play nice with regard to kpasswdd.
The kpasswd client fails in different ways.
First of all, there is a bug in roken_getaddrinfo_hostspec();
it doesn't use SOCK_DGRAM as the default socket type, causing
getaddrinfo() to fail if you just have "admin_server = blah"
in your config file. It does work if you explicitly use
"admin_server = udp/blah". It seems that this might be fixed
in -current because it uses roken_getaddrinfo_hostspec2(), which
takes a socket type as an extra argument. On the branch, this
causes kpasswd to always fail with "bad file descriptor" (see below).
Secondly, roken_getaddrinfo_hostspec() (and its newer version in
-current) return the return value from getaddrinfo(). However,
these error codes are different from plain errnos and krb5
error codes, so they get interpreted the wrong way. For example
"service not found for socket type" becomes "bad file descriptor".
When running a -current kpasswdd on an otherwise 1.5_ALPHA system
(statically linked to avoid using the wrong libraries), clients
will have kpasswd exit with
passwd: krb5_change_password: Message out of order
However, the password does appear to have been successfully changed.
-current clients fail against an 1.5_ALPHA2 server with
passwd: failed to get credentials: ASN.1 value too large
..immediately after typing in the first password. The server log
shows "No PA-ENC-TIMESTAMP" messages.
>How-To-Repeat:
Try to change your Kerberos password with a mix of 1.5_ALPHA
and -current systems.
>Fix:
For the first problem, a simple
hints.ai_socktype = SOCK_DGRAM;
line at the start of roken_getaddrinfo_hostspec will suffice in
the code on the branch (to avoid pulling the rest up).
For the other problems: unknown.
>Release-Note:
>Audit-Trail:
>Unformatted: