[OpenAFS-devel] Bug using krb5-1.2.2 kinit and aklog to get keytab AFS credentials
Jim Doyle
doyle@theworld.com
Sat, 10 Nov 2001 10:15:07 -0500
Now that I have aklog working, I discovered another bug in the Kerberos
5 kinit tool when authenticating from a keytab rather than using a
cleartext password. When kinit-ing from a keytab file, you will get a
vague error like this:
------------------------------------------------------------------------------
[root@prozac kinit]# ./kinit -k -t /etc/krb5.keytab wwwserver1
kinit(v5): Bad encryption type while getting initial credentials
------------------------------------------------------------------------------
The cause of the problem is that the krb5_get_init_creds_keytab() library
function needs a vector of supported enctypes to be initialized. When you
apply the patch at the bottom, things will work just dandy.
Things then work as needed; I'm using this to create persistent AFS
authentication contexts for various server processes...
------------------------------------------------------------------------------
[root@prozac kinit]# ./kinit -k -t /etc/krb5.keytab wwwserver1
[root@prozac kinit]# aklog
[root@prozac kinit]# tokens
Tokens held by the Cache Manager:
User's (AFS ID 10004) tokens for afs@example.com [Expires Nov 10 21:10]
--End of list--
[root@prozac kinit]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: wwwserver1@EXAMPLE.COM
Valid starting     Expires            Service principal
11/10/01 11:10:54  11/10/01 21:10:54  krbtgt/EXAMPLE.COM@EXAMPLE.COM
11/10/01 11:10:55  11/10/01 21:10:54  afs@EXAMPLE.COM
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@prozac kinit]#
-------------------------------------------------------------------------------
patch to krb5-1.2.2/src/clients/kinit/kinit.c
(from krb5-1.2.2-12.src.rpm):
==============================================================================
[root@prozac kinit]# diff kinit.c.orig kinit.c
93a94,95
> extern const struct krb5_keytypes krb5_enctypes_list[];
> extern const int krb5_enctypes_length;
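Review bot: the two extern declarations added after line 93, krb5_enctypes_list and krb5_enctypes_length, are not referenced by any later hunk in this patch, which builds its own local supported_enctypes array instead. Suggest dropping them so kinit.c does not depend on symbols declared by hand rather than through a header.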
728a731,732
> krb5_enctype supported_enctypes[] = { ENCTYPE_DES_CBC_CRC };
> unsigned int enctypes_length = sizeof(supported_enctypes);
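Review bot: enctypes_length is set to sizeof(supported_enctypes), which is the array's size in bytes, while krb5_get_init_creds_opt_set_etype_list() takes the number of entries in the list. With one element this passes sizeof(krb5_enctype) instead of 1, so the library is told the list is longer than the array really is. Suggest sizeof(supported_enctypes) / sizeof(supported_enctypes[0]).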
735a740,749
>
> /*
> * set the list of desired enc types
> */
>
> krb5_get_init_creds_opt_set_etype_list(&options,
> supported_enctypes,
> enctypes_length);
>
>
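Review bot: the krb5_get_init_creds_opt_set_etype_list() call at new lines 740-749 has no condition around it in this hunk and sits well before the case INIT_KT: at line 799, so it appears to pin every kinit mode, not only keytab logins, to the single hard-coded ENCTYPE_DES_CBC_CRC. Suggest applying it only on the keytab path and taking the list from configuration or from the key types present in the keytab rather than a fixed single-DES entry. The comment should also say why the list has to be set here.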
776c790
<
---
>
785c799
< case INIT_KT:
---
> case INIT_KT:
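Review bot: this 785c799 change to case INIT_KT:, like 776c790 before it, differs only in whitespace as shown. Suggest leaving both out so the patch carries only the enctype fix.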