[OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

Harald Barth haba@kth.se
Thu, 08 Aug 2013 09:05:05 +0200 (CEST)


> Because I'm doing lots of updates to 1.5.2 patched
> with the patch I posted, using kadmin from 1.6~git20120403+dfsg1-3, and
> having no trouble.

That's good. I will have to double check versions of everything. Maybe
I'm confused, maybe there is another patch at another place in there,
that prevents the failure from happening.

> What type of update? 

What I understand from the reports I got, some version of kadmin
sets something called "policy" after setting "attributes". The
policy is set to "default" whatever that means.

kadmin> mod haba
....
Attributes [requires-pre-auth, disallow-postdated]: <ENTER>
Policy [default]: <ENTER>

On Ubuntu 13.04:
This is kadmin 1.5.99 (as it calls itself :-() or
1.6~git20120403+dfsg1-2 as the package version is called.

If you have the bug:

This policy change to default for the principal is then propagated
through iprop from the master to the slave. The receiving end then
calls abort() on the unknown content in the iprop modify. It does
not fail if you use hprop.

So the test for the bug is to set up a system with master and slave
and then issue a mod like above, containing the policy "change" to
default. If your ipropd-slave then aborts, you have the bug. If not,
it has been fixed somewhere in the chain
kadmin->kadmind->ipropd-master->ipropd-slave.

Harald.