[OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document
Russ Allbery
rra@stanford.edu
Thu, 08 Aug 2013 00:15:35 -0700
Harald Barth <haba@kth.se> writes:
> What I understand from the reports I got, some version of kadmin sets
> something called "policy" after setting "attributes". The policy is set
> to "default" whatever that means.
> kadmin> mod haba
> ....
> Attributes [requires-pre-auth, disallow-postdated]: <ENTER>
> Policy [default]: <ENTER>
> On Ubuntu 13.04:
> This is kadmin 1.5.99 (as it calls itself :-() or
> 1.6~git20120403+dfsg1-2 as the package version is called.
> If you have the bug:
> This policy change to default for the principal is then propagated
> through iprop from the master to the slave. The receiving end then calls
> abort() on the unknown content in the iprop modify. It does not fail if
> you use hprop.
> So the test for the bug is to set up a system with master and slave and
> then issue a mod like above, containing the policy "change" to
> default. If your ipropd-slave then aborts, you have the bug. If not, it
> has been fixed somewhere in the chain
> kadmin->kadmind->ipropd-master->ipropd-slave.
Oh, okay. Thanks for the information; I'll watch out for that.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>