[OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

Russ Allbery rra@stanford.edu
Thu, 08 Aug 2013 00:15:35 -0700

Harald Barth <haba@kth.se> writes:

> What I understand from the reports I got, some version of kadmin sets
> something called "policy" after setting "attributes". The policy is set
> to "default" whatever that means.

> kadmin> mod haba
> ....
> Attributes [requires-pre-auth, disallow-postdated]: <ENTER>
> Policy [default]: <ENTER>

> On Ubuntu 13.04:
> This is kadmin 1.5.99 (as it calls itself :-() or
> 1.6~git20120403+dfsg1-2 as the package version is called.

> If you have the bug:

> This policy change to default for the principal is then propagated
> through iprop from the master to the slave. The receiving end then calls
> abort() on the unknown content in the iprop modify. It does not fail if
> you use hprop.

> So the test for the bug is to set up a system with master and slave and
> then issue a mod like above, containing the policy "change" to
> default. If your ipropd-slave then aborts, you have the bug. If not, it
> has been fixed somewhere in the chain
> kadmin->kadmind->ipropd-master->ipropd-slave.

Oh, okay.  Thanks for the information; I'll watch out for that.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>