From owner-freebsd-security Thu Jun 25 12:26:47 1998
Date: Thu, 25 Jun 1998 12:25:41 -0700
To: security@FreeBSD.ORG
From: Ludwig Pummer
Subject: kerberos su problems betw 2 machines

I've finally gotten Kerberos (as part of the des distribution) installed on my 2.2.6-R machine (called fortress, with a DNS cname called kerberos) and my 2.2.5-R machine (called inet).

my krb.conf:

    CHIPWEB.ML.ORG
    CHIPWEB.ML.ORG fortress.chipweb.ml.org admin server
    CHIPWEB.ML.ORG kerberos.chipweb.ml.org

my krb.realms:

    fortress.chipwb.ml.org CHIPWEB.ML.ORG
    .chipweb.ml.org CHIPWEB.ML.ORG

Fortress is also running my own DNS server, which is why *.chipweb.ml.org appears as 24.1.82.47 to the outside world, but internally I have 6-7 machines in the domain chipweb.ml.org (using the 172.16.0.0/16 IP range). I set up kerberos on fortress according to the handbook, creating passwd.fortress, rcmd.fortress, passwd.inet, rcmd.inet, fortress's srvtab, and inet's srvtab. I also created ludwigp and ludwigp.root (for testing the SU acl).

On fortress, logging in as ludwigp gives me my ticket. I can kinit to ludwigp.root and also su to root (I've set up the .klogin for root to be "ludwigp.root@CHIPWEB.ML.ORG"). On inet, logging in as ludwigp gives me my ticket. I can kinit to ludwigp.root and get my ticket, but trying to do su gives me:

    su: kerberos: unable to verify rcmd ticket: Incorrect network address (krb_rd_req)

Another thing which bothered me: I downloaded the kerberized telnet from ftp://ftp.pdc.kth.se/pub/krb/binaries/i386-unknown-winnt4.0/ and it telnets into fortress with encryption, giving me my proper tickets (the telnet program has its own ticket lister). Trying to do the same with inet doesn't work; I get a normal telnet connection, without encryption or tickets. Both systems have the r* services disabled in inetd, but the Kerberos authenticated services (r* -k) are enabled. The server is also running the additional registerd and kpasswdd services.

Any reason why 2.2.5-R's kerberos behaves differently and can't communicate the same as 2.2.6-R's kerberos?

Another question: If I want kerberos to be the only place the passwords are stored (since my master.passwd isn't being changed when passwd is used to change the kerberos password), how would I go about doing that?

--Ludwig Pummer
ludwigp@bigfoot.com
ICQ UIN: 692441
http://chipweb.home.ml.org
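As an added illustration (not part of the post above, and not FreeBSD's own code): a small parser for the krb.conf and krb.realms files quoted in the message, which approximates the Kerberos IV host-to-realm lookup (exact host entry, then domain suffix, then the host's domain upper-cased) and flags any host entry in krb.realms that neither names a krb.conf server nor falls under a domain rule. The two file bodies are embedded as constructed copies of what the post shows.

```python
"""Parse Kerberos IV krb.conf / krb.realms and cross-check them (added example)."""

# Constructed copies of the two files quoted in the post.
KRB_CONF = """CHIPWEB.ML.ORG
CHIPWEB.ML.ORG fortress.chipweb.ml.org admin server
CHIPWEB.ML.ORG kerberos.chipweb.ml.org
"""
KRB_REALMS = """fortress.chipwb.ml.org CHIPWEB.ML.ORG
.chipweb.ml.org CHIPWEB.ML.ORG
"""

def parse_krb_conf(text):
    """Return (local_realm, {realm: [(kdc_host, is_admin_server), ...]})."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    local_realm = lines[0]                      # first line: the local realm
    servers = {}
    for line in lines[1:]:                      # remaining lines: REALM host [admin server]
        parts = line.split()
        realm, host = parts[0], parts[1].lower()
        is_admin = parts[2:4] == ["admin", "server"]
        servers.setdefault(realm, []).append((host, is_admin))
    return local_realm, servers

def parse_krb_realms(text):
    """Return (exact-host map, domain-suffix map); keys are lower-cased."""
    hosts, domains = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        key, realm = parts[0].lower(), parts[1]
        (domains if key.startswith(".") else hosts)[key] = realm
    return hosts, domains

def realm_of_host(host, hosts, domains):
    """Approximate krb_realmofhost(): exact entry, longest matching domain rule,
    else fall back to the host's own domain in upper case (assumed behaviour)."""
    host = host.lower()
    if host in hosts:
        return hosts[host]
    for dom in sorted(domains, key=len, reverse=True):
        if host.endswith(dom):
            return domains[dom]
    return host.split(".", 1)[1].upper() if "." in host else host.upper()

def check_consistency(conf_text, realms_text):
    """List krb.realms host entries that match no krb.conf server and no domain rule."""
    _, servers = parse_krb_conf(conf_text)
    hosts, domains = parse_krb_realms(realms_text)
    known = {h for entries in servers.values() for h, _ in entries}
    return sorted(h for h in hosts
                  if h not in known and not any(h.endswith(d) for d in domains))
```

Running `check_consistency(KRB_CONF, KRB_REALMS)` over the quoted files reports the host entry that is covered by neither rule set, which is the kind of mismatch worth ruling out before looking at network-address problems.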