libpam-krb5-migrate-heimdal asks for wrong principal
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pam-krb5-migrate (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Client: Ubuntu 8.04.3; server: Ubuntu 8.04.3 with Heimdal KDC. On the client, the following setup:
```
auth sufficient pam_krb5.so
auth requisite pam_ldap.so
auth optional pam_krb5_migrate.so debug principal=pam/pam
```
On the server, a "pam/pam" principal with "pam/pam add *" rights.
The client reports correctly (i.e. as you would expect):
login(pam_
The server instead reports:
```
AS-REQ <email address hidden> from IPv4:xxx.
UNKNOWN -- <email address hidden>: No such entry in the database
```
Strangely enough, the client seems not to register this, as it doesn't mention the ... "while initializing kadmin interface" error message; instead, it continues with "username [%s] obtained", then mentions 'Unknown code krb5 6 creating principal "<email address hidden>"'.
So the migration does not work.
At first, I thought libpam-
I wouldn't know where to look next. This looks like a sort of interfacing problem (why doesn't pam-krb5-migrate.so return an error when there's no root/admin user available?), but I wouldn't know where to look for it.
Workaround: add a "root/admin" principal to the KDC and give it "add" rights to the KDC database. Export the key for root/admin to /etc/security (or wherever you put your key, using the "keytab=...." option). Then specify "principal= root/admin" for all of the clients you want to migrate.
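A small consistency check for the workaround above, added here as an example and not part of pam-krb5-migrate or Heimdal: it reads the `principal=` option from the pam_krb5_migrate line of a PAM stack and confirms that this principal is granted `add` in a Heimdal kadmind.acl, which is the condition the KDC log ("No such entry in the database") shows was not met. The file paths and the sample files are constructed for the example.

```shell
#!/bin/sh
# Hypothetical helper (not part of pam-krb5-migrate): confirm that the
# principal handed to pam_krb5_migrate.so via principal=... is actually
# granted "add" in the Heimdal kadmind.acl, so the module can create the
# migrated principal instead of the KDC answering "No such entry".

# Print the principal=... value from the pam_krb5_migrate line of file $1.
migrate_principal() {
    grep 'pam_krb5_migrate\.so' "$1" |
        sed -n 's/.*principal=\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Return 0 if principal $2 has "add" (or "all") in kadmind.acl $1.
# Heimdal ACL lines: <principal> <right>[,<right>...] [<glob-pattern>]
acl_allows_add() {
    awk -v who="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == who {
            n = split($2, r, ",")
            for (i = 1; i <= n; i++)
                if (r[i] == "add" || r[i] == "all") ok = 1
        }
        END { exit ok ? 0 : 1 }' "$1"
}

# 0 = consistent, 1 = no principal= option, 2 = principal lacks add rights.
check_migrate_setup() {
    p=$(migrate_principal "$1")
    [ -n "$p" ] || return 1
    acl_allows_add "$2" "$p" || return 2
}

# Constructed sample files, modelled on the stack in the report.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/pam.conf" <<'EOF'
auth sufficient pam_krb5.so
auth requisite pam_ldap.so
auth optional pam_krb5_migrate.so debug principal=pam/pam keytab=/etc/security/migrate.keytab
EOF
cat > "$SAMPLE_DIR/kadmind.acl" <<'EOF'
# principal      rights   pattern
pam/pam          add      *
EOF
# ACL as it looks after the workaround: only root/admin may add principals.
printf 'root/admin       add      *\n' > "$SAMPLE_DIR/kadmind-workaround.acl"

check_migrate_setup "$SAMPLE_DIR/pam.conf" "$SAMPLE_DIR/kadmind.acl" \
    && echo "principal in PAM stack has add rights in kadmind.acl" \
    || echo "check failed (rc=$?)"
```

Run against the workaround ACL with the original `principal=pam/pam` line, the check returns 2, which is the mismatch this report describes from the KDC side.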