[Bug 488686] [NEW] libpam-krb5-migrate-heimdal asks for wrong principal

[Valentijn Sessink]

Public bug reported:

Client: Ubuntu 8.04.3; server: Ubuntu 8.04.3 with Heimdal KDC. On the client, the following setup:
auth    sufficient      pam_krb5.so
auth    requisite       pam_ldap.so
auth    optional        pam_krb5_migrate.so debug principal=pam/pam
On the server, a "pam/pam" principal with "pam/pam add *" rights.

The client reports correctly (i.e. as you would expect):
login(pam_krb5_migrate)[24697]: Authenticating as principal pam/pam with keytab /etc/security/pam_krb5.keytab.

The server instead reports:
AS-REQ root/admin at KANTOOR.OPENOFFICE.NL from IPv4:192.168.112.50 for kadmin/admin at KANTOOR.OPENOFFICE.NL
UNKNOWN -- root/admin at KANTOOR.OPENOFFICE.NL: No such entry in the database

Strangely enough, the client seems not to register this, as it doesn't
mention the ... "while initializing kadmin interface" error message;
instead, it continues with "username [%s] obtained", then mentions
'Unknown code krb5 6 creating principal "username at KERBEROS.DOMAIN"'.

So the migration does not work.

At first, I thought libpam-krb5-migrate-heimdal was at fault all by
itself. But when I tried the same package on Ubuntu 9.10, it worked as
expected: it got the kadmin/admin principal by logging in as pam/pam,
and added the user correctly.

I wouldn't know where to look next. This looks like a sort of
interfacing problem (why doesn't pam-krb5-migrate.so return an error
when there's no root/admin user available?), but I wouldn't know where
to look for it.

** Affects: pam-krb5-migrate (Ubuntu)
     Importance: Undecided
         Status: New

-- 
libpam-krb5-migrate-heimdal asks for wrong principal
https://bugs.launchpad.net/bugs/488686
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs