Subject: bin/10878: Kerberos passwd problems with 1.5E
To: None <gnats-bugs@gnats.netbsd.org>
From: None <fvdl@netbsd.org>
List: netbsd-bugs
Date: 08/22/2000 07:30:14
>Number:         10878
>Category:       bin
>Synopsis:       Kerberos passwd problems with 1.5E
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Aug 22 07:31:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Frank van der Linden
>Release:        1.5E as of August 21st, 2000, and 1.5_ALPHA2 of the same date
>Organization:
The Multi-headed Dog Appreciation Association.
>Environment:
	
System: NetBSD frank 1.5E NetBSD 1.5E (FRANK) #11: Sat Aug 19 19:58:02 MEST 2000 fvdl@sushi:/work/trees/nfs/sys/arch/i386/compile/FRANK i386


>Description:
	-current Heimdal doesn't seem to play nice with regard to kpasswdd.
	The kpasswd client fails in different ways.

	First of all, there is a bug in roken_getaddrinfo_hostspec();
	it doesn't use SOCK_DGRAM as the default socket type, causing
	getaddrinfo() to fail if you just have "admin_server = blah"
	in your config file. It does work if you explicitly use
	"admin_server = udp/blah". It seems that this might be fixed
	in -current because it uses roken_getaddrinfo_hostspec2(), which
	takes a socket type as an extra argument. On the branch, this
	causes kpasswd to always fail with "bad file descriptor" (see below).

	Secondly, roken_getaddrinfo_hostspec() (and its newer version in
	-current) returns the return value from getaddrinfo(). However,
	these error codes are different from plain errnos and krb5
	error codes, so they get interpreted the wrong way. For example
	"service not found for socket type" becomes "bad file descriptor".

	When running a -current kpasswdd on an otherwise 1.5_ALPHA system
	(statically linked to avoid using the wrong libraries), clients
	will have kpasswd exit with

		passwd: krb5_change_password: Message out of order

	However, the password does appear to have been successfully changed.

	-current clients fail against a 1.5_ALPHA2 server with

		passwd: failed to get credentials: ASN.1 value too large

	...immediately after typing in the first password. The server log
	shows "No PA-ENC-TIMESTAMP" messages.

	
>How-To-Repeat:
	Try to change your Kerberos password with a mix of 1.5_ALPHA
	and -current systems.
>Fix:
	For the first problem, a simple

		hints.ai_socktype = SOCK_DGRAM;

	line at the start of roken_getaddrinfo_hostspec will suffice in
	the code on the branch (to avoid pulling the rest up).

	For the other problems: unknown.
>Release-Note:
>Audit-Trail:
>Unformatted:
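
The second problem in the report comes from passing a getaddrinfo() return value to code that expects an errno. The following is an added example, not Heimdal or NetBSD code, that keeps the two error domains apart and sets the SOCK_DGRAM hint from the proposed fix. The names resolve_udp, resolve_err and resolve_strerror are hypothetical, and the numeric host and port 464 (the registered kpasswd port) are constructed inputs.

```c
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Which table an error code belongs to; EAI_* and errno values can overlap. */
enum err_domain { ERR_NONE, ERR_ERRNO, ERR_GAI };
struct resolve_err { enum err_domain domain; int code; };

/* Hypothetical wrapper (not Heimdal's): resolve a UDP service endpoint. */
static struct resolve_err
resolve_udp(const char *host, const char *service, int flags,
            struct addrinfo **res)
{
    struct resolve_err err = { ERR_NONE, 0 };
    struct addrinfo hints;
    int rc;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_DGRAM;  /* explicit default, as in the PR's fix */
    hints.ai_flags = flags;
    rc = getaddrinfo(host, service, &hints, res);
    if (rc == EAI_SYSTEM) {          /* only in this case is errno meaningful */
        err.domain = ERR_ERRNO;
        err.code = errno;
    } else if (rc != 0) {            /* an EAI_* value, never an errno */
        err.domain = ERR_GAI;
        err.code = rc;
    }
    return err;
}

/* Render the code with the function that matches its domain. */
static const char *resolve_strerror(struct resolve_err err)
{
    if (err.domain == ERR_GAI)
        return gai_strerror(err.code);
    return err.domain == ERR_ERRNO ? strerror(err.code) : "success";
}

int main(void)
{
    struct addrinfo *res = NULL;
    /* Constructed input: numeric-only lookup, so no network is needed. */
    struct resolve_err e = resolve_udp("not-numeric", "464", AI_NUMERICHOST, &res);
    printf("%s\n", resolve_strerror(e));
    return 0;
}
```

A caller that has to hand back a single integer, as the krb5 code paths do, would need an explicit translation step from this pair rather than returning the EAI_* value unchanged.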