Posted to dev@directory.apache.org by SHAWN E SMITH <se...@psu.edu> on 2016/08/05 14:13:32 UTC

Kerby Remote KAdmin

All,

We've been working on getting the protocol working against an MIT Kerb instance. Based on byte tracing in Wireshark we think we're pretty close, but something is still not lining up cleanly. Has anyone else done a deep dive on this that may be able to provide some feedback on what we're doing? I'd like to find a good way to share what we're doing, but most of it is outside of core Kerby so I'm not sure where to put it for others to see it.

Thanks,
Shawn

Any fool can write code that a computer can understand. Good programmers write code that humans can understand.
--Martin Fowler 

Shawn Smith
Director of Software Engineering
Administrative Information Services
814-321-5227
ses44@psu.edu

https://keybase.io/ussmith

Fwd: Kerby Remote KAdmin

Posted by Emmanuel Lécharny <el...@gmail.com>.
Transferring this mail to the Kerby Mailing list..



-------- Forwarded Message --------
Date: 	Fri, 5 Aug 2016 10:13:32 -0400 (EDT)
From: 	SHAWN E SMITH <se...@psu.edu>
To: 	Apache Directory Developers List <de...@directory.apache.org>
Message-ID: 	<89...@psu.edu>
Subject: 	Kerby Remote KAdmin



All,

We've been working on getting the protocol working against an MIT Kerb instance. Based on byte tracing in Wireshark we think we're pretty close, but something is still not lining up cleanly. Has anyone else done a deep dive on this that may be able to provide some feedback on what we're doing? I'd like to find a good way to share what we're doing, but most of it is outside of core Kerby so I'm not sure where to put it for others to see it.

Thanks,
Shawn

Any fool can write code that a computer can understand. Good programmers write code that humans can understand.
--Martin Fowler 

Shawn Smith
Director of Software Engineering
Administrative Information Services
814-321-5227
ses44@psu.edu

https://keybase.io/ussmith


Re: Kerby Remote KAdmin

Posted by SHAWN E SMITH <se...@psu.edu>.
The problem we're seeing is that the Kerby server admin accounts aren't configured to be compliant with the MIT kadmin account. Kerby allows the user to use a TGT to acquire a service ticket for kadmin, while MIT doesn't, so the auth methods are misaligned. I've recreated some C++ libraries I wrote to do this a while back; hopefully I can use them to help trace through and see where our packets are being malformed.

Thanks for the response, we'll keep plugging and let you know what we figure out.

Shawn

"The programmer … works only slightly removed from pure thought-stuff.
He builds his castles in the air, from air, creating by exertion of the imagination."
— Fred Brooks

Shawn Smith
Director of Software Engineering
Administrative Information Services
Penn State University
814-321-5227
ses44@psu.edu

https://keybase.io/ussmith

----- Original Message -----
From: "Zheng, Kai" <ka...@intel.com>
To: "Apache Directory Developers List" <de...@directory.apache.org>, kerby@directory.apache.org
Sent: Friday, August 5, 2016 5:48:31 PM
Subject: RE: Kerby Remote KAdmin

Hi Shawn,

I haven't done a deep dive on that, but I thought what's been going on is to get it to work first from kerby remote client -> kerby admin server, using a protocol approach (XDR) aligned with MIT Kerberos admin. After that, effort will be made to get it to work with MIT admin using the kerby admin client. Yan Yan is the major contributor, but she had left the team, so I'm not sure whether she will keep contributing or not. Another contributor from the team, Qing, is working on a remote web UI interface of his own accord.

Regards,
Kai


RE: Kerby Remote KAdmin

Posted by "Zheng, Kai" <ka...@intel.com>.
Hi Shawn,

I haven't done a deep dive on that, but I thought what's been going on is to get it to work first from kerby remote client -> kerby admin server, using a protocol approach (XDR) aligned with MIT Kerberos admin. After that, effort will be made to get it to work with MIT admin using the kerby admin client. Yan Yan is the major contributor, but she had left the team, so I'm not sure whether she will keep contributing or not. Another contributor from the team, Qing, is working on a remote web UI interface of his own accord.

Regards,
Kai
