kadmind error - krb5_recvauth: start_seq_get is not supported in the HDBGET keytab type

Asked by Kartik Subbarao

I'm trying to migrate a heimdal KDC with an OpenLDAP backend from a Debian 5.x server (heimdal 1.2.dfsg.1-2.1) to a Ubuntu 14.04 server (heimdal 1.6~git20131207+dfsg-1ubuntu1.1), and am running into problems with kadmind on the 14.04 system.

Some Kerberos functionality works fine -- I can run kinit, get a ticket and use GSSAPI authentication with sshd successfully. I can even use kadmin with the -l option successfully. However, when I leave out the -l option and try to talk to kadmind, I get errors. For example, if I export the kadmin/admin keytab to the file /tmp/kadmin.keytab and run:

    kadmin -p kadmin/admin -K /tmp/kadmin.keytab get kadmin/admin

I get the error:

    kadmind[38823]: krb5_recvauth: start_seq_get is not supported in the HDBGET keytab type

This exact same command, with the exact same kadmin.keytab file, works just fine on the Debian 5.x system.

The situation in which I get the above error is where I've either copied the /var/lib/heimdal-kdc/heimdal.db file from the Debian 5.x server to the Ubuntu 14.04 server, or the heimdal.db file is nonexistent. If I use the default heimdal.db file that gets created along with the heimdal package installation, I see a different error from kadmind:

    kadmind[38853]: krb5_recvauth: Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96

I don't understand why the contents of heimdal.db matter, since I'm using an OpenLDAP backend. It seems odd that a static db file is somehow being consulted when the principals are in the LDAP directory. I have verified that I have copied the LDAP directory intact from the Debian 5.x system to the Ubuntu 14.04 system, and there is no master key being used (there is no mkey_file directive, and even if I copy over the default m-key file that was auto-generated originally on the Debian 5.x it doesn't make any difference). Not sure what else I could do to ensure that the configurations are as similar as possible.

I also tried backporting the more recent heimdal 1.6rc2 package to 14.04 but got the same errors. I tried tracing through kadmind's behavior with gdb but nothing jumped out as being an obvious issue.

Does anyone know what might be going on here? Here are /etc/krb5.conf and /etc/heimdal-kdc/kdc.conf files to illustrate the config:

=====

    # /etc/krb5.conf
    [libdefaults]
    default_realm = EXAMPLE.COM
    forwardable = true
    proxiable = true
    renewable = true
    scan_interfaces = true

    [realms]
    EXAMPLE.COM = {
      admin_server = localhost
      kdc = localhost
    }

    [domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM

    [logging]
    default = SYSLOG:INFO

=====

    # /etc/heimdal-kdc/kdc.conf
    [logging]
    kdc = FILE:/var/log/heimdal-kdc.log
    kdc = SYSLOG:INFO

    [kdc]
    database = {
      dbname = ldap:dc=example,dc=com
      hdb-ldap-create-base = ou=Kerberos,dc=example,dc=com
      acl_file = /etc/heimdal-kdc/kadmind.acl
    }

Question information

Language: English
Status: Solved
For: Ubuntu heimdal
Assignee: No assignee
Solved by: Kartik Subbarao
Kartik Subbarao (subbarao) said:
#1

Looks like various code changes between 1.2 and 1.6 led to the problem that I was seeing. To fix the problem, I did the following:

    1. Added the kadmin/admin principal to /etc/krb5.keytab
    2. Appended "--keytab=/etc/krb5.keytab" to the kadmind arguments in /etc/inetd.conf

This tells kadmind to explicitly look in /etc/krb5.keytab (instead of "HDBGET:") for the kadmin/admin principal that it uses to authenticate to kdc.

For more information, see https://github.com/heimdal/heimdal/issues/133
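The two-step fix from the answer, scripted with the check a practitioner would want afterwards (the keytab now carries the kadmin/admin key, so it must be root-only). This is an added example, not the poster's own commands; it assumes Debian/Ubuntu Heimdal paths and a Debian-style inetd.conf line for kadmind, which is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Debian/Ubuntu heimdal
# paths; the inetd.conf kadmind line below is a constructed sample.
set -eu

KEYTAB=/etc/krb5.keytab
FLAG="--keytab=$KEYTAB"

# Step 1, run on the KDC only: export the kadmin/admin key into the keytab
# with the local (-l) kadmin, then list the keytab to confirm the entry.
export_kadmin_key() {
    kadmin -l ext_keytab --keytab="$KEYTAB" kadmin/admin
    ktutil --keytab="$KEYTAB" list
}

# Step 2: append "--keytab=..." to the kadmind line of an inetd.conf-style
# file. Idempotent: a line that already carries the flag is left alone, and
# comment lines are never touched.
add_kadmind_keytab_flag() {
    conf="$1"
    tmp="$(mktemp)"
    awk -v flag="$FLAG" '
        !/^[[:space:]]*#/ && /(^|[[:space:]])kadmind([[:space:]]|$)/ \
            && index($0, flag) == 0 { $0 = $0 " " flag }
        { print }' "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# The keytab holds the kadmin/admin key, i.e. full administrative rights over
# the realm: succeed only if it is owned by root with mode 0600 (GNU stat).
keytab_perms_ok() {
    [ "$(stat -c '%U:%a' "$1")" = "root:600" ]
}

# Stand-alone demo on a constructed copy of the inetd.conf line; running the
# edit twice shows that the flag is added exactly once.
demo="$(mktemp)"
printf '%s\n' \
  'kerberos-adm stream tcp nowait root /usr/lib/heimdal-servers/kadmind kadmind' \
  > "$demo"
add_kadmind_keytab_flag "$demo"
add_kadmind_keytab_flag "$demo"
cat "$demo"
rm -f "$demo"
```

After editing the real /etc/inetd.conf, restart inetd and re-run the failing `kadmin -p kadmin/admin ...` command from the question; `keytab_perms_ok /etc/krb5.keytab` should succeed on the KDC.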