Re: kadmin not working after server migration, but kdc works

From: w@uter.be (Wouter Verhelst)
Newsgroups: comp.protocols.kerberos
Subject: Re: kadmin not working after server migration, but kdc works
Date: Wed, 21 Sep 2022 17:44:40 +0200
Organization: none
Lines: 41
Message-ID: <mailman.103.1663775123.8148.kerberos@mit.edu>
References: <YynL5A9eZog8XQNu@pc220518.home.grep.be>
<03a01502-744e-d72f-d8b5-bff5e2980826@mit.edu>
<Yyn8l/Qed7tgqZqU@pc220518.home.grep.be> <871qs5yg3g.fsf@hope.eyrie.org>
<YyrBL9bEEmFayl3U@pc220518.home.grep.be>
<b0aeb636-a019-59fa-67c7-105255a1f1ac@mit.edu>
<YysxaGpWfFiNJMrV@pc220518.home.grep.be>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: kerberos@mit.edu
To: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <b0aeb636-a019-59fa-67c7-105255a1f1ac@mit.edu>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
 by: Wouter Verhelst - Wed, 21 Sep 2022 15:44 UTC

On Wed, Sep 21, 2022 at 10:29:57AM -0400, Greg Hudson wrote:
> On 9/21/22 03:45, Wouter Verhelst wrote:
> > default_principal_expiration = 0
>
> This value is failing to parse as a timestamp. Removing this line
> appears to clear up the config parsing error, and the default should
> have the same effect.

Yes, that seems to fix the issue -- at least kadmin.local works again.

\o/

Thanks!

> I see that the documentation for default_principal_expiration says "The
> default value is 0, which means no expiration date." I see how someone
> would get that from the code when writing the documentation, but clearly
> the documented default should be something that parses. (I think you'd
> have to write out the beginning of the POSIX time epoch--in local
> time--in something like yyyymmddhhmmss format to get this default.) The
> whole concept of default_principal_expiration as an absolute time seems
> suspect to me; I have trouble imagining a productive realm configuration
> where every new principal by default expires on some particular fixed date.
>
> I don't see any meaningful differences between the current code in this
> area and the code going back fifteen years or so. So I'm not sure how
> this broke during a migration.

The migration was quite a while ago; it is possible (given this error,
perhaps a better way to put it is "likely") that I fiddled with the
configuration files while migrating to the new server (while wanting to
"clean things up" or some such) and forgot about it in the time since.

Sincerest apologies for the confusion there, but a heartfelt thanks for
helping me fix it! I never would've found that by myself...

--
w@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}

I will have a Tin-Actinium-Potassium mixture, thanks.
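
An added example (not from the thread or from MIT krb5): a small linter for the failure discussed above. It walks the [realms] section of a kdc.conf and reports default_principal_expiration values that are not in the yyyymmddhhmmss form Greg Hudson mentions. The sample file, realm names and function name are constructed for illustration; other timestamp formats the real parser may accept are not modelled and would be flagged for manual review.

```python
import re

# Constructed sample kdc.conf (not the poster's real file); EXAMPLE.ORG and
# EXAMPLE.NET are placeholder realms.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88

[realms]
    EXAMPLE.ORG = {
        max_life = 10h 0m 0s
        default_principal_expiration = 0
    }
    EXAMPLE.NET = {
        # default_principal_expiration = 0
        default_principal_expiration = 20300101000000
    }
"""

# Assumption: only the yyyymmddhhmmss form mentioned in the thread is modelled.
TIMESTAMP_RE = re.compile(r"^\d{14}$")
SECTION_RE = re.compile(r"^\[(\w+)\]$")
BLOCK_OPEN_RE = re.compile(r"^(\S+)\s*=\s*\{$")
RELATION_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")

def find_suspect_expirations(text):
    """Return (line_no, realm, value) for each default_principal_expiration
    in [realms] whose value is not a 14-digit timestamp."""
    findings, section, realm = [], None, None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if m := SECTION_RE.match(line):
            section, realm = m.group(1), None
        elif section == "realms" and (m := BLOCK_OPEN_RE.match(line)):
            realm = m.group(1)
        elif line == "}":
            realm = None
        elif realm and (m := RELATION_RE.match(line)):
            key, value = m.group(1), m.group(2).strip()
            if key == "default_principal_expiration" and not TIMESTAMP_RE.match(value):
                findings.append((line_no, realm, value))
    return findings

if __name__ == "__main__":
    for line_no, realm, value in find_suspect_expirations(SAMPLE_KDC_CONF):
        print(f"line {line_no}: realm {realm}: {value!r} may not parse as a timestamp")
```

Running a check like this before restarting kadmind after a configuration change catches the error at edit time, which matters here because the KDC kept working and hid the problem.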

