Copying principals to another realm


Copying principals to another realm

Victor Sudakov
Dear Colleagues,

I would like to copy some user principals from one realm to another
while retaining their keys/passwords. Which is the correct way to do
it a) within one multi-realm KDC b) between two KDCs?

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]

Re: Copying principals to another realm

Henry B (Hank) Hotz, CISSP-2
If both are Heimdal, then I’ve done:

kadmin -l dump --decrypt | grep '^principal' >xfr.file
kadmin -l merge xfr.file

If it’s between implementations, then the only general solution is to independently create them with a password (a really long/good password). I’ve written no code, but I’ve generally advocated the creation of a keytab import capability as a solution to this problem. If that’s been done, then I’d be interested in which implementations it’s been done with.

> On Sep 16, 2016, at 2:48 AM, Victor Sudakov <[hidden email]> wrote:
>
> Dear Colleagues,
>
> I would like to copy some user principals from one realm to another
> while retaining their keys/passwords. Which is the correct way to do
> it a) within one multi-realm KDC b) between two KDCs?
>
> --
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:[hidden email]

Personal email.  [hidden email]




Re: Copying principals to another realm

Victor Sudakov
Henry B (Hank) Hotz, CISSP wrote:
> > I would like to copy some user principals from one realm to another
> > while retaining their keys/passwords. Which is the correct way to do
> > it a) within one multi-realm KDC b) between two KDCs?

> If both are Heimdal, then I've done:
>
> kadmin -l dump --decrypt | grep ^principal >xfr.file
> kadmin -l merge xfr.file

Yes, but the xfr.file will contain principals with realms appended,
but I want to copy principals into a different realm.

Of course, I can use sed/awk to change the realm suffixes:

kadmin -l dump -d | grep ^principal |\
  sed  's/OLD\.REALM/NEW.REALM/' >xfr.file

but are you sure the keys don't depend somehow on those suffixes
(maybe hashed realm suffixes, I dunno).


--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]

Re: Copying principals to another realm

Love Hörnquist Åstrand

On 16 Sep. 2016 at 22:07, Victor Sudakov <[hidden email]> wrote:

> Henry B (Hank) Hotz, CISSP wrote:
> > > I would like to copy some user principals from one realm to another
> > > while retaining their keys/passwords. Which is the correct way to do
> > > it a) within one multi-realm KDC b) between two KDCs?
>
> > If both are Heimdal, then I've done:
> >
> > kadmin -l dump --decrypt | grep ^principal >xfr.file
> > kadmin -l merge xfr.file
>
> Yes, but the xfr.file will contain principals with realms appended,
> but I want to copy principals into a different realm.
>
> Of course, I can use sed/awk to change the realm suffixes:
>
> kadmin -l dump -d | grep ^principal |\
>   sed  's/OLD\.REALM/NEW.REALM/' >xfr.file
>
> but are you sure the keys don't depend somehow on those suffixes
> (maybe hashed realm suffixes, I dunno).

you need to use rename inside kadmin, so import w/o the sed and the rename.

This makes sure the salt is updated, your sed statement doesn’t do that.

Love


Re: Copying principals to another realm

Victor Sudakov
Love Hörnquist Åstrand wrote:

> >      I would like to copy some user principals from one realm to another
> >      while retaining their keys/passwords. Which is the correct way to do
> >      it a) within one multi-realm KDC b) between two KDCs?
> >
> >      If both are Heimdal, then I've done:
> >      kadmin -l dump --decrypt | grep ^principal >xfr.file
> >      kadmin -l merge xfr.file
> >
> >      Yes, but the xfr.file will contain principals with realms appended,
> >      but I want to copy principals into a different realm.
> >      Of course, I can use sed/awk to change the realm suffixes:
> >      kadmin -l dump -d | grep ^principal |\
> >      sed  's/OLD\.REALM/NEW.REALM/' >xfr.file
> >      but are you sure the keys don't depend somehow on those suffixes
> >      (maybe hashed realm suffixes, I dunno).
>
>    you need to use rename inside kadmin, so import w/o the sed and
>    the rename.  This makes sure the salt is updated, your sed
>    statement doesn't do that.

This won't work within a multi-realm KDC because I need to copy, not
rename.

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]

Re: Copying principals to another realm

Love Hörnquist Åstrand

> you need to use rename inside kadmin, so import w/o the sed and
> the rename.  This makes sure the salt is updated, your sed
> statement doesn't do that.

> This won't work within a multi-realm KDC because I need to copy, not
> rename.

Your sed trick will only work for keys not salted with the principal. If you have principal-salted keys (the default) and don't want to use rename, you must unpack the key and set the default salt type (i.e. what rename does).

Love


Re: Copying principals to another realm

Lars-Johan Liman-2
In reply to this post by Victor Sudakov
Hi!

[hidden email]:
> This won't work within a multi-realm KDC because I need to copy, not
> rename.

Hmm. What if you

1) "export" the existing ones to an xfr file (as described)
2) Rename the ones that are still in the database to the new realm name.
   (This gives you the new realm name, but you lose the old one.)
3) Then import from the xfr file and _don't_ change the realm in there.
   (This gives you back the old realm name.)

You should now have two entries for each such user - one with the old
realm name, and one with the new.

Or am I, as usual, totally off the mark? ;-)

                                Best regards,
                                  /Lars-Johan Liman
#----------------------------------------------------------------------
# Lars-Johan Liman, M.Sc.               !  E-mail: [hidden email]
# Senior Systems Specialist             !  Tel: +46 8 - 562 860 12
# Netnod Internet Exchange, Stockholm   !  http://www.netnod.se/
#----------------------------------------------------------------------

Re: Copying principals to another realm

Paul Robert Marino
In reply to this post by Love Hörnquist Åstrand
Have you looked at using aliases?
In Heimdal you can create aliases for principals as other principals,
even in other realms.
It works well with a few exceptions:
1) you can only use kpasswd on the original principal or you get an error
2) kadmin has some order-of-operations issues with it if you use an
alias as an admin principal.
There were also 1 or 2 other weird quirks I found with it too, but all
things considered, when I've worked in environments with multiple realms
it has meant that the users only have to change their password in 1
place.
That said, there are usually other ways to handle this such as trusts
and capaths which you should probably consider first.


On Mon, Sep 19, 2016 at 11:45 AM, Love Hörnquist Åstrand <[hidden email]> wrote:

>
>   you need to use rename inside kadmin, so import w/o the sed and
>   the rename.  This makes sure the salt is updated, your sed
>   statement doesn't do that.
>
>
> This won't work within a multi-realm KDC because I need to copy, not
> rename.
>
>
> your sed trick will only work for keys not salted with principal. If you
> have principal salted keys (default) If you don’t want to use rename, you
> must unpack the key and set a the default salt type (i.e. that rename does).
>
> Love
>

Re: Copying principals to another realm

Henry B (Hank) Hotz, CISSP-2
In reply to this post by Victor Sudakov
I’ve done it with cross-realm principals so I needed to keep the realm intact.

I’m assuming, now, that *you* want to move [hidden email] to [hidden email] without changing the password. The standard password-string-to-key algorithm uses the realm name as salt in the algorithm, so that may not work if you’re naive about it.

Assuming you’re running a version of Heimdal which saves the password salt in the text dump, then you should be able to simply change the realm in the principal name (column 1, ‘:’-delimited). Do NOT change the realm in the salt values in subsequent columns. This should do what you want as long as the clients respect the salt values supplied in the extra handshake. I wouldn’t guarantee that all clients will do so.

If you’re running both realms from the same DB, then what others have said about the rename command applies. It will do the change I described above, and you can restore the original principal to keep both.

If you’re using aliases, then note that aliases must be globally unique.

If both principals are supposed to be kept in sync permanently, then I would consider a password quality plugin for the purpose. Aliases make me nervous, but maybe they shouldn’t.

> On Sep 16, 2016, at 10:07 PM, Victor Sudakov <[hidden email]> wrote:
>
> Henry B (Hank) Hotz, CISSP wrote:
>>> I would like to copy some user principals from one realm to another
>>> while retaining their keys/passwords. Which is the correct way to do
>>> it a) within one multi-realm KDC b) between two KDCs?
>
>> If both are Heimdal, then I've done:
>>
>> kadmin -l dump --decrypt | grep ^principal >xfr.file
>> kadmin -l merge xfr.file
>
> Yes, but the xfr.file will contain principals with realms appended,
> but I want to copy principals into a different realm.
>
> Of course, I can use sed/awk to change the realm suffixes:
>
> kadmin -l dump -d | grep ^principal |\
> sed  's/OLD\.REALM/NEW.REALM/' >xfr.file
>
> but are you sure the keys don't depend somehow on those suffixes
> (maybe hashed realm suffixes, I dunno).
>
>
> --
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:[hidden email]

Personal email.  [hidden email]
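Love's point that principal-salted keys break under a plain sed rewrite, and Hank's description of the realm acting as the salt, can be checked directly. The following is an added example, not code from the thread or from Heimdal: it models the RFC 4120 default salt and only the salted PBKDF2 stage of the aes128-cts string-to-key function, and the realm names, principal and password are constructed.

```python
import hashlib

# Default PBKDF2 iteration count for the aes-sha1 enctypes (RFC 3962)
DEFAULT_ITERATIONS = 4096


def default_salt(principal: str) -> bytes:
    """RFC 4120 default salt: the realm followed by every name component,
    in order, with no separators.  'alice/admin@EXAMPLE.ORG' gives
    b'EXAMPLE.ORGaliceadmin', so the salt changes whenever the realm does."""
    name, realm = principal.rsplit("@", 1)
    return (realm + "".join(name.split("/"))).encode()


def salted_secret(password: bytes, salt: bytes,
                  iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Salted stage of the aes128-cts string-to-key function (RFC 3962):
    PBKDF2-HMAC-SHA1(password, salt) truncated to 128 bits.  The final DK()
    step that turns this into the AES key is a fixed function of this value
    and never sees the realm, so it is left out here: if this value differs,
    the resulting long-term key differs too."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, 16)


def rewrite_realm(principal: str, new_realm: str) -> str:
    """What the sed trick from the thread does to the principal name."""
    name, _ = principal.rsplit("@", 1)
    return f"{name}@{new_realm}"


def key_survives_rewrite(password: bytes, principal: str, new_realm: str,
                         keep_explicit_salt: bool) -> bool:
    """Does a client logging in to the rewritten principal derive the same
    secret that was stored for the original one?
    keep_explicit_salt=True models a dump that carries the old salt and a
    KDC/client that honour it (what 'rename' preserves); False models a
    naive realm rewrite where the client falls back to the default salt of
    the *new* name."""
    old_salt = default_salt(principal)
    stored = salted_secret(password, old_salt)
    renamed = rewrite_realm(principal, new_realm)
    salt_used = old_salt if keep_explicit_salt else default_salt(renamed)
    return salted_secret(password, salt_used) == stored


if __name__ == "__main__":
    # Constructed sample values, not from the thread.
    for keep in (False, True):
        ok = key_survives_rewrite(b"hunter2", "alice@OLD.REALM", "NEW.REALM", keep)
        print(f"explicit salt kept={keep}: key still matches={ok}")
```

The RFC 3962 test vector (password "password", salt "ATHENA.MIT.EDUraeburn", one iteration) can be fed to salted_secret to confirm the salted stage is computed as the standard specifies.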




Re: Copying principals to another realm

Victor Sudakov
In reply to this post by Paul Robert Marino
Paul Robert Marino wrote:
> have you looked at using aliases?

Never even heard of them. I'm using Heimdal 1.1.0, probably aliases
are not there yet.


--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]