Request to build Kerberos user packages.
Use case: SSH into servers enabled with Kerberos/GSSAPI in lieu of passing SSH keys around.
I have a pull request for krb5: #588
There is now a package available: apt update && apt install krb5. It hasn't been split up into subpackages (yet), so it contains everything from Kerberos.
Does krb5 contain krb5-user? I tried it, but I couldn't set the realm during installation, nor can I find /etc/krb5.conf, which is used to set the realm.
@zidongtuili Yes, it's the same. You need to create a conf file manually. We do not ship a sample config. It should be placed in $PREFIX/etc.
@vishalbiswas Thanks. It did work with $PREFIX/etc/krb5.conf. But I got "cannot find kdc for realm" with the default krb5.conf after adding the realm (which worked on Ubuntu). My settings don't have a valid KDC server address, so I thought dns_lookup_kdc = true was used. Maybe because DNS was not enabled in Termux or in Kerberos?
@zidongtuili c-ares was used as the resolver lib for krb5. Can you share your krb5 config?
EDIT
I'd like to point out that I've packaged it in accordance with the Arch Linux package instead of Ubuntu.
EDIT 2
I agree; the current state of krb5 package is very complex. I'll work on it today.
@vishalbiswas Thanks for the quick response. I'm using http://web.mit.edu/quentin/krb5-config/krb5.conf.debathena-orig
default_realm = is filled with my university, which doesn't appear in the rest of the file. If you do think the realm (the value of default_realm =) matters, I can tell you.
@zidongtuili I've updated the krb5 package #893
If you have an arm device, I can provide you a deb file to test.
EDIT-
no worries, it was merged. Install the new package and report whether it was fixed.
EDIT-2
Uploaded an aarch64 deb, too -> https://drive.google.com/drive/folders/0B8Q4yBRb9PSHcVAxbjhZQmszbVU
@vishalbiswas Thank you. Still "Cannot find KDC for realm ... ", and it also failed with the default realm (MIT), maybe because the user name is not registered at MIT. I wonder if I installed it correctly:
The krb5.conf is replaced, so I think the installation succeeded.
Are you able to log in with other accounts? Is there a test account or something? I just worry that this is because of my local network issue or something, and it might be a waste of time for you.
@zidongtuili Have you set up your realm correctly? Your config's [realms] section should have the realm that you set in default_realm.
@vishalbiswas Yes, I've changed default_realm = to my realm
I mean, do you have an entry under [realms] for the realm that you use?
@vishalbiswas No. I only changed default_realm =. I don't know the settings for my realm, and it works on Ubuntu.
I encountered a similar problem. My realm HOME.NIVEX.NET has SRV records to indicate the KDC. kinit does not appear to be able to resolve these.
The krb5 package has been updated once again. Try it out. If the problem persists, it's most likely an error in your config. Enable logging and post the output here. And that config that you posted, does it work in others? I mean the exact same config without changes?
@vishalbiswas This is the file tested on Ubuntu 16.04 (Linux Deploy): krb5.conf. I replaced part of my realm with X.
@zidongtuili remove entries for krb4_config and krb4_realms, and enable logging then try to connect. Make sure that you have the latest package.
Still no joy with the stock krb5.conf.
$ kinit [email protected]
kinit: Cannot find KDC for realm "HOME.NIVEX.NET" while getting initial credentials
I have updated default_realm and manually added an entry under [realms]. I am now getting
$ kinit kjotte
kinit: Cannot contact any KDC for realm 'HOME.NIVEX.NET' while getting initial credentials
I have verified that the KDC mercury.home.nivex.net is pingable from within termux.
Okay, so this happens only with hostnames.
I'll troubleshoot this, meanwhile, specifying actual IP address can be used as a workaround.
Kerberos works perfectly fine for me. I can kinit and get a ticket. But the problem now is that I can't do anything with my Kerberos ticket because your openssh wasn't built with Kerberos activated. Can you do an openssh build with --with-kerberos5=/usr (or whatever path is appropriate for your build)?
I'll note that if this works, you will have solved the long-standing problem of the lack of Kerberos on Android!!
@vishalbiswas @fornwall @xeffyr
As of today's krb5 package, looking up KDCs using DNS is not enabled yet. I think configuring KDCs in krb5.conf works, although I didn't try.
Please refer to MIT kerberos admin guide's section "Hostnames for KDCs" for why looking up KDCs using DNS is recommended (http://web.mit.edu/KERBEROS/krb5-1.10/krb5-1.10.7/doc/krb5-admin.html#Using-DNS)
As with the DNS-based mechanism for determining the Kerberos realm of a host, we recommend distributing the information this way for use by other sites that may want to interact with yours using Kerberos, even if you don't immediately make use of it within your own site. If you anticipate installing a very large number of machines on which it will be hard to update the Kerberos configuration files, you may wish to do all of your Kerberos service lookups via DNS and not put the information (except for admin_server as noted above) in future versions of your krb5.conf files at all. Eventually, we hope to phase out the listing of server hostnames in the client-side configuration files; making preparations now will make the transition easier in the future.
The recommendation is rephrased since 1.11 (http://web.mit.edu/KERBEROS/krb5-1.11/doc/admin/realm_config.html#hostnames-for-kdcs)
MIT recommends that your KDCs have a predefined set of CNAME records (DNS hostname aliases), such as kerberos for the master KDC and kerberos-1, kerberos-2, ... for the slave KDCs. This way, if you need to swap a machine, you only need to change a DNS entry, rather than having to change hostnames.
As of MIT krb5 1.4, clients can locate a realm's KDCs through DNS using SRV records (RFC 2782), assuming the Kerberos realm name is also a DNS domain name.....
...
Since MIT Kerberos 1.15, clients can look up KDCs through DNS URI records (http://web.mit.edu/KERBEROS/krb5-1.15/doc/admin/realm_config.html#kdc-discovery)
As of MIT krb5 1.15, clients can also locate KDCs in DNS through URI records (RFC 7553). Limitations with the SRV record format may result in extra DNS queries in situations where a client must failover to other transport types, or find a master server. The URI record can convey more information about a realm's KDCs with a single query.
...
Termux now uses MIT kerberos 1.16.2. Please enable DNS lookup when building the package, thanks.
See #3326
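The two failure modes discussed in this thread, a realm with no [realms] entry and no DNS-based KDC discovery (the "Cannot find KDC for realm" error), and the SRV/URI lookup path that MIT krb5 1.15+ uses when dns_lookup_kdc is enabled, can be walked through with the added example below. It is illustrative code written for this page, not code from the krb5 or Termux projects: the krb5.conf fragments, the realm EXAMPLE.TEST, the host names and the in-memory stand-in for the DNS zone are all constructed, and the lookup order is a simplification of what the real client does (the real client asks the system resolver, which in the Termux build is c-ares).

```python
"""Model of how an MIT krb5 client locates the KDCs for a realm.

Simplified order (MIT krb5 >= 1.15): explicit kdc= lines in [realms] win;
otherwise, if dns_lookup_kdc is enabled, query _kerberos.<realm> (URI,
RFC 7553), then _kerberos._udp.<realm> and _kerberos._tcp.<realm> (SRV,
RFC 2782). With neither, the lookup fails with the error seen in the thread.
"""
import re

# Constructed krb5.conf fragments (not a real site's configuration).
CONF_NO_REALM = """
[libdefaults]
    default_realm = EXAMPLE.TEST
    dns_lookup_kdc = false
"""

CONF_DNS = """
[libdefaults]
    default_realm = EXAMPLE.TEST
    dns_lookup_kdc = true
"""

CONF_EXPLICIT = """
[libdefaults]
    default_realm = EXAMPLE.TEST
    dns_lookup_kdc = false

[realms]
    EXAMPLE.TEST = {
        kdc = kdc1.example.test
        kdc = kdc2.example.test:88
        admin_server = kdc1.example.test
    }
"""

# Constructed stand-in for the DNS zone (owner name -> records). A real client
# issues these queries through the system resolver instead.
FAKE_DNS = {
    "_kerberos.example.test": [("URI", "krb5srv:m:tcp:kdc2.example.test:88")],
    "_kerberos._udp.example.test": [("SRV", "kdc1.example.test", 88)],
    "_kerberos._tcp.example.test": [("SRV", "kdc1.example.test", 88)],
}


class KDCNotFound(Exception):
    """Raised where kinit would print 'Cannot find KDC for realm'."""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: [values]}}. Inside [realms],
    each 'REALM = { ... }' block becomes {realm: {key: [values]}}."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, block = header.group(1), None
            sections.setdefault(section, {})
            continue
        if section is None:
            continue  # key/value outside any section: ignored
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = key
            sections[section][block] = {}
            continue
        target = sections[section][block] if block else sections[section]
        target.setdefault(key, []).append(value)
    return sections


def host_port(spec, default=88):
    """'host[:port]' -> (host, port); IPv6 literals are not handled here."""
    host, _, port = spec.partition(":")
    return host, int(port) if port else default


def locate_kdcs(conf_text, realm, dns=FAKE_DNS):
    """Return [(source, (host, port)), ...] or raise KDCNotFound."""
    conf = parse_krb5_conf(conf_text)
    explicit = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if explicit:
        return [("explicit", host_port(h)) for h in explicit]

    # MIT's default for dns_lookup_kdc is true; a build without DNS lookup
    # support behaves like 'false' here, so only explicit kdc= lines work.
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0].lower()
    if flag not in ("true", "yes", "1"):
        raise KDCNotFound(f'Cannot find KDC for realm "{realm}"')

    zone, found, seen = realm.lower(), [], set()
    for name in (f"_kerberos.{zone}", f"_kerberos._udp.{zone}", f"_kerberos._tcp.{zone}"):
        for rec in dns.get(name, []):
            if rec[0] == "SRV":
                entry = ("srv", (rec[1], rec[2]))
            else:  # URI target: krb5srv:<flags>:<transport>:<host>[:<port>]
                parts = rec[1].split(":")
                entry = ("uri", (parts[3], int(parts[4]) if len(parts) > 4 else 88))
            if entry[1] not in seen:  # same host:port via udp and tcp: list once
                seen.add(entry[1])
                found.append(entry)
    if not found:
        raise KDCNotFound(f'Cannot find KDC for realm "{realm}"')
    return found


def probe(conf_text, realm):
    """What kinit would report: the KDC list, or the error message."""
    try:
        return locate_kdcs(conf_text, realm)
    except KDCNotFound as e:
        return str(e)


if __name__ == "__main__":
    for label, conf in (("no realm", CONF_NO_REALM), ("dns", CONF_DNS), ("explicit", CONF_EXPLICIT)):
        print(label, "->", probe(conf, "EXAMPLE.TEST"))
```

The CONF_NO_REALM case reproduces the situation from the first half of the thread: default_realm set, no [realms] block, and no usable DNS discovery, so the client has nowhere to send the AS-REQ. The CONF_DNS case shows why the SRV and URI records matter once the package is built with DNS lookup enabled: the client finds the KDCs with no per-host configuration at all.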