Kerberos Ticket without principal?
Rafael Toucedo
rtoucedo at optaresolutions.com
Tue Jul 26 00:13:12 MDT 2011
can you post your /etc/krb5.conf ?
El 22/07/2011 19:20, Christian M Ambach escribió:
> Hi list,
>
> I have seen a smbd built from v3-6-test crashing today in
> get_user_from_kerberos_info()
> because princ_name was null and it then tripped over that in the following
> line:
> strchr_m(princ_name, '@').
> Unfortunately, I couldn't save away a log or core file and I wasn't able
> to
> recreate it yet :(
>
> What do you think might have gone wrong here? Did the Windows box send an
> invalid
> Kerberos ticket or did we fail to parse it somewhere?
>
> My naive approach to prevent further coredumps would be to add a safeguard
> before the
> strchr_m line, something like:
>
> --- a/source3/auth/user_krb5.c
> +++ b/source3/auth/user_krb5.c
> @@ -49,6 +49,11 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX
> *mem_ctx,
>
> DEBUG(3, ("Kerberos ticket principal name is [%s]\n",
> princ_name));
>
> + if (!princ_name) {
> + DEBUG(3, ("Ticket as empty principal!\n"));
> + return NT_STATUS_LOGON_FAILURE;
> + }
> +
> p = strchr_m(princ_name, '@');
> if (!p) {
> DEBUG(3, ("[%s] Doesn't look like a valid principal\n",
>
> Would that be good enough without having more debug data?
> Other proposals?
>
> Cheers,
> Christian
--
*Rafael Toucedo Muñoz* | Coordinador equipo de sistemas
www.optaresolutions.com
<http://www.optaresolutions.com>
Optare Solutions <http://optarecoolvendor.com><http://optarecoolvendor.com>
More information about the samba-technical
mailing list