Patch: System keytab usage improvements

Andrew Bartlett abartlet at samba.org
Tue Jun 1 02:47:06 GMT 2004


On Tue, 2004-06-01 at 12:16, Dan Perry wrote:

I certainly would not keep anything more than kvno - 2 or a week, but
let's just do kvno - 1 for now, we can always fix it later.

> Like I mentioned above, things will probably head towards using secrets.tdb
> eventually.   However, this patch is getting kind of big already.  Perhaps
> maybe using secrets.tdb could come after the patch at hand is merged.  I'd be
> happy to work on getting secrets.tdb to store a better keytab structure...

OK.  It's just easier to extract these things when we can hold a patch
over their heads ;-)

> Upon re-reading the email I sent, perhaps I should explain the changes my
> patch makes to kerberos_verify() a little more clearly.   The patch does not
> create a situation in which kerberos_verify would break, by changing
> kerberos_verify() to be keytab only.   The patched kerberos_verify() works
> like this:
> 
> 	FIRST PASS - checks the keys in the keytab, if it even exists.   If a
> key works, great, the session succeeds.
> 
> 	SECOND PASS - if the keys in the keytab fail, (for example if the
> keytab doesn't exist, the system admin doesn't have a correct reverse dns
> zone, etc.)  Then kerberos_verify() tries to use the machine password from
> secrets.tdb to make keys, just like the function did before the patch was
> applied.  
> 
> 	THIRD PASS - nothing left to try, NT_STATUS_ACCESS_DENIED is
> returned.
> 
> This behavior should be completely backwards compatible and just as lenient
> to a poor Kerberos / dns setup as the kerberos_verify() function was before
> the patch.   It does, however, let users with existing Kerberos session keys
> continue to use those keys after a machine password change.  However, if you
> know a better way to implement, please let me know.

That makes it sound much more reasonable. 

On particular issues:

Your configure test needs to be much more careful about security. 
Execute it in the build directory, at the very least, and perhaps use
mkstemp():

+    krb5_init_context(&context);
+    if (krb5_kt_resolve(context, "WRFILE:/tmp/whatever", &keytab))
+      exit(0);
+    exit(1);
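
Review bot: "WRFILE:/tmp/whatever" is a fixed name in a world-writable directory, so a stale or pre-existing file of that name (or a link placed there by another local user) makes the test fail spuriously or write somewhere other than a fresh file; create the scratch keytab with mkstemp() under the build directory and pass the resulting name instead. The return value of krb5_init_context() is also discarded, so a failed context initialisation is fed straight into krb5_kt_resolve(). Note too that krb5 routines return 0 on success, so as written the program exits 0 (which autoconf reads as success) only when the resolve fails; confirm that sense is intended.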

(If there are systems with kerberos, but without mkstemp(), you can 
use our utility replacement)

Also, did all these people really write your new kerberos_keytab.c?

--- samba-3.0.5pre1/source/libads/kerberos_keytab.c	2004-05-06 17:14:58.000000000 -0400
+++ samba-3.0.5pre1/source/libads/kerberos_keytab.c	2004-05-31 15:16:31.000000000 -0400
@@ -0,0 +1,115 @@
+/*
+   Unix SMB/CIFS implementation.
+   kerberos keytab utility library
+   Copyright (C) Andrew Tridgell 2001
+   Copyright (C) Remus Koos 2001
+   Copyright (C) Luke Howard 2003
+   Copyright (C) Guenther Deschner 2003
+   Copyright (C) Jim McDonough (jmcd at us.ibm.com) 2003
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
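
Review bot: the notice block from `+   Copyright (C) Andrew Tridgell 2001` through `+   Copyright (C) Jim McDonough (jmcd at us.ibm.com) 2003` attributes a file that this hunk adds whole (`@@ -0,0 +1,115 @@`) to five earlier authors; unless code was actually taken from their files, carry only the real author's notice and year, and where something was copied, say which file it came from in the descriptive comment.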

Please don't do a copy & paste of copyright notices, unless you really copied code.

Is this magic number from somewhere?  How do we know it won't change?
--- samba-3.0.5pre1/source/utils/net_ads.c	2004-04-04 03:37:38.000000000 -0400
+++ samba-3.0.5pre1/source/utils/net_ads.c	2004-05-31 16:43:19.000000000 -0400

+#ifndef MAX_KEYTAB_NAME_LEN
+#define MAX_KEYTAB_NAME_LEN 511
+#endif
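
Review bot: a bare fallback `#define MAX_KEYTAB_NAME_LEN 511` silently supplies a value whenever the library header does not define one, so a mismatch with the library's real limit, or a later change of it, would go unnoticed at compile time; either cite in a comment which header and library this value mirrors, or size the name buffer from the library's own API rather than a local constant.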

Once these are fixed/justified, I'm happy with the patch, subject to testing.

I do however need our release manager (jerry) to indicate his feeling, as
we are pretty 'stable' with 3.0 at the moment. 

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
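
The safer configure test asked for above, as an added example that is not part of this thread or of Samba's own code: the scratch keytab is created with mkstemp() in the build directory rather than at a fixed /tmp path, the krb5 calls are compiled in only under an assumed HAVE_KRB5 macro, and the convention that the test exits 0 when a WRFILE keytab resolves is my assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create an unpredictable, owner-only scratch file in the current (build)
 * directory and write "WRFILE:<path>" into out. The created path is returned
 * in path so the caller can unlink it. Returns 0 on success, -1 on failure. */
int make_private_keytab_name(char *out, size_t out_len, char *path, size_t path_len)
{
    const char template[] = "./conftest_keytab.XXXXXX"; /* six X's for mkstemp */
    int fd;

    if (path_len < sizeof(template))
        return -1;
    memcpy(path, template, sizeof(template));
    fd = mkstemp(path);          /* O_CREAT|O_EXCL, mode 0600: no pre-existing file or link */
    if (fd < 0)
        return -1;
    close(fd);                   /* the keytab resolver reopens it by name */
    if (snprintf(out, out_len, "WRFILE:%s", path) >= (int)out_len) {
        unlink(path);
        return -1;
    }
    return 0;
}

/* Check that the scratch file is a regular file readable/writable by its owner only. */
int is_private_regular_file(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600;
}

#ifdef HAVE_KRB5                 /* assumed macro: only built where krb5 is available */
#include <krb5.h>
int main(void)
{
    krb5_context context;
    krb5_keytab keytab;
    char name[256], path[64];
    int ok = 0;

    if (make_private_keytab_name(name, sizeof(name), path, sizeof(path)) != 0)
        return 1;
    if (krb5_init_context(&context) == 0) {          /* check the return code */
        ok = (krb5_kt_resolve(context, name, &keytab) == 0);
        krb5_free_context(context);
    }
    unlink(path);
    return ok ? 0 : 1;                               /* exit 0 = WRFILE supported */
}
#endif
```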