client-tools crash with heimdal and expired accounts

Love lha at stacken.kth.se
Sat Nov 13 21:11:55 GMT 2004


Guenther Deschner <gd at sernet.de> writes:

> thanks for your quick response again.

Just remember to put interesting stuff (like kerberos, krb or heimdal) in
the subject (or just cc me), otherwise I might fail to see the mail.

> On Fri, Nov 12, 2004 at 02:28:38AM +0100, Love wrote:
>> Why does heimdal fall over ? I created a test program and it doesn't seem to
>> happen (attached).
>
> Yes. That's true for heimdal-0.6.3. It's the way
> krb5_get_init_creds_password() is called from within
> source/libads/kerberos.c in samba3: We pass NULL instead of
> krb5_get_init_creds_opt. But if we would pass 
>
> 	krb5_get_init_creds_opt opt;
> 	krb5_get_init_creds_opt_init(&opt);
>
> we would get a perfect password-change with an empty password with our
> prompter :)

So won't this be the way to go then ?

I've fixed this bug in both the 0.6 branch and head for this problem,
tonight's snapshot should contain the fixes.

> The current behaviour (triggered by "net ads status -U
> expired_account%expired_pass") with heimdal-0.6.3:
>
> -----8<------------------snip--------------8<--------------
> Program received signal SIGSEGV, Segmentation fault.
> krb5_get_init_creds_password (context=0x8295048, creds=0xbfffea10,
> client=0x82949f8, password=0x8292a50 "suse", prompter=0x813e8e0
> <kerb_prompter>, data=0x0,
>     start_time=0, in_tkt_service=0x0, options=0x0) at init_creds_pw.c:296
> 296         if (old_options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST)
> ----->8------------------snap-------------->8--------------
>
>
> BTW: I noticed your test program segfaults with 0.6-snapshots as of
> yesterday after a couple of loops in krb5_get_in_cred:

I can't see how the loop gets entered more than twice ?

BTW, you know that krb5_get_in_cred is deprecated by MIT.

> To get back to my initial proposal: shouldn't we delete the kerb_prompter
> completely from samba, as it is just there apparently to work around an old
> and buggy MIT-release? We rely on working kerberos-libraries on several
> other occasions (for example a fixed heimdal-release to avoid memleaks
> within samba in conjunction with in-memory credential-caches). Or should
> we start having configure.in-checks for library-segfaults now ? ;-)

Just figure out what releases you want to support and add an autoconf test for
that.

>> I talked to Tom Yu at IETF about the api, and it seems it was created
>> sometime in 1997 by Cygnus folk in cooperation with MIT (and maybe Assar,
>> can't remember). The discussion should be in archives somewhere,
>> maybe. The only text I've been able to find is in the heimdal source tree,
>> $heimdalsrc/doc/init-creds. I'll fold that into the man documentation in
>> Heimdal.
>
> thanks! I really appreciate more docs in heimdal.

Heimdal current contains manpages for most (440 of 513 functions), so it
will be an improvement. Most manpages could be better, so if you find
anything unclear, please tell me, and I'll try to fix it.

Love
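
The crash in the backtrace above is an optional options pointer being dereferenced while NULL. The following is an added illustration of that pattern and of the two places it can be guarded (callee and caller); it is not code from Heimdal or Samba and not the fix that was committed. All `demo_` names, the struct layout and the flag value are hypothetical stand-ins.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins; not Heimdal's real types or flag values. */
#define DEMO_OPT_PREAUTH_LIST 0x0040u

struct demo_init_creds_opt {
    unsigned flags;
    const int *preauth_list;
    size_t preauth_list_len;
};

/* Equivalent in spirit to an *_opt_init() call: zero every field. */
void demo_opt_init(struct demo_init_creds_opt *opt)
{
    memset(opt, 0, sizeof(*opt));
}

/* Callee side: "options" is optional, so NULL must mean "defaults".
 * Returns the number of preauth types honoured, or -1 on bad input. */
int demo_get_init_creds(const char *password,
                        const struct demo_init_creds_opt *options)
{
    struct demo_init_creds_opt defaults;

    if (password == NULL)
        return -1;
    if (options == NULL) {          /* guard missing in the crashing path */
        demo_opt_init(&defaults);
        options = &defaults;
    }
    if (options->flags & DEMO_OPT_PREAUTH_LIST) {
        if (options->preauth_list == NULL)
            return -1;              /* flag set but no list supplied */
        return (int)options->preauth_list_len;
    }
    return 0;
}

/* Caller side: always pass an initialised options struct, so the call
 * is safe even against a library build without the callee-side guard. */
int demo_caller_login(const char *password)
{
    struct demo_init_creds_opt opt;

    demo_opt_init(&opt);
    return demo_get_init_creds(password, &opt);
}
```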
