Update: Kerberos Ticket Forwarding Patch/Update [3.2]

Fri Aug 8 19:08:35 GMT 2008

Jeremy,

I just got to this patch, been a long week unfortunately. The updates you provided, although missing krb5_auth_con_set_req_cksumtype are also missing all the GSS API calls needed to make this work.

You removed the function I write which called krb5_fwd_tgt_creds() and made it call directly, but we still have to compose the GSS API and put the ticket within it:

	p = pChksum;

	SIVAL(p, 0, GSSAPI_BNDLENGTH);
	p += 4;

	/* Zero out the bindings fields */
	memset(p, 0x0, GSSAPI_BNDLENGTH );
	p += GSSAPI_BNDLENGTH;

	SIVAL(p, 0, GSS_C_DELEG_FLAG );
	p += 4;
	SSVAL(p, 0, 1 );
	p += 2;
	SSVAL(p, 0, fwdData.length );
	p += 2;

	/* Migrate the kerberos KRB_CRED data to the checksum delegation */
	memcpy(p, fwdData.data, fwdData.length );
	p += fwdData.length;

	/* We need to do this in order to allow our GSS-API  */
	retval = krb5_auth_con_set_req_cksumtype( context, *auth_context, GSSAPI_CHECKSUM );
	if (retval) {
		goto out;
	}

	/* We now have a service ticket, now turn it into an AP-REQ. */
	authenticator->length = ntohs(fwdData.length + GSSAPI_CHECKSUM_SIZE);

	/* Caller should call free() when they're done with this. */
	authenticator->data = (char *)pChksum;

I'm putting that part in so that the client will make the correct connection.

Derrick

-----Original Message-----
From: Jeremy Allison [mailto:jra at samba.org] 
Sent: Friday, August 01, 2008 18:24
To: Derrick Schommer
Cc: Jeremy Allison; samba-technical at lists.samba.org; Love Hörnquist Åstrand
Subject: Re: Update: Kerberos Ticket Forwarding Patch/Update [3.2]

On Fri, Aug 01, 2008 at 05:18:13PM -0400, Derrick Schommer wrote:
> Yeah, give me some time to mess around with it, the data length is exactly the same, so presumably it's wrapping and unwrapping and re-wrapping. I'm looking into it, I'm off on Holiday on Monday but I'll be back on Tuesday. I'm trying to re-learn all the stuff I've forgotten over the years on this. I think I buried it from my mind to defend myself from the insanity :)
> 
> What probably occurred was getting this to work initially was a huge bear trying to understand all the MIT Kerberos inner workings and other memory leaks that existed in the libraries (which I bugged and they fixed). Then, once I got it working I was so happy I stopped exploring further. There is a possibility I may have spun a few extra cycles wrapping and unwrapping without knowing.

Yes, I remember running into the horrors that were MIT krb5 memory leaks
myself :-). No one knows how to use this API correctly :-).

Ok, here is a version that calls krb5_fwd_tgt_creds() directly.
I also removed the krb5_auth_con_set_req_cksumtype() of type
GSSAPI_CHECKSUM, as that's not defined in the
krb5_auth_con_set_req_cksumtype() interface. Do we still need
that, do the libraries use that checksum type by default
or will the receiving code just use whatever checksum
is defined in the packet ?

I'm at LinuxWorld SF Mon-Wed next week, so I'll pick up
what you have again on thurs. (or earlier if I get some
time).

Jeremy.