Update: Kerberos Ticket Forwarding Patch/Update [3.2]
Derrick Schommer
dschommer at F5.com
Fri Aug 8 19:08:35 GMT 2008
Jeremy,
I just got to this patch; it's been a long week, unfortunately. The updates you provided, besides missing krb5_auth_con_set_req_cksumtype, are also missing all the GSS-API calls needed to make this work.
You removed the function I wrote which called krb5_fwd_tgt_creds() and made it call directly, but we still have to compose the GSS-API checksum and put the ticket within it:
/* Build the GSS-API checksum (type 0x8003) that goes into the AP-REQ
 * authenticator. Layout (all integers little-endian):
 *   Lgth(4) | Bnd(16) | Flags(4) | DlgOpt(2) | Dlgth(2) | Deleg(KRB-CRED) */
p = pChksum;
SIVAL(p, 0, GSSAPI_BNDLENGTH);           /* Lgth: size of the bindings field (16) */
p += 4;
/* Zero out the bindings field (no channel bindings) */
memset(p, 0x0, GSSAPI_BNDLENGTH);
p += GSSAPI_BNDLENGTH;
SIVAL(p, 0, GSS_C_DELEG_FLAG);           /* Flags: request delegation */
p += 4;
SSVAL(p, 0, 1);                          /* DlgOpt: 1 */
p += 2;
SSVAL(p, 0, fwdData.length);             /* Dlgth: length of the KRB-CRED */
p += 2;
/* Migrate the Kerberos KRB-CRED data into the checksum's delegation field */
memcpy(p, fwdData.data, fwdData.length);
p += fwdData.length;
/* Request the GSS-API checksum type so the AP-REQ's authenticator carries
 * this buffer as its checksum instead of a computed one */
retval = krb5_auth_con_set_req_cksumtype(context, *auth_context, GSSAPI_CHECKSUM);
if (retval) {
	goto out;
}
/* We now have a service ticket, now turn it into an AP-REQ.
 * The length is a host-order byte count, so no byte swap (ntohs) belongs here. */
authenticator->length = fwdData.length + GSSAPI_CHECKSUM_SIZE;
/* Caller should call free() when they're done with this. */
authenticator->data = (char *)pChksum;
I'm putting that part in so that the client will make the correct connection.
Derrick
-----Original Message-----
From: Jeremy Allison [mailto:jra at samba.org]
Sent: Friday, August 01, 2008 18:24
To: Derrick Schommer
Cc: Jeremy Allison; samba-technical at lists.samba.org; Love Hörnquist Åstrand
Subject: Re: Update: Kerberos Ticket Forwarding Patch/Update [3.2]
On Fri, Aug 01, 2008 at 05:18:13PM -0400, Derrick Schommer wrote:
> Yeah, give me some time to mess around with it, the data length is exactly the same, so presumably it's wrapping and unwrapping and re-wrapping. I'm looking into it, I'm off on Holiday on Monday but I'll be back on Tuesday. I'm trying to re-learn all the stuff I've forgotten over the years on this. I think I buried it from my mind to defend myself from the insanity :)
>
> What probably occurred was getting this to work initially was a huge bear trying to understand all the MIT Kerberos inner workings and other memory leaks that existed in the libraries (which I bugged and they fixed). Then, once I got it working I was so happy I stopped exploring further. There is a possibility I may have spun a few extra cycles wrapping and unwrapping without knowing.
Yes, I remember running into the horrors that were MIT krb5 memory leaks
myself :-). No one knows how to use this API correctly :-).
Ok, here is a version that calls krb5_fwd_tgt_creds() directly.
I also removed the krb5_auth_con_set_req_cksumtype() of type
GSSAPI_CHECKSUM, as that's not defined in the
krb5_auth_con_set_req_cksumtype() interface. Do we still need
that, do the libraries use that checksum type by default
or will the receiving code just use whatever checksum
is defined in the packet ?
I'm at LinuxWorld SF Mon-Wed next week, so I'll pick up
what you have again on thurs. (or earlier if I get some
time).
Jeremy.
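To make the layout Derrick's snippet fills in concrete, here is an added example (Python, not Samba's code and not part of the thread) that encodes and decodes the GSS-API Kerberos authenticator checksum (type 0x8003, RFC 4121 section 4.1.1) with the delegation fields. It mirrors the C code field by field (Lgth, Bnd, Flags, DlgOpt, Dlgth, Deleg, all little-endian as SIVAL/SSVAL write them) and shows why the total length is 28 bytes plus the KRB-CRED. The constant names follow the snippet; the FAKE_KRB_CRED bytes are constructed for the example and are not a real DER KRB-CRED, which in the real code is whatever krb5_fwd_tgt_creds() returns in fwdData.

```python
import struct

# Constants per RFC 4121 section 4.1.1; names mirror the snippet above.
GSSAPI_CHECKSUM = 0x8003      # checksum type carried in the AP-REQ Authenticator
GSSAPI_BNDLENGTH = 16         # Lgth: size of the Bnd (channel-binding hash) field
GSS_C_DELEG_FLAG = 0x01
GSS_C_MUTUAL_FLAG = 0x02
GSS_C_REPLAY_FLAG = 0x04
GSS_C_SEQUENCE_FLAG = 0x08
GSS_C_CONF_FLAG = 0x10
GSS_C_INTEG_FLAG = 0x20
# Lgth(4) + Bnd(16) + Flags(4) + DlgOpt(2) + Dlgth(2) = 28 bytes of fixed
# overhead when a KRB-CRED is delegated.
GSSAPI_CHECKSUM_SIZE = 4 + GSSAPI_BNDLENGTH + 4 + 2 + 2


def build_gss_checksum(flags, krb_cred=None, bindings=None):
    """Return the checksum value the initiator puts in the Authenticator.

    krb_cred: DER-encoded KRB-CRED (fwdData from krb5_fwd_tgt_creds()); when
    given, GSS_C_DELEG_FLAG is set and it is appended as the Deleg field.
    bindings: 16-byte channel-binding hash, all zeros when none are used.
    """
    bnd = bytes(GSSAPI_BNDLENGTH) if bindings is None else bytes(bindings)
    if len(bnd) != GSSAPI_BNDLENGTH:
        raise ValueError("Bnd must be exactly %d bytes" % GSSAPI_BNDLENGTH)
    if krb_cred is not None:
        flags |= GSS_C_DELEG_FLAG
    elif flags & GSS_C_DELEG_FLAG:
        raise ValueError("GSS_C_DELEG_FLAG set without a KRB-CRED to delegate")
    # Every integer field is little-endian, hence SIVAL/SSVAL in the C code,
    # not the network-order htonl/htons.
    out = struct.pack("<I", GSSAPI_BNDLENGTH) + bnd + struct.pack("<I", flags)
    if krb_cred is not None:
        if len(krb_cred) > 0xFFFF:
            raise ValueError("KRB-CRED does not fit the 16-bit Dlgth field")
        out += struct.pack("<HH", 1, len(krb_cred)) + bytes(krb_cred)  # DlgOpt, Dlgth
    return out


def parse_gss_checksum(data):
    """Decode a checksum value as the acceptor would.

    DlgOpt/Dlgth/Deleg are only read when GSS_C_DELEG_FLAG is set; bytes after
    the last recognised field are returned as extensions. Malformed input
    raises ValueError rather than being silently accepted.
    """
    fixed = 4 + GSSAPI_BNDLENGTH + 4
    if len(data) < fixed:
        raise ValueError("checksum shorter than the fixed %d-byte part" % fixed)
    (lgth,) = struct.unpack_from("<I", data, 0)
    if lgth != GSSAPI_BNDLENGTH:
        raise ValueError("Lgth is %d, expected %d" % (lgth, GSSAPI_BNDLENGTH))
    bnd = bytes(data[4:4 + GSSAPI_BNDLENGTH])
    (flags,) = struct.unpack_from("<I", data, 4 + GSSAPI_BNDLENGTH)
    pos = fixed
    krb_cred = None
    if flags & GSS_C_DELEG_FLAG:
        if len(data) < pos + 4:
            raise ValueError("DELEG flag set but DlgOpt/Dlgth are missing")
        dlgopt, dlgth = struct.unpack_from("<HH", data, pos)
        if dlgopt != 1:
            raise ValueError("unsupported DlgOpt %d" % dlgopt)
        pos += 4
        if len(data) < pos + dlgth:
            raise ValueError("Dlgth %d runs past the end of the checksum" % dlgth)
        krb_cred = bytes(data[pos:pos + dlgth])
        pos += dlgth
    return {"bindings": bnd, "flags": flags, "krb_cred": krb_cred,
            "extensions": bytes(data[pos:])}


def is_malformed(data):
    """True if the acceptor-side parser rejects the checksum value."""
    try:
        parse_gss_checksum(data)
    except ValueError:
        return True
    return False


# Constructed stand-in for fwdData: NOT a real DER KRB-CRED, just 260 bytes
# behind a KRB-CRED-looking [APPLICATION 22] tag so the framing is visible.
FAKE_KRB_CRED = b"\x76\x82\x01\x00" + bytes(range(256))


def demo():
    """Round-trip a delegating checksum; returns (total length, parsed dict)."""
    cs = build_gss_checksum(GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG, FAKE_KRB_CRED)
    return len(cs), parse_gss_checksum(cs)


if __name__ == "__main__":
    total, parsed = demo()
    print("type 0x%04x, %d bytes, flags 0x%02x, KRB-CRED %d bytes"
          % (GSSAPI_CHECKSUM, total, parsed["flags"], len(parsed["krb_cred"])))
```

The parser deliberately reads the delegation fields only when the DELEG flag is set, which is what RFC 4121 specifies; an acceptor that does otherwise would interpret an extension as a credential. The truncation checks are the ones a receiver needs, since Dlgth is attacker-controlled on the wire.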
More information about the samba-technical mailing list