[PATCH] Improve krb5 KDC tests, kdc behaviour

Tue Feb 3 05:45:46 MST 2015

On Saturday 31 January 2015 09:08:15 Andrew Bartlett wrote:
> On Sat, 2015-01-31 at 08:58 +1300, Andrew Bartlett wrote:
> > On Fri, 2015-01-30 at 20:52 +0100, Andreas Schneider wrote:
> > > On Saturday 31 January 2015 08:41:12 Andrew Bartlett wrote:
> > > > On Fri, 2015-01-30 at 20:33 +0100, Andreas Schneider wrote:
> > > > > On Saturday 31 January 2015 07:54:33 Andrew Bartlett wrote:
> > > > > > On Fri, 2015-01-30 at 17:45 +0100, Andreas Schneider wrote:
> > > > > > > On Friday 30 January 2015 17:44:12 Andrew Bartlett wrote:
> > > > > > > > Metze,
> > > > > > > > 
> > > > > > > > Attached is some improvements to our KDC test script, and a
> > > > > > > > fix for
> > > > > > > > our
> > > > > > > > KDC.
> > > > > > > 
> > > > > > > Andrew,
> > > > > > > 
> > > > > > > Please change
> > > > > > > 
> > > > > > > -	if (principal->name.name_string.len >= 2) {
> > > > > > > +	if (principal->name.name_type == KRB5_NT_PRINCIPAL
> > > > > > > +	    && principal->name.name_string.len >= 2) {
> > > > > > > 
> > > > > > > to
> > > > > > > 
> > > > > > > if (smb_krb5_principal_get_type(context, principal) ==
> > > > > > > KRB5_NT_PRINCIPAL
> > > > > > > 
> > > > > > >     && krb5_princ_size(context, principal) >= 2) {
> > > > > > 
> > > > > > Thanks,
> > > > > > 
> > > > > > I'll do that on Monday.  I do realise this patch set is both a
> > > > > > blessing
> > > > > > 
> > > > > > and a curse (to use an expression) for your efforts, because:
> > > > > >  - it is the first time we have had a serious test suite for KDC
> > > > > > 
> > > > > > behaviour,
> > > > > > 
> > > > > >  - it imposes some quite strict behaviour expectations on both the
> > > > > >  krb5
> > > > > > 
> > > > > > libs and the KDC and
> > > > > > 
> > > > > >  - but it uses Heimdal-specific code (like the ASN.1 parser) and
> > > > > > 
> > > > > > functions that could be implemented in MIT (but are not) like the
> > > > > > send_to_kdc hooks to get there.
> > > > > > 
> > > > > > Asking to use the helper functions where available is quite
> > > > > > reasonable,
> > > > > > and I'll do that.
> > > > > 
> > > > > It makes it easier to rebase out MIT patchset which has quite some
> > > > > patchs
> > > > > 
> > > > > asn at magrathea:~/workspace/projects/samba/git> git w
> > > > > ## master-mit-kdc...origin/master [ahead 116]
> > > > 
> > > > Indeed!
> > > > 
> > > > > > All that said, it has been a very worthwhile effort, because we
> > > > > > have
> > > > > > found some very interesting and subtle bugs along the way.
> > > > > > 
> > > > > > My updated krb5-upn2 branch shows how we can test the canonicalize
> > > > > > flag
> > > > > > for the TGS-REQ, shows that we need to fix our tests in that area,
> > > > > > and
> > > > > > points to a direction for testing S4U2Self and S4U2Proxy
> > > > > > behaviour,
> > > > > > which I think will become an even more important area in the
> > > > > > future.
> > > > > 
> > > > > We probably need the same for MIT Kerberos but currently we still
> > > > > don't
> > > > > understand some things.
> > > > > 
> > > > > The current bug I'm trying to hunt down is that Kerberos auth works
> > > > > just
> > > > > fine as a user, but not with the machine account ...
> > > > > 
> > > > > kinit works but then gss_init_sec_context() in
> > > > > gensec_gssapi_update()
> > > > > fails
> > > > > with:
> > > > > 
> > > > > Matching credential not found
> > > > 
> > > > You will see I had exactly that error in my tests - in Heimdal, the
> > > > krb5_mk_req_exact() code handles having the wrong case/name of the
> > > > target realm, but krb5_get_creds() does not in these combinations:
> > > > 
> > > > test_data->canonicalize == false && test_data->enterprise == false
> > > > && (test_data->upper_realm == false || test_data->netbios_realm ==
> > > > true)
> > > > 
> > > > Perhaps you have some issues in the server-side canonicalisation code
> > > > in
> > > > your KDC, that is different between machine and user accounts?
> > > > 
> > > > My guess is that it is looking for a TGT with the realm, but it is
> > > > stored in another case.
> > > 
> > > This is what I have guessed, but gd didn't believe it is the issue. The
> > > TGT is requested for LOCALADMEMBER$@SAMBA.EXAMPLE.COM and we get a TGT
> > > for localadmember$@SAMBA.EXAMPLE.COM ...
> > > 
> > > https://www.cloudshark.org/captures/fa35bc16bbb0
> > > 
> > > frame 1375 is the request in UPPER case
> > > frame 1380 is the response in LOWER case
> > 
> > If you run these tests (from a Heimdal build, against your MIT build) I
> > think it will flush out these issues pretty fast.  This is exactly the
> > stuff I've got it checking.  From what I see, the principal type isn't
> > filled in, and it looks like correct behaviour when canonicalize is set.
> > It might be that the client libs don't really expect canonicalise, and
> > the difference between your user and machine is if the account is in
> > upper or lower case in AD.
> 
> Start with the tests that are already in master, then the ones attached
> in this thread, then finally the tests in my krb5-upn2 branch, which
> contains these and some more that pass Windows 2012R2, but not
> Samba/Heimdal yet.  Between them all, a seriously good amount of our
> required KDC behaviour is now asserted, which is really great!

We have found the issue. It is in the client code and not in the KDC.

See the attached patch.

	-- andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-krb5-wrap-Use-the-principal-returned-by-the-KDC-to-c.patch
Type: text/x-patch
Size: 1360 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150203/54c0af65/attachment.bin>