[PATCH] Improve krb5 KDC tests, kdc behaviour

Andrew Bartlett abartlet at samba.org
Sun Feb 8 17:56:34 MST 2015


On Tue, 2015-02-03 at 13:45 +0100, Andreas Schneider wrote:
> 
> We have found the issue. It is in the client code and not in the KDC.
> 
> See the attached patch.
> 
> 
>         -- andreas

> Subject: [PATCH] krb5-wrap: Use the principal returned by the KDC to
> create
>  the ccache
> 
> We request a TGT in uppercase from the KDC. We turned on
> canonicalization for that so the KDC returns the principal in
> lowercase
> cause of this. As we use the uppercase prinicpal to create the ccache
> we
> fail to find the tickets we need later because it is stored in the
> incorrect case. You have to use the princial returned by the KDC here.

This all seems reasonable, except that I can't see where we set
canonicalization on.  Is that only in your patch series?  If not this
difference in the MIT vs Heimdal default behaviour may expose other
issues in other places, or there may still be more to it. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba






More information about the samba-technical mailing list