[PATCH] Improve krb5 KDC tests, kdc behaviour
Andreas Schneider
asn at cryptomilk.org
Mon Feb 9 01:11:13 MST 2015
On Monday 09 February 2015 13:56:34 Andrew Bartlett wrote:
> On Tue, 2015-02-03 at 13:45 +0100, Andreas Schneider wrote:
> > We have found the issue. It is in the client code and not in the KDC.
> >
> > See the attached patch.
> >
> > -- andreas
> >
> > Subject: [PATCH] krb5-wrap: Use the principal returned by the KDC to
> > create the ccache
> >
> > We request a TGT in uppercase from the KDC. We turned on
> > canonicalization for that so the KDC returns the principal in
> > lowercase because of this. As we use the uppercase principal to create
> > the ccache we fail to find the tickets we need later because it is
> > stored in the incorrect case. You have to use the principal returned by
> > the KDC here.
>
> This all seems reasonable, except that I can't see where we set
> canonicalization on.

gensec_update -> gensec_gssapi_client_creds -> cli_credentials_get_ccache ->
cli_credentials_get_named_ccache -> kinit_to_ccache ->
krb5_get_init_creds_opt_set_win2k

krb5_get_init_creds_opt_set_win2k is a Heimdal call which sets
KRB5_INIT_CREDS_NO_C_CANON_CHECK

> Is that only in your patch series? If not this
> difference in the MIT vs Heimdal default behaviour may expose other
> issues in other places, or there may still be more to it.

No, it is simply wrong if you don't use the principal from the TGT returned by
the KDC to initialize the ccache!

-- andreas
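The failure the commit message describes, as an added model in Python (not Samba's, Heimdal's or MIT's code): a credential cache initialised with the requested uppercase principal does not match the lowercase principal a canonicalising KDC puts in the TGT, so the later TGT lookup misses, while initialising the ccache from the principal in the returned TGT succeeds. The ccache, the KDC behaviour and the principal names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of a Kerberos principal; comparison is exact and
# case-sensitive, as it is for real principal names.
@dataclass(frozen=True)
class Principal:
    name: str
    realm: str

@dataclass
class Creds:
    client: Principal   # principal the KDC issued the ticket to
    server: Principal   # service principal, krbtgt/REALM for a TGT

@dataclass
class CCache:
    principal: Optional[Principal] = None
    creds: List[Creds] = field(default_factory=list)

    def initialize(self, principal: Principal) -> None:
        self.principal = principal
        self.creds = []

    def store(self, c: Creds) -> None:
        self.creds.append(c)

    def retrieve(self, client: Principal, server: Principal) -> Optional[Creds]:
        for c in self.creds:
            if c.client == client and c.server == server:
                return c
        return None

def kdc_as_req(requested: Principal, canonicalize: bool) -> Creds:
    # Constructed KDC: with canonicalization on it answers with the name as
    # stored in its database (lowercase here), otherwise as requested.
    client = Principal(requested.name.lower(), requested.realm) if canonicalize else requested
    return Creds(client, Principal("krbtgt/" + requested.realm, requested.realm))

def kinit_to_ccache(requested: Principal, canonicalize: bool, use_kdc_principal: bool) -> CCache:
    tgt = kdc_as_req(requested, canonicalize)
    cc = CCache()
    # Buggy variant: initialise with the requested principal.
    # Fixed variant: initialise with the principal from the returned TGT.
    cc.initialize(tgt.client if use_kdc_principal else requested)
    cc.store(tgt)
    return cc

def tgt_found(cc: CCache) -> bool:
    # Later lookup, as the GSSAPI client does: the TGT for the ccache's own principal.
    krbtgt = Principal("krbtgt/" + cc.principal.realm, cc.principal.realm)
    return cc.retrieve(cc.principal, krbtgt) is not None
```

With canonicalization on and the requested principal used for the ccache, `tgt_found` returns False; using the TGT's principal (or turning canonicalization off) makes it True.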