[PATCH] Improve krb5 KDC tests, kdc behaviour

Andrew Bartlett abartlet at samba.org
Mon Feb 9 01:32:37 MST 2015 

On Mon, 2015-02-09 at 09:11 +0100, Andreas Schneider wrote:
> On Monday 09 February 2015 13:56:34 Andrew Bartlett wrote:
> > On Tue, 2015-02-03 at 13:45 +0100, Andreas Schneider wrote:
> > > We have found the issue. It is in the client code and not in the KDC.
> > > 
> > > See the attached patch.
> > > 
> > >         -- andreas
> > > 
> > > Subject: [PATCH] krb5-wrap: Use the principal returned by the KDC to
> > > create
> > > 
> > >  the ccache
> > > 
> > > We request a TGT in uppercase from the KDC. We turned on
> > > canonicalization for that so the KDC returns the principal in
> > > lowercase
> > > cause of this. As we use the uppercase prinicpal to create the ccache
> > > we
> > > fail to find the tickets we need later because it is stored in the
> > > incorrect case. You have to use the princial returned by the KDC here.
> > 
> > This all seems reasonable, except that I can't see where we set
> > canonicalization on.
> 
> gensec_update -> gensec_gssapi_client_creds -> cli_credentials_get_ccache -> 
> cli_credentials_get_named_ccache -> kinit_to_ccache -> 
> krb5_get_init_creds_opt_set_win2k
> 
> krb5_get_init_creds_opt_set_win2k is a Heimdal call which sets 
> KRB5_INIT_CREDS_NO_C_CANON_CHECK

This appears, as far as I can tell, not to change anything in the
outgoing or incoming packets.  Certainly not the canonicalise flag (I
assert on that specifically).  It is one of the things I test in my
monster krb5.kdc.canon test suite, because I wrongly assumed it did such
things. 

> > Is that only in your patch series?  If not this
> > difference in the MIT vs Heimdal default behaviour may expose other
> > issues in other places, or there may still be more to it.
> 
> No, it is simply wrong if you don't use the principal from the TGT returned by 
> the KDC to initialize the ccache!

I still think that if this 'fixes' things, even if it is right, that it
may indicate another difference that may matter.  In our recent testing
work, we found small, 'irrelevant' errors in almost unrelated test
suites were the only protection we had against whole classes of
errors.  

The krb5.kdc testsuite is an attempt to be much more purposeful and
scientific about that.

Andrew Bartlett

More information about the samba-technical mailing list