[PATCH] Improve krb5 KDC tests, kdc behaviour
asn at cryptomilk.org
Mon Feb 9 01:41:19 MST 2015
On Monday 09 February 2015 21:32:37 Andrew Bartlett wrote:
> On Mon, 2015-02-09 at 09:11 +0100, Andreas Schneider wrote:
> > On Monday 09 February 2015 13:56:34 Andrew Bartlett wrote:
> > > On Tue, 2015-02-03 at 13:45 +0100, Andreas Schneider wrote:
> > > > We have found the issue. It is in the client code and not in the KDC.
> > > >
> > > > See the attached patch.
> > > >
> > > > -- andreas
> > > >
> > > > Subject: [PATCH] krb5-wrap: Use the principal returned by the KDC to
> > > > create the ccache
> > > >
> > > > We request a TGT in uppercase from the KDC. We turned on
> > > > canonicalization for that so the KDC returns the principal in
> > > > lowercase because of this. As we use the uppercase principal to create
> > > > the ccache we fail to find the tickets we need later because it is
> > > > stored in the incorrect case. You have to use the principal returned
> > > > by the KDC here.
> > >
> > > This all seems reasonable, except that I can't see where we set
> > > canonicalization on.
> > gensec_update -> gensec_gssapi_client_creds -> cli_credentials_get_ccache
> > -> cli_credentials_get_named_ccache -> kinit_to_ccache ->
> > krb5_get_init_creds_opt_set_win2k
> >
> > krb5_get_init_creds_opt_set_win2k is a Heimdal call which sets
> > KRB5_INIT_CREDS_NO_C_CANON_CHECK
> This appears, as far as I can tell, not to change anything in the
> outgoing or incoming packets. Certainly not the canonicalise flag (I
> assert on that specifically). It is one of the things I test in my
> monster krb5.kdc.canon test suite, because I wrongly assumed it did such
Sounds like a bug in Heimdal then.
With MIT KRB5 we call krb5_get_init_creds_opt_set_canonicalize() which sets
the canonicalize flag. After that we acquire a TGT and the KDC returns a
canonicalized principal. This principal needs to be used to initialize the
ccache so later kerberos calls are able to find the ticket in the cache.
> > > Is that only in your patch series? If not this
> > > difference in the MIT vs Heimdal default behaviour may expose other
> > > issues in other places, or there may still be more to it.
> > No, it is simply wrong if you don't use the principal from the TGT
> > returned by the KDC to initialize the ccache!
> I still think that if this 'fixes' things, even if it is right, that it
> may indicate another difference that may matter. In our recent testing
> work, we found small, 'irrelevant' errors in almost unrelated test
> suites were the only protection we had against whole classes of
Samba has added something pretty ugly in order to do canonicalization in

See source4/heimdal/lib/krb5/ticket.c line 690

    /*
     * this is really a ugly hack, to support using the Netbios Domain Name
     * as realm against windows KDC's, they always return the full realm
     * based on the DNS Name.
     */
    flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
    flags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
I wouldn't be surprised if this hides some bugs in Heimdal ...
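The failure mode described in the patch, as an added model that is not part of the thread and does not use libkrb5: a constructed KDC that canonicalizes the client name when the canonicalize flag is set, and a constructed credential cache whose lookups require the credential's client to equal the cache's default principal. Realm, account name and the kinit_to_ccache/tgt_found helpers are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed realm and account database; stands in for a real KDC.
REALM = "SAMBA.EXAMPLE.COM"
KDC_ACCOUNTS = {"administrator": "administrator"}  # stored (canonical) case


@dataclass(frozen=True)
class Principal:
    name: str   # compared case-sensitively, as libkrb5 does
    realm: str


@dataclass(frozen=True)
class Creds:
    client: Principal
    server: Principal


def kdc_as_req(requested: Principal, canonicalize: bool) -> Creds:
    # With canonicalization the TGT names the client in the KDC's own case;
    # without it the KDC echoes the requested name back unchanged.
    stored = KDC_ACCOUNTS[requested.name.lower()]
    client = Principal(stored, REALM) if canonicalize else requested
    return Creds(client, Principal("krbtgt/" + REALM, REALM))


class Ccache:
    def __init__(self, default_principal: Principal):
        self.principal = default_principal
        self.creds: List[Creds] = []

    def store(self, cred: Creds) -> None:
        self.creds.append(cred)

    def retrieve(self, server: Principal) -> Optional[Creds]:
        # Lookups match client == cache principal, so a case mismatch misses.
        for c in self.creds:
            if c.client == self.principal and c.server == server:
                return c
        return None


def kinit_to_ccache(requested: Principal, canonicalize: bool,
                    use_returned_principal: bool) -> Ccache:
    creds = kdc_as_req(requested, canonicalize)
    # Bug: initialize the cache with the name we asked for.
    # Fix: initialize it with the client name the KDC returned (creds.client).
    cc = Ccache(creds.client if use_returned_principal else requested)
    cc.store(creds)
    return cc


def tgt_found(cc: Ccache) -> bool:
    return cc.retrieve(Principal("krbtgt/" + REALM, REALM)) is not None
```

With the canonicalize flag off the buggy path still finds its TGT, which is consistent with the thread's observation that the Heimdal build (where the flag is not actually set) did not show the failure.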