[PATCH] Improve krb5 KDC tests, kdc behaviour

Andreas Schneider asn at cryptomilk.org
Mon Feb 9 01:41:19 MST 2015


On Monday 09 February 2015 21:32:37 Andrew Bartlett wrote:
> On Mon, 2015-02-09 at 09:11 +0100, Andreas Schneider wrote:
> > On Monday 09 February 2015 13:56:34 Andrew Bartlett wrote:
> > > On Tue, 2015-02-03 at 13:45 +0100, Andreas Schneider wrote:
> > > > We have found the issue. It is in the client code and not in the KDC.
> > > > 
> > > > See the attached patch.
> > > > 
> > > >         -- andreas
> > > > 
> > > > Subject: [PATCH] krb5-wrap: Use the principal returned by the KDC to create the ccache
> > > > 
> > > > We request a TGT in uppercase from the KDC. We turned on
> > > > canonicalization for that so the KDC returns the principal in
> > > > lowercase because of this. As we use the uppercase principal to
> > > > create the ccache we fail to find the tickets we need later because
> > > > it is stored in the incorrect case. You have to use the principal
> > > > returned by the KDC here.
> > > 
> > > This all seems reasonable, except that I can't see where we set
> > > canonicalization on.
> > 
> > gensec_update -> gensec_gssapi_client_creds -> cli_credentials_get_ccache
> > -> cli_credentials_get_named_ccache -> kinit_to_ccache ->
> > krb5_get_init_creds_opt_set_win2k
> > 
> > krb5_get_init_creds_opt_set_win2k is a Heimdal call which sets
> > KRB5_INIT_CREDS_NO_C_CANON_CHECK
> 
> This appears, as far as I can tell, not to change anything in the
> outgoing or incoming packets.  Certainly not the canonicalise flag (I
> assert on that specifically).  It is one of the things I test in my
> monster krb5.kdc.canon test suite, because I wrongly assumed it did such
> things.

Sounds like a bug in Heimdal then.

With MIT KRB5 we call krb5_get_init_creds_opt_set_canonicalize() which sets
the canonicalize flag. After that we acquire a TGT and the KDC returns a
canonicalized principal. This principal needs to be used to initialize the
ccache so later Kerberos calls are able to find the ticket in the cache.

> > > Is that only in your patch series?  If not this
> > > difference in the MIT vs Heimdal default behaviour may expose other
> > > issues in other places, or there may still be more to it.
> > 
> > No, it is simply wrong if you don't use the principal from the TGT
> > returned by the KDC to initialize the ccache!
> 
> I still think that if this 'fixes' things, even if it is right, that it
> may indicate another difference that may matter.  In our recent testing
> work, we found small, 'irrelevant' errors in almost unrelated test
> suites were the only protection we had against whole classes of
> errors.

Samba has added something pretty ugly in order to do canonicalization in
Heimdal.

See source4/heimdal/lib/krb5/ticket.c line 690


    /*
     * HACK:
     * this is really a ugly hack, to support using the Netbios Domain Name
     * as realm against windows KDC's, they always return the full realm
     * based on the DNS Name.
     */
    flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
    flags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;


I wouldn't be surprised if this hides some bugs in Heimdal ...


	-- andreas
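As an added illustration, not code from this thread or from Samba, Heimdal or MIT krb5: a small Python model of the failure the krb5-wrap patch fixes. The client asks for an uppercase name with canonicalization on, the KDC answers with the canonical lowercase name, and a ccache initialised with the requested name no longer matches the stored TGT because principal comparison is exact. The account directory, realm and names are constructed for the example.

```python
"""Model of a client ccache initialised with the wrong principal case."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Principal:
    name: str
    realm: str


@dataclass
class Ticket:
    client: Principal   # cname as returned by the KDC
    server: Principal   # krbtgt/REALM@REALM for a TGT


@dataclass
class CCache:
    default_principal: Optional[Principal] = None
    creds: List[Ticket] = field(default_factory=list)


# Constructed KDC directory: canonical spelling of each account (key is lowercase).
KDC_ACCOUNTS = {"administrator": "administrator"}


def kdc_as_req(requested: Principal, canonicalize: bool) -> Ticket:
    """Issue a TGT. With canonicalization on, the KDC returns the canonical
    (here lowercase) client name; otherwise it echoes the requested name."""
    stored = KDC_ACCOUNTS.get(requested.name.lower())
    if stored is None:
        raise LookupError("client principal unknown")
    cname = Principal(stored, requested.realm) if canonicalize else requested
    return Ticket(cname, Principal("krbtgt/" + requested.realm, requested.realm))


def cc_retrieve_cred(cc: CCache, client: Principal, server: Principal):
    """Exact match, like krb5_principal_compare(): case matters."""
    for t in cc.creds:
        if t.client == client and t.server == server:
            return t
    return None


def kinit_to_ccache(requested: Principal, use_kdc_principal: bool) -> CCache:
    """Buggy path initialises the ccache with the *requested* name;
    fixed path uses the client name carried in the returned TGT."""
    tgt = kdc_as_req(requested, canonicalize=True)
    cc = CCache(default_principal=tgt.client if use_kdc_principal else requested)
    cc.creds.append(tgt)
    return cc


def tgt_found_later(cc: CCache) -> bool:
    """Later callers look the TGT up by the ccache's default principal."""
    me = cc.default_principal
    return cc_retrieve_cred(cc, me, Principal("krbtgt/" + me.realm, me.realm)) is not None
```

With `use_kdc_principal=False` the lookup fails even though the TGT is in the cache; with `True` it succeeds.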
