[PATCH] Improve krb5 KDC tests, kdc behaviour
Andrew Bartlett
abartlet at samba.org
Mon Feb 9 01:52:56 MST 2015
On Mon, 2015-02-09 at 09:41 +0100, Andreas Schneider wrote:
> On Monday 09 February 2015 21:32:37 Andrew Bartlett wrote:
> > On Mon, 2015-02-09 at 09:11 +0100, Andreas Schneider wrote:
> > > On Monday 09 February 2015 13:56:34 Andrew Bartlett wrote:
> > > > On Tue, 2015-02-03 at 13:45 +0100, Andreas Schneider wrote:
> > > > > We have found the issue. It is in the client code and not in the KDC.
> > > > >
> > > > > See the attached patch.
> > > > >
> > > > > -- andreas
> > > > >
> > > > > Subject: [PATCH] krb5-wrap: Use the principal returned by the KDC to
> > > > > create the ccache
> > > > >
> > > > > We request a TGT in uppercase from the KDC. We turned on
> > > > > canonicalization for that so the KDC returns the principal in
> > > > > lowercase because of this. As we use the uppercase principal to create
> > > > > the ccache we fail to find the tickets we need later because it is
> > > > > stored in the incorrect case. You have to use the principal returned
> > > > > by the KDC here.
> > > >
> > > > This all seems reasonable, except that I can't see where we set
> > > > canonicalization on.
> > >
> > > gensec_update -> gensec_gssapi_client_creds -> cli_credentials_get_ccache
> > > -> cli_credentials_get_named_ccache -> kinit_to_ccache ->
> > > krb5_get_init_creds_opt_set_win2k
> > >
> > > krb5_get_init_creds_opt_set_win2k is a Heimdal call which sets
> > > KRB5_INIT_CREDS_NO_C_CANON_CHECK
> >
> > This appears, as far as I can tell, not to change anything in the
> > outgoing or incoming packets. Certainly not the canonicalise flag (I
> > assert on that specifically). It is one of the things I test in my
> > monster krb5.kdc.canon test suite, because I wrongly assumed it did such
> > things.
>
> Sounds like a bug in Heimdal then.
>
> With MIT KRB5 we call krb5_get_init_creds_opt_set_canonicalize() which sets
> the canonicalize flag. After that we acquire a TGT and the KDC returns a
> canonicalized principal. This principal needs to be used to initialize the
> ccache so later kerberos calls are able to find the ticket in the cache.
That is a different setting entirely to set_win2k(). I also test for
set_canonicalize and this indeed does set the canonicalize flag in the
AS-REQ.
> > > > Is that only in your patch series? If not this
> > > > difference in the MIT vs Heimdal default behaviour may expose other
> > > > issues in other places, or there may still be more to it.
> > >
> > > No, it is simply wrong if you don't use the principal from the TGT
> > > returned by the KDC to initialize the ccache!
> >
> > I still think that if this 'fixes' things, even if it is right, that it
> > may indicate another difference that may matter. In our recent testing
> > work, we found small, 'irrelevant' errors in almost unrelated test
> > suites were the only protection we had against whole classes of
> > errors.
>
> Samba has added something pretty ugly in order to do canonicalization in
> Heimdal.
>
> See source4/heimdal/lib/krb5/ticket.c line 690
>
>
> /*
> * HACK:
> * this is really a ugly hack, to support using the Netbios Domain Name
> * as realm against windows KDC's, they always return the full realm
> * based on the DNS Name.
> */
> flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
> flags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
>
>
> I wouldn't be surprised if this hides some bugs in Heimdal ...
This doesn't set canonicalisation; what it does do is allow the KDC to
perform it, as Windows KDCs will indeed change the realm component, no
matter if canonicalize was set in the AS-REQ or not.
Andrew Bartlett
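As an added illustration (not Samba, Heimdal or MIT code, and using made-up account and realm names), the following Python model shows the two behaviours the thread distinguishes: the ccache lookup failure that occurs when the requested rather than the KDC-returned principal is used to initialise the ccache, and the realm rewrite by a Windows-style KDC that Heimdal's EXTRACT_TICKET_ALLOW_CNAME_MISMATCH hack tolerates. The KDC, ccache and lookup logic are simplified stand-ins for the real library calls named in the comments.

```python
"""Constructed model of the AS-REQ/AS-REP canonicalisation behaviour discussed
in the thread.  Not Samba, Heimdal or MIT code: the KDC, ccache and lookup are
simplified stand-ins, and the account/realm names are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Principal:
    name: str   # name component, e.g. "administrator"
    realm: str  # e.g. "SAMDOM.EXAMPLE.COM"
    # dataclass equality is exact (case-sensitive), like krb5_principal_compare()


@dataclass
class Credential:
    client: Principal  # cname/crealm as returned in the AS-REP
    server: Principal  # krbtgt/REALM@REALM
    ticket: bytes


@dataclass
class CCache:
    """krb5_cc_initialize() fixes the ccache's principal; later lookups use it."""
    default_principal: Principal
    creds: List[Credential] = field(default_factory=list)


class ToyKDC:
    """windows_style=True models what the thread says about Windows KDCs: the
    realm is rewritten to its DNS form whether or not canonicalize was set."""

    def __init__(self, dns_realm: str, realm_aliases: List[str],
                 accounts: List[str], windows_style: bool):
        self.dns_realm = dns_realm
        self.known_realms = {dns_realm, *realm_aliases}   # DNS realm plus NetBIOS alias
        self.accounts: Dict[str, str] = {a.lower(): a for a in accounts}  # stored canonical names
        self.windows_style = windows_style

    def as_exchange(self, requested: Principal, canonicalize: bool) -> Credential:
        if requested.realm not in self.known_realms:
            raise LookupError("KDC_ERR_WRONG_REALM")
        stored = self.accounts.get(requested.name.lower())
        if stored is None:
            raise LookupError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        # With the canonicalize flag set, cname comes back as stored (lower-case here).
        name = stored if canonicalize else requested.name
        # A Windows-style KDC always answers with the DNS realm; others only when asked.
        realm = self.dns_realm if (canonicalize or self.windows_style) else requested.realm
        client = Principal(name, realm)
        tgs = Principal(f"krbtgt/{self.dns_realm}", self.dns_realm)
        return Credential(client, tgs, f"ticket-for-{client.name}".encode())


def kinit_to_ccache(kdc: ToyKDC, requested: Principal, canonicalize: bool,
                    use_returned_principal: bool) -> CCache:
    """use_returned_principal=False is the bug the patch fixes: the ccache is
    initialised with the name we asked for, not the one the KDC returned."""
    cred = kdc.as_exchange(requested, canonicalize)
    cc = CCache(cred.client if use_returned_principal else requested)
    cc.creds.append(cred)
    return cc


def get_tgt(cc: CCache) -> Optional[Credential]:
    """Later callers take the ccache's principal (krb5_cc_get_principal) and
    search for a krbtgt credential with that exact client (krb5_cc_retrieve_cred)."""
    for c in cc.creds:
        if c.client == cc.default_principal and c.server.name.startswith("krbtgt/"):
            return c
    return None


def extract_ticket(requested: Principal, cred: Credential,
                   allow_cname_mismatch: bool) -> bool:
    """Model of Heimdal's extract-ticket check: an AS-REP whose cname differs
    from the request is rejected unless EXTRACT_TICKET_ALLOW_CNAME_MISMATCH is set."""
    return cred.client == requested or allow_cname_mismatch


def case_mismatch_demo():
    """Upper-case request + canonicalize: only the fixed client finds its TGT."""
    kdc = ToyKDC("SAMDOM.EXAMPLE.COM", ["SAMDOM"], ["administrator"], windows_style=False)
    requested = Principal("ADMINISTRATOR", "SAMDOM.EXAMPLE.COM")
    buggy = kinit_to_ccache(kdc, requested, canonicalize=True, use_returned_principal=False)
    fixed = kinit_to_ccache(kdc, requested, canonicalize=True, use_returned_principal=True)
    return get_tgt(buggy) is None, get_tgt(fixed) is not None


def netbios_realm_demo():
    """NetBIOS realm against a Windows-style KDC, canonicalize NOT set: the realm
    still comes back rewritten, so only the relaxed check accepts the ticket."""
    kdc = ToyKDC("SAMDOM.EXAMPLE.COM", ["SAMDOM"], ["administrator"], windows_style=True)
    requested = Principal("administrator", "SAMDOM")
    cred = kdc.as_exchange(requested, canonicalize=False)
    strict = extract_ticket(requested, cred, allow_cname_mismatch=False)
    relaxed = extract_ticket(requested, cred, allow_cname_mismatch=True)
    return cred.client.realm, strict, relaxed


if __name__ == "__main__":
    print(case_mismatch_demo())   # (True, True)
    print(netbios_realm_demo())   # ('SAMDOM.EXAMPLE.COM', False, True)
```

The two demo functions keep the two questions in the thread apart: the first changes only which principal initialises the ccache and shows the lookup fail or succeed, while the second sets no canonicalize flag at all and still sees the realm rewritten, which is why the client-side mismatch tolerance and the AS-REQ flag are separate settings.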