[PATCH] Improve krb5 KDC tests, kdc behaviour
Andrew Bartlett
abartlet at samba.org
Fri Jan 30 12:41:12 MST 2015
On Fri, 2015-01-30 at 20:33 +0100, Andreas Schneider wrote:
> On Saturday 31 January 2015 07:54:33 Andrew Bartlett wrote:
> > On Fri, 2015-01-30 at 17:45 +0100, Andreas Schneider wrote:
> > > On Friday 30 January 2015 17:44:12 Andrew Bartlett wrote:
> > > > Metze,
> > > >
> > > > Attached is some improvements to our KDC test script, and a fix for our
> > > > KDC.
> > >
> > > Andrew,
> > >
> > > Please change
> > >
> > > - if (principal->name.name_string.len >= 2) {
> > > + if (principal->name.name_type == KRB5_NT_PRINCIPAL
> > > + && principal->name.name_string.len >= 2) {
> > >
> > > to
> > >
> > > if (smb_krb5_principal_get_type(context, principal) == KRB5_NT_PRINCIPAL
> > > && krb5_princ_size(context, principal) >= 2) {
> >
> > Thanks,
> >
> > I'll do that on Monday. I do realise this patch set is both a blessing
> > and a curse (to use an expression) for your efforts, because:
> > - it is the first time we have had a serious test suite for KDC
> > behaviour,
> > - it imposes some quite strict behaviour expectations on both the krb5
> > libs and the KDC and
> > - but it uses Heimdal-specific code (like the ASN.1 parser) and
> > functions that could be implemented in MIT (but are not) like the
> > send_to_kdc hooks to get there.
> >
> > Asking to use the helper functions where available is quite reasonable,
> > and I'll do that.
>
> It makes it easier to rebase our MIT patchset which has quite some patches
>
> asn at magrathea:~/workspace/projects/samba/git> git w
> ## master-mit-kdc...origin/master [ahead 116]
Indeed!
> > All that said, it has been a very worthwhile effort, because we have
> > found some very interesting and subtle bugs along the way.
> >
> > My updated krb5-upn2 branch shows how we can test the canonicalize flag
> > for the TGS-REQ, shows that we need to fix our tests in that area, and
> > points to a direction for testing S4U2Self and S4U2Proxy behaviour,
> > which I think will become an even more important area in the future.
>
> We probably need the same for MIT Kerberos but currently we still don't
> understand some things.
>
> The current bug I'm trying to hunt down is that Kerberos auth works just fine
> as a user, but not with the machine account ...
>
> kinit works but then gss_init_sec_context() in gensec_gssapi_update() fails
> with:
>
> Matching credential not found
You will see I had exactly that error in my tests - in Heimdal, the
krb5_mk_req_exact() code handles having the wrong case/name of the
target realm, but krb5_get_creds() does not in these combinations:
test_data->canonicalize == false && test_data->enterprise == false
&& (test_data->upper_realm == false || test_data->netbios_realm == true)
Perhaps you have some issues in the server-side canonicalisation code in
your KDC, that is different between machine and user accounts?
My guess is that it is looking for a TGT with the realm, but it is
stored in another case.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
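The guess at the end of the reply (a TGT looked up by realm but stored under another case, with the NetBIOS realm being a further variant that case folding cannot repair) can be illustrated with a small model of a credential-cache lookup. This is an added example, not code from the thread, from Heimdal or from Samba: the realm names, the cache contents, the NetBIOS-to-DNS alias map and the `find_*` strategies are all constructed here to show which naming of the realm each lookup strategy tolerates.

```python
# Added illustration (not Heimdal or Samba code): a toy credential-cache lookup
# showing why a request can end in "Matching credential not found" when the
# requested realm differs from the realm stored on the cached TGT.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]  # e.g. ("krbtgt", "SAMBA.EXAMPLE.COM")
    realm: str


@dataclass(frozen=True)
class Credential:
    client: Principal
    server: Principal
    ticket: bytes  # opaque in this model


# Constructed values: the KDC issued the TGT with the realm in canonical form.
DNS_REALM = "SAMBA.EXAMPLE.COM"
NETBIOS_REALM = "SAMBA"  # constructed short (NetBIOS) name of the same domain
# Assumption: the alias map a client only learns from the KDC (referral when
# canonicalization is requested); it cannot be derived by case folding.
REALM_ALIASES: Dict[str, str] = {NETBIOS_REALM: DNS_REALM}


def make_cache() -> List[Credential]:
    """One cached TGT for a machine account, as kinit would leave it (constructed)."""
    machine = Principal(("host", "dc1.samba.example.com"), DNS_REALM)
    tgt_service = Principal(("krbtgt", DNS_REALM), DNS_REALM)
    return [Credential(machine, tgt_service, b"opaque-tgt-bytes")]


def krbtgt_for(realm: str) -> Principal:
    """Server principal a client asks for when it wants the TGT of `realm`."""
    return Principal(("krbtgt", realm), realm)


def find_exact(cache: List[Credential], server: Principal) -> Optional[Credential]:
    """Byte-for-byte comparison: fails whenever the realm differs in case."""
    for cred in cache:
        if cred.server == server:
            return cred
    return None


def _fold(p: Principal) -> Principal:
    # Fold the realm and, for krbtgt/REALM, the realm component as well.
    comps = list(p.components)
    if len(comps) == 2 and comps[0] == "krbtgt":
        comps[1] = comps[1].upper()
    return Principal(tuple(comps), p.realm.upper())


def find_case_folded(cache: List[Credential], server: Principal) -> Optional[Credential]:
    """Tolerates a case mismatch but still cannot resolve a NetBIOS realm."""
    want = _fold(server)
    for cred in cache:
        if _fold(cred.server) == want:
            return cred
    return None


def canonicalize(server: Principal, aliases: Dict[str, str]) -> Principal:
    """Rewrite an alias realm into its canonical DNS form using KDC-supplied aliases."""
    comps = list(server.components)
    if len(comps) == 2 and comps[0] == "krbtgt":
        comps[1] = aliases.get(comps[1].upper(), comps[1].upper())
    return Principal(tuple(comps), aliases.get(server.realm.upper(), server.realm.upper()))


def find_canonical(cache: List[Credential], server: Principal,
                   aliases: Dict[str, str] = REALM_ALIASES) -> Optional[Credential]:
    return find_exact(cache, canonicalize(server, aliases))


def lookup_outcomes() -> Dict[str, Dict[str, bool]]:
    """For each way of naming the realm, report which strategy finds the TGT."""
    cache = make_cache()
    variants = (("upper", DNS_REALM), ("lower", DNS_REALM.lower()), ("netbios", NETBIOS_REALM))
    results = {}
    for label, realm in variants:
        req = krbtgt_for(realm)
        results[label] = {
            "exact": find_exact(cache, req) is not None,
            "folded": find_case_folded(cache, req) is not None,
            "canonical": find_canonical(cache, req) is not None,
        }
    return results


if __name__ == "__main__":
    for label, outcome in lookup_outcomes().items():
        print(label, outcome)
```

The exact lookup only succeeds when the request names the realm exactly as the TGT stores it; case folding rescues the lower-case request but not the NetBIOS short form, which only the alias information from the KDC (what the canonicalize flag asks for) can map back to the stored realm.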