[PATCH] Improve krb5 KDC tests, kdc behaviour

Andrew Bartlett abartlet at samba.org
Fri Jan 30 12:41:12 MST 2015


On Fri, 2015-01-30 at 20:33 +0100, Andreas Schneider wrote:
> On Saturday 31 January 2015 07:54:33 Andrew Bartlett wrote:
> > On Fri, 2015-01-30 at 17:45 +0100, Andreas Schneider wrote:
> > > On Friday 30 January 2015 17:44:12 Andrew Bartlett wrote:
> > > > Metze,
> > > > 
> > > > Attached is some improvements to our KDC test script, and a fix for our
> > > > KDC.
> > > 
> > > Andrew,
> > > 
> > > Please change
> > > 
> > > -	if (principal->name.name_string.len >= 2) {
> > > +	if (principal->name.name_type == KRB5_NT_PRINCIPAL
> > > +	    && principal->name.name_string.len >= 2) {
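Review bot: the new condition on the `+` lines reaches into Heimdal's principal layout directly (`principal->name.name_type`, `principal->name.name_string.len`), which ties the check to Heimdal and will not build against MIT krb5, where the principal has no `name` member; the accessor form suggested in the reply, `smb_krb5_principal_get_type(context, principal) == KRB5_NT_PRINCIPAL && krb5_princ_size(context, principal) >= 2`, expresses the same check portably. Since adding the name_type test also means principals of any other name type now skip this branch, the commit message should state why only KRB5_NT_PRINCIPAL principals are meant to take it.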
> > > 
> > > to
> > > 
> > > if (smb_krb5_principal_get_type(context, principal) == KRB5_NT_PRINCIPAL
> > > 
> > >     && krb5_princ_size(context, principal) >= 2) {
> > 
> > Thanks,
> > 
> > I'll do that on Monday.  I do realise this patch set is both a blessing
> > and a curse (to use an expression) for your efforts, because:
> >  - it is the first time we have had a serious test suite for KDC
> > behaviour,
> >  - it imposes some quite strict behaviour expectations on both the krb5
> > libs and the KDC and
> >  - but it uses Heimdal-specific code (like the ASN.1 parser) and
> > functions that could be implemented in MIT (but are not) like the
> > send_to_kdc hooks to get there.
> > 
> > Asking to use the helper functions where available is quite reasonable,
> > and I'll do that.
> 
> It makes it easier to rebase our MIT patchset which has quite some patches
> 
> asn at magrathea:~/workspace/projects/samba/git> git w
> ## master-mit-kdc...origin/master [ahead 116]

Indeed!

> > All that said, it has been a very worthwhile effort, because we have
> > found some very interesting and subtle bugs along the way.
> > 
> > My updated krb5-upn2 branch shows how we can test the canonicalize flag
> > for the TGS-REQ, shows that we need to fix our tests in that area, and
> > points to a direction for testing S4U2Self and S4U2Proxy behaviour,
> > which I think will become an even more important area in the future.
> 
> We probably need the same for MIT Kerberos but currently we still don't 
> understand some things.
> 
> The current bug I'm trying to hunt down is that Kerberos auth works just fine 
> as a user, but not with the machine account ...
> 
> kinit works but then gss_init_sec_context() in gensec_gssapi_update() fails 
> with:
> 
> Matching credential not found

You will see I had exactly that error in my tests - in Heimdal, the
krb5_mk_req_exact() code handles having the wrong case/name of the
target realm, but krb5_get_creds() does not in these combinations:

test_data->canonicalize == false && test_data->enterprise == false
&& (test_data->upper_realm == false || test_data->netbios_realm == true)

Perhaps you have some issues in the server-side canonicalisation code in
your KDC, that is different between machine and user accounts?

My guess is that it is looking for a TGT with the realm, but it is
stored in another case.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
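The realm-case failure Andrew describes (a credential lookup that wants the TGT under one spelling of the realm while the cache holds it under another) can be modelled without a KDC. The following is an added illustration written for this page, not Heimdal or Samba code: it fakes a credential cache as a list of (client, server) principal pairs, builds the requested realm from the `upper_realm` and `netbios_realm` flags named in the mail, and compares a byte-exact lookup with one that canonicalises the realm first. The NetBIOS-to-DNS alias table, the principal names and the `lookup_matrix()` helper are all assumptions made for the example; the `canonicalize` and `enterprise` flags are not modelled.

```python
"""Toy model of the "Matching credential not found" failure.

Added illustration, not Heimdal or Samba code.  The ccache, the client
principal and the realm alias table below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    components: tuple
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        """Parse 'comp1/comp2@REALM'; a missing realm is rejected."""
        name, sep, realm = text.rpartition("@")
        if not sep or not realm:
            raise ValueError(f"principal needs a realm: {text!r}")
        return cls(tuple(name.split("/")), realm)


# Assumed alias table: the NetBIOS domain name for the DNS realm.
REALM_ALIASES = {"SAMBA": "EXAMPLE.COM"}

# Constructed ccache: what kinit stored after the KDC answered with the
# realm in its canonical upper-case DNS form.
CCACHE = [
    (Principal.parse("host1$@EXAMPLE.COM"),
     Principal.parse("krbtgt/EXAMPLE.COM@EXAMPLE.COM")),
]


def canonical_realm(realm: str) -> str:
    """Upper-case the realm and map a NetBIOS name to its DNS realm."""
    upper = realm.upper()
    return REALM_ALIASES.get(upper, upper)


def requested_realm(upper_realm: bool, netbios_realm: bool) -> str:
    """Realm the client puts in its request under the two flags from the mail."""
    realm = "SAMBA" if netbios_realm else "example.com"
    return realm.upper() if upper_realm else realm


def find_tgt_exact(ccache, client: Principal, realm: str):
    """Strict lookup: server principal must match byte for byte."""
    want = Principal(("krbtgt", realm), realm)
    for c, s in ccache:
        if c == client and s == want:
            return s
    return None


def find_tgt_canonical(ccache, client: Principal, realm: str):
    """Lookup that canonicalises the realm on both sides before comparing."""
    want = canonical_realm(realm)
    for c, s in ccache:
        if (c == client
                and s.components[0] == "krbtgt"
                and len(s.components) == 2
                and canonical_realm(s.components[1]) == want
                and canonical_realm(s.realm) == want):
            return s
    return None


def lookup_matrix():
    """Run both lookups over the four flag combinations.

    Returns {(upper_realm, netbios_realm): (exact_found, canonical_found)}.
    """
    client = Principal.parse("host1$@EXAMPLE.COM")
    result = {}
    for upper in (False, True):
        for netbios in (False, True):
            realm = requested_realm(upper, netbios)
            result[(upper, netbios)] = (
                find_tgt_exact(CCACHE, client, realm) is not None,
                find_tgt_canonical(CCACHE, client, realm) is not None,
            )
    return result


if __name__ == "__main__":
    for (upper, netbios), (exact, canon) in lookup_matrix().items():
        print(f"upper_realm={upper!s:5} netbios_realm={netbios!s:5} "
              f"exact={'found' if exact else 'MISSING'} "
              f"canonical={'found' if canon else 'MISSING'}")
```

The exact lookup only succeeds for `upper_realm=True, netbios_realm=False`, which is the complement of the failing combinations listed in the mail. Canonicalising before the compare is a modelling choice, not a recommendation: Kerberos realm names are case-sensitive on the wire, and mapping a NetBIOS name to a DNS realm needs a trusted source for that alias, so where the fix belongs (client library, KDC, or the test expectations) is exactly what the thread is working out.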