[PATCH] Improve krb5 KDC tests, kdc behaviour

Andrew Bartlett abartlet at samba.org
Fri Jan 30 12:58:59 MST 2015


On Fri, 2015-01-30 at 20:52 +0100, Andreas Schneider wrote:
> On Saturday 31 January 2015 08:41:12 Andrew Bartlett wrote:
> > On Fri, 2015-01-30 at 20:33 +0100, Andreas Schneider wrote:
> > > On Saturday 31 January 2015 07:54:33 Andrew Bartlett wrote:
> > > > On Fri, 2015-01-30 at 17:45 +0100, Andreas Schneider wrote:
> > > > > On Friday 30 January 2015 17:44:12 Andrew Bartlett wrote:
> > > > > > Metze,
> > > > > > 
> > > > > > Attached are some improvements to our KDC test script, and a fix for
> > > > > > our KDC.
> > > > > 
> > > > > Andrew,
> > > > > 
> > > > > Please change
> > > > > 
> > > > > -	if (principal->name.name_string.len >= 2) {
> > > > > +	if (principal->name.name_type == KRB5_NT_PRINCIPAL
> > > > > +	    && principal->name.name_string.len >= 2) {
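Review bot: reading principal->name.name_type and principal->name.name_string.len directly ties the new guard to Heimdal's krb5_principal struct layout, so it will not build against MIT; use the accessor form, `if (smb_krb5_principal_get_type(context, principal) == KRB5_NT_PRINCIPAL && krb5_princ_size(context, principal) >= 2) {`, which expresses the same two conditions (name type is KRB5_NT_PRINCIPAL, at least two components) through the library-neutral helpers.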
> > > > > 
> > > > > to
> > > > > 
> > > > > if (smb_krb5_principal_get_type(context, principal) == KRB5_NT_PRINCIPAL
> > > > >     && krb5_princ_size(context, principal) >= 2) {
> > > > 
> > > > Thanks,
> > > > 
> > > > I'll do that on Monday.  I do realise this patch set is both a blessing
> > > > and a curse (to use an expression) for your efforts, because:
> > > >  - it is the first time we have had a serious test suite for KDC
> > > >    behaviour,
> > > >  - it imposes some quite strict behaviour expectations on both the krb5
> > > >    libs and the KDC and
> > > >  - but it uses Heimdal-specific code (like the ASN.1 parser) and
> > > >    functions that could be implemented in MIT (but are not) like the
> > > >    send_to_kdc hooks to get there.
> > > > 
> > > > Asking to use the helper functions where available is quite reasonable,
> > > > and I'll do that.
> > > 
> > > It makes it easier to rebase our MIT patchset which has quite some patches
> > > 
> > > asn at magrathea:~/workspace/projects/samba/git> git w
> > > ## master-mit-kdc...origin/master [ahead 116]
> > 
> > Indeed!
> > 
> > > > All that said, it has been a very worthwhile effort, because we have
> > > > found some very interesting and subtle bugs along the way.
> > > > 
> > > > My updated krb5-upn2 branch shows how we can test the canonicalize flag
> > > > for the TGS-REQ, shows that we need to fix our tests in that area, and
> > > > points to a direction for testing S4U2Self and S4U2Proxy behaviour,
> > > > which I think will become an even more important area in the future.
> > > 
> > > We probably need the same for MIT Kerberos but currently we still don't
> > > understand some things.
> > > 
> > > The current bug I'm trying to hunt down is that Kerberos auth works just
> > > fine as a user, but not with the machine account ...
> > > 
> > > kinit works but then gss_init_sec_context() in gensec_gssapi_update()
> > > fails with:
> > > 
> > > Matching credential not found
> > 
> > You will see I had exactly that error in my tests - in Heimdal, the
> > krb5_mk_req_exact() code handles having the wrong case/name of the
> > target realm, but krb5_get_creds() does not in these combinations:
> > 
> > test_data->canonicalize == false && test_data->enterprise == false
> > && (test_data->upper_realm == false || test_data->netbios_realm == true)
> > 
> > Perhaps you have some issues in the server-side canonicalisation code in
> > your KDC, that is different between machine and user accounts?
> > 
> > My guess is that it is looking for a TGT with the realm, but it is
> > stored in another case.
> 
> This is what I have guessed, but gd didn't believe it is the issue. The TGT is 
> requested for LOCALADMEMBER$@SAMBA.EXAMPLE.COM and we get a TGT for 
> localadmember$@SAMBA.EXAMPLE.COM ...
> 
> https://www.cloudshark.org/captures/fa35bc16bbb0
> 
> frame 1375 is the request in UPPER case
> frame 1380 is the response in LOWER case

If you run these tests (from a Heimdal build, against your MIT build) I
think it will flush out these issues pretty fast.  This is exactly the
stuff I've got it checking.  From what I see, the principal type isn't
filled in, and it looks like correct behaviour when canonicalize is set.
It might be that the client libs don't really expect canonicalise, and
the difference between your user and machine is if the account is in
upper or lower case in AD.

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
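As an added illustration of the credential-lookup mismatch discussed in the thread (the TGT requested for LOCALADMEMBER$@SAMBA.EXAMPLE.COM, returned for localadmember$@SAMBA.EXAMPLE.COM, and gss_init_sec_context() then reporting "Matching credential not found"), here is a small self-contained C model of a credential cache and two lookup policies. It is example code written for this page, not Samba, Heimdal or MIT code: the principal parser, the cache contents, the match policies and the function names are all constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a credential-cache lookup, written for this thread;
 * it is not Samba, Heimdal or MIT code. */

#define MAX_COMP 4
#define MAX_LEN  128

struct principal {
    int  ncomp;                    /* number of name components */
    char comp[MAX_COMP][MAX_LEN];  /* e.g. "krbtgt", "SAMBA.EXAMPLE.COM" */
    char realm[MAX_LEN];
};

enum match_policy {
    MATCH_EXACT,            /* byte-for-byte, as a plain principal compare does */
    MATCH_CASE_INSENSITIVE  /* name and realm case-folded, as AD treats account names */
};

/* Case-insensitive compare without relying on the POSIX-only strcasecmp(). */
static int ci_cmp(const char *a, const char *b)
{
    for (;; a++, b++) {
        int ca = tolower((unsigned char)*a), cb = tolower((unsigned char)*b);
        if (ca != cb || ca == '\0')
            return ca - cb;
    }
}

/* Parse "comp1/comp2@REALM" into components and realm; false on malformed input. */
static bool parse_principal(const char *s, struct principal *p)
{
    const char *at = strrchr(s, '@');
    const char *start = s;

    if (at == NULL || at == s || at[1] == '\0' || strlen(at + 1) >= MAX_LEN)
        return false;
    memset(p, 0, sizeof(*p));
    strcpy(p->realm, at + 1);

    while (start < at) {
        const char *slash = memchr(start, '/', (size_t)(at - start));
        const char *end = slash ? slash : at;
        size_t len = (size_t)(end - start);

        if (len == 0 || len >= MAX_LEN || p->ncomp == MAX_COMP)
            return false;
        memcpy(p->comp[p->ncomp], start, len);
        p->comp[p->ncomp][len] = '\0';
        p->ncomp++;
        start = end + 1;
    }
    return p->ncomp > 0;
}

static bool principal_match(const struct principal *a, const struct principal *b,
                            enum match_policy pol)
{
    int (*cmp)(const char *, const char *) = (pol == MATCH_EXACT) ? strcmp : ci_cmp;
    int i;

    if (a->ncomp != b->ncomp || cmp(a->realm, b->realm) != 0)
        return false;
    for (i = 0; i < a->ncomp; i++)
        if (cmp(a->comp[i], b->comp[i]) != 0)
            return false;
    return true;
}

/* Constructed cache contents: the TGT as the KDC returned it (lower-case client name). */
struct cred { const char *client; const char *server; };
static const struct cred cache[] = {
    { "localadmember$@SAMBA.EXAMPLE.COM", "krbtgt/SAMBA.EXAMPLE.COM@SAMBA.EXAMPLE.COM" },
};

/* Return the cache index of a matching credential, or -1 when none matches
 * (the "Matching credential not found" case). */
static int find_cred(const char *client, const char *server, enum match_policy pol)
{
    struct principal wc, ws, hc, hs;
    size_t i;

    if (!parse_principal(client, &wc) || !parse_principal(server, &ws))
        return -1;
    for (i = 0; i < sizeof(cache) / sizeof(cache[0]); i++) {
        if (!parse_principal(cache[i].client, &hc) || !parse_principal(cache[i].server, &hs))
            continue;
        if (principal_match(&wc, &hc, pol) && principal_match(&ws, &hs, pol))
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* The request went out with the upper-case name; the reply carried the lower-case one. */
    const char *asked  = "LOCALADMEMBER$@SAMBA.EXAMPLE.COM";
    const char *krbtgt = "krbtgt/SAMBA.EXAMPLE.COM@SAMBA.EXAMPLE.COM";

    printf("exact lookup:            %d\n", find_cred(asked, krbtgt, MATCH_EXACT));
    printf("case-insensitive lookup: %d\n", find_cred(asked, krbtgt, MATCH_CASE_INSENSITIVE));
    return 0;
}
```

The exact policy reproduces the failure: the name the client asked for and the name the KDC canonicalised to differ only in case, so a byte-for-byte compare never finds the cached TGT. The case-insensitive policy finds it, which is the behaviour an AD-style KDC implies, but the more robust client-side fix is to key the cache entry by the client name actually returned in the reply rather than by the name that was requested, so the lookup does not depend on how the compare treats case.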
