[PATCH] Improve debugging in gensec_gssapi

Jeremy Allison jra at samba.org
Wed Sep 2 18:27:04 UTC 2015


On Wed, Sep 02, 2015 at 05:01:40PM +1200, Andrew Bartlett wrote:
> This should give a little less confusion when debugging gensec_gssapi
> in the future. 
> 
> Please review/push

Andrew, just one question here.

In the KRB5KRB_AP_ERR_TKT_NYV case, this changes
the return from NT_STATUS_TIME_DIFFERENCE_AT_DC to
NT_STATUS_INVALID_PARAMETER in the GENSEC_SERVER
case.

That's a behavior change - is it intentional ?

Jeremy.

> Andrew Bartlett
> -- 
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team         https://samba.org
> Samba Development and Support, Catalyst IT   
> https://catalyst.net.nz/services/samba
> 
> 
> 
> 

> From 7e5f89cb0eb641d6a12fb9dc4eca45f4f267c284 Mon Sep 17 00:00:00 2001
> From: Andrew Bartlett <abartlet at samba.org>
> Date: Wed, 2 Sep 2015 15:02:01 +1200
> Subject: [PATCH] gensec_gssapi: Improve debug messages
> 
> In particular, the KRB5KRB_AP_ERR_TKT_EXPIRED error can happen on the server as well as on the client.
> 
> Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> ---
>  source4/auth/gensec/gensec_gssapi.c | 65 +++++++++++++++++++++++++++++--------
>  1 file changed, 52 insertions(+), 13 deletions(-)
> 
> diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
> index ed6d08a..46bd32b 100644
> --- a/source4/auth/gensec/gensec_gssapi.c
> +++ b/source4/auth/gensec/gensec_gssapi.c
> @@ -533,11 +533,6 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
>  			OM_uint32 lifetime = 0;
>  			gss_cred_usage_t usage;
>  			const char *role = NULL;
> -			DEBUG(0, ("GSS %s Update(krb5)(%d) Update failed, credentials expired during GSSAPI handshake!\n",
> -				  role,
> -				  gensec_gssapi_state->gss_exchange_count));
> -
> -			
>  			switch (gensec_security->gensec_role) {
>  			case GENSEC_CLIENT:
>  				creds = gensec_gssapi_state->client_cred->creds;
> @@ -549,6 +544,10 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
>  				break;
>  			}
>  
> +			DEBUG(0, ("GSS %s Update(krb5)(%d) Update failed, credentials expired during GSSAPI handshake!\n",
> +				  role,
> +				  gensec_gssapi_state->gss_exchange_count));
> +
>  			maj_stat = gss_inquire_cred(&min_stat, 
>  						    creds,
>  						    &name, &lifetime, &usage, NULL);
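Review bot: The relocated DEBUG(0) at the top of this hunk formats `role` with `%s`, and `role` starts out as NULL (`const char *role = NULL;` in the previous hunk) and is only assigned inside the `switch (gensec_security->gensec_role)` arms, most of which sit between the two hunks and are not visible here. If any arm, or a missing `default:`, leaves `role` unset, the message is built from a NULL pointer; Samba's DEBUG formatter may render that as "(null)" but it would still hide which side failed. A cheap guard is `role ? role : "(unknown role)"` in the format arguments, or an explicit `default:` that sets `role`. gensec_gssapi_update starts and ends outside this hunk.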
> @@ -591,15 +590,55 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
>  					     gss_mech_krb5)) {
>  			switch (min_stat) {
>  			case KRB5KRB_AP_ERR_TKT_NYV:
> -				DEBUG(1, ("Error with ticket to contact %s: possible clock skew between us and the KDC or target server: %s\n",
> -					  gensec_gssapi_state->target_principal,
> -					  gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
> -				return NT_STATUS_TIME_DIFFERENCE_AT_DC; /* Make SPNEGO ignore us, we can't go any further here */
> +				switch (gensec_security->gensec_role) {
> +				case GENSEC_CLIENT:
> +					DEBUG(1, ("Error with our ticket used to contact %s: "
> +						  "possible clock skew between us and the "
> +						  "KDC or target server: %s\n",
> +						  gensec_gssapi_state->target_principal,
> +						  gssapi_error_string(out_mem_ctx, maj_stat,
> +								      min_stat,
> +								      gensec_gssapi_state->gss_oid)));
> +					/* Make SPNEGO ignore us, we can't go any further here */
> +					return NT_STATUS_TIME_DIFFERENCE_AT_DC;
> +					break;
> +				case GENSEC_SERVER:
> +					DEBUG(1, ("Error with ticket used by client: "
> +						  "possible clock skew between us and the "
> +						  "KDC or client: %s\n",
> +						  gssapi_error_string(out_mem_ctx, maj_stat,
> +								      min_stat,
> +								      gensec_gssapi_state->gss_oid)));
> +					/* Make SPNEGO ignore us, we can't go any further here */
> +					return NT_STATUS_INVALID_PARAMETER;
> +					break;
> +				}
>  			case KRB5KRB_AP_ERR_TKT_EXPIRED:
> -				DEBUG(1, ("Error with ticket to contact %s: ticket is expired, possible clock skew between us and the KDC or target server: %s\n",
> -					  gensec_gssapi_state->target_principal,
> -					  gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
> -				return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
> +				switch (gensec_security->gensec_role) {
> +				case GENSEC_CLIENT:
> +					DEBUG(1, ("Error with ticket to contact %s: "
> +						  "ticket is expired, possible "
> +						  "clock skew between us and "
> +						  "the KDC or target server: %s\n",
> +						  gensec_gssapi_state->target_principal,
> +						  gssapi_error_string(out_mem_ctx,
> +								      maj_stat,
> +								      min_stat,
> +								      gensec_gssapi_state->gss_oid)));
> +					/* Make SPNEGO ignore us, we can't go any further here */
> +					return NT_STATUS_INVALID_PARAMETER;
> +				case GENSEC_SERVER:
> +					DEBUG(1, ("Error with ticket used by client: "
> +						  "ticket is expired, possible "
> +						  "clock skew between us and the "
> +						  "KDC or client: %s\n",
> +						  gssapi_error_string(out_mem_ctx,
> +								      maj_stat,
> +								      min_stat,
> +								      gensec_gssapi_state->gss_oid)));
> +					/* Make SPNEGO ignore us, we can't go any further here */
> +					return NT_STATUS_INVALID_PARAMETER;
> +				}
>  			case KRB5_KDC_UNREACH:
>  				DEBUG(3, ("Cannot reach a KDC we require in order to obtain a ticket to %s: %s\n",
>  					  gensec_gssapi_state->target_principal,
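Review bot: Neither of the new inner `switch (gensec_security->gensec_role)` blocks has a `default:` arm, and there is no `break`/`return` after each inner switch's closing brace, so any role value other than GENSEC_CLIENT or GENSEC_SERVER now falls from the KRB5KRB_AP_ERR_TKT_NYV case straight into the KRB5KRB_AP_ERR_TKT_EXPIRED switch and from there into the KRB5_KDC_UNREACH handling, whereas before this patch both outer cases returned unconditionally. Even if the enum only ever holds those two values today, this is the kind of silent fall-through that later turns an "impossible" state into the wrong NTSTATUS on an authentication failure path, and -Wimplicit-fallthrough will flag it; add `default: return NT_STATUS_INVALID_PARAMETER;` to both inner switches so every path returns. The `break;` statements after `return` at the end of the TKT_NYV arms are unreachable and absent from the TKT_EXPIRED arms — drop them for consistency. gensec_gssapi_update starts and ends outside this hunk.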
> -- 
> 2.5.0
> 



