Cross realm S4U2Self patches rebased on import-lorikeet-heimdal branch

Isaac Boukris iboukris at gmail.com
Mon Oct 15 19:09:15 UTC 2018


On Wed, Oct 10, 2018 at 2:09 PM Andrew Bartlett <abartlet at samba.org> wrote:
>
> On Fri, 2018-09-28 at 21:30 +0530, Isaac Boukris via samba-technical
> wrote:
> > On Tue, Sep 25, 2018 at 2:21 PM Andrew Bartlett <abartlet at samba.org> wrote:
> > >
> > > On Mon, 2018-09-24 at 13:43 +0530, Isaac Boukris wrote:
> > > > I think one significant change in cross realm client code between the
> > > > two versions, is the order of capath vs referral in
> > > > _krb5_get_cred_kdc_any() which has changed (likely to break some
> > > > torture expectations).
> >
> > If I revert that change for testing (see attached), it gets rid of all
> > the transit errors I've seen before my changes.
> > I think this error (KRB5KDC_ERR_PATH_NOT_ACCEPTED) comes from
> > get_cred_kdc_referral() when the server name is short and canonicalize
> > flag is off, and therefore was not seen by the caller when we used to
> > fallback to capath.
> >
> > [old] $ cat selftest_2018-09-23_10\:50.log |grep "KDC Policy rejects
> > transited path" |wc -l
> > 296
> > [new] $ cat selftest_2018-09-28_15\:06.log |grep "KDC Policy rejects
> > transited path" |wc -l
> > 0
> >
> > [old] $ grep "failure:" selftest_2018-09-23_10\:50.log  |wc -l
> > 1756
> > [new]$ grep "failure:" selftest_2018-09-28_15\:06.log  |wc -l
> > 1700
> >
> > Assuming we are ok with that change of order of methods (capath vs
> > referrals), I'll try to confirm and update the expectation in the
> > torture test.
>
> That is the right approach.

I'll try that (soon) and hopefully come up with a patch that reduces
the failures a bit in the (base) import-lorikeet-heimdal branch.

> > Otherwise, we might want to introduce new flags to better control which
> > method to choose, and use those in samba.
>
> If reordering the tests is a nightmare, then do this.  Or we can carry
> your patch.  It seems unlikely we will ever get to a pure upstream
> Heimdal anyway (I'm having difficulty getting even simple patches
> upstream).

I'd be talking over my head, but I think we could benefit from
upgrading to a newer Heimdal version even if we don't reach pure
upstream Heimdal right away. It would also certainly help to make
subsequent upgrades easier.

As regards my S4U2Self patches, note that I made some progress on
the MIT front with the help of the upstream team, and got the
necessary patches applied upstream (see PRs #852 #853 and #860).
I want to work on the samba side of it soon (help welcome), but before
that I want to revisit my Heimdal patches with some new insights (and
also try to add upstream tests to the upstream Heimdal PR).
However, most of the logic is the same and any initial input on the
current version of it would be highly appreciated (merge request #75).

Thanks!
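The ordering effect discussed in the thread (capath-first versus referral-first in the cross-realm client path, and why a transit-policy rejection that the old order never triggered shows up in the selftest logs under the new one) can be illustrated with a small model. The following is an added example written for this archive page; it is not Heimdal's or Samba's code, and the realm names (A.EXAMPLE, B.EXAMPLE, C.EXAMPLE), the [capaths] table, the referral hint and the target KDC's transit policy are all constructed for the illustration. The model has the target realm's KDC check the transited field and log a rejection before raising KRB5KDC_ERR_PATH_NOT_ACCEPTED, so the KDC-side log records the attempt even when the client later succeeds through a different method.

```python
"""Toy model of cross-realm TGS lookup order: capath-first vs referral-first.

Added example, not Heimdal's or Samba's code. Realm names, the capaths table,
the referral hint and the KDC transit policy below are constructed.
"""
from dataclasses import dataclass, field

KRB5KDC_ERR_PATH_NOT_ACCEPTED = 43  # RFC 4120 error code


class KrbError(Exception):
    def __init__(self, code, msg):
        super().__init__(msg)
        self.code = code


@dataclass
class Kdc:
    realm: str
    # client realm -> set of accepted transited paths (tuples of intermediate realms)
    accepted_transit: dict = field(default_factory=dict)
    # short server name -> realm chain this KDC refers the client through (constructed hint)
    referrals: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def issue_cross_realm_ticket(self, client_realm, transited):
        """Server-side transit check; the rejection is logged before the error is returned."""
        if transited not in self.accepted_transit.get(client_realm, set()):
            self.log.append(f"KDC Policy rejects transited path {list(transited)} for {client_realm}")
            raise KrbError(KRB5KDC_ERR_PATH_NOT_ACCEPTED, "KDC policy rejects transited path")
        return {"realm": self.realm, "transited": transited}


def get_cred_kdc_capaths(kdcs, capaths, client_realm, server_realm):
    """Client-side [capaths] walk: the transited field is the configured intermediates."""
    path = tuple(capaths[client_realm][server_realm])  # () means a direct trust
    return ("capath", kdcs[server_realm].issue_cross_realm_ticket(client_realm, path))


def get_cred_kdc_referral(kdcs, client_realm, server_name):
    """Client follows its own KDC's referral hint for a short (realm-less) server name.
    The intermediate realm is not contacted in this model; only the target's transit
    check matters for the ordering effect."""
    if "@" in server_name:
        raise KrbError(-1, "realm-qualified name: not a referral case in this model")
    chain = kdcs[client_realm].referrals.get(server_name)
    if chain is None:
        raise KrbError(-1, "no referral hint for " + server_name)
    *path, server_realm = chain
    return ("referral", kdcs[server_realm].issue_cross_realm_ticket(client_realm, tuple(path)))


def get_cred_kdc_any(kdcs, capaths, client_realm, server_name, server_realm, order):
    """Try the methods in `order`; return the first success, else raise the first error.
    An earlier method's error is hidden from the caller when a later one succeeds,
    but the KDC that rejected the path has already logged it."""
    first_err = None
    for method in order:
        try:
            if method == "capath":
                return get_cred_kdc_capaths(kdcs, capaths, client_realm, server_realm)
            return get_cred_kdc_referral(kdcs, client_realm, server_name)
        except KrbError as e:
            if first_err is None:
                first_err = e
    raise first_err if first_err else KrbError(-1, "no lookup method configured")


def build_world():
    # Constructed: A's KDC refers host/srv through C; B's policy accepts only a direct path from A.
    a = Kdc("A.EXAMPLE", referrals={"host/srv": ["C.EXAMPLE", "B.EXAMPLE"]})
    c = Kdc("C.EXAMPLE")
    b = Kdc("B.EXAMPLE", accepted_transit={"A.EXAMPLE": {()}})
    kdcs = {k.realm: k for k in (a, b, c)}
    capaths = {"A.EXAMPLE": {"B.EXAMPLE": []}}  # client config: A trusts B directly
    return kdcs, capaths


def run(order):
    """Return (method that succeeded, lines logged by B's KDC) for a given method order."""
    kdcs, capaths = build_world()
    method, _ = get_cred_kdc_any(kdcs, capaths, "A.EXAMPLE", "host/srv", "B.EXAMPLE", order)
    return method, list(kdcs["B.EXAMPLE"].log)


def error_code_for(order):
    """Return the error code the caller sees when every method in `order` fails, else None."""
    kdcs, capaths = build_world()
    try:
        get_cred_kdc_any(kdcs, capaths, "A.EXAMPLE", "host/srv", "B.EXAMPLE", order)
    except KrbError as e:
        return e.code
    return None


if __name__ == "__main__":
    print(run(("capath", "referral")))   # capath-first: nothing rejected at B
    print(run(("referral", "capath")))   # referral-first: B logs a rejection, then capath succeeds
    print(error_code_for(("referral",)))  # no fallback: caller sees 43
```

Counting the rejection lines in B's log across the two orders mirrors the grep counts in the thread: the capath-first order produces none, the referral-first order produces one per lookup even though the lookup ultimately succeeds, and with no fallback at all the KRB5KDC_ERR_PATH_NOT_ACCEPTED error reaches the caller.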
