Cross realm S4U2Self patches rebased on import-lorikeet-heimdal branch

Andrew Bartlett abartlet at samba.org
Mon Oct 15 19:23:41 UTC 2018


On Tue, 2018-10-16 at 04:09 +0900, Isaac Boukris wrote:
> On Wed, Oct 10, 2018 at 2:09 PM Andrew Bartlett <abartlet at samba.org> wrote:
> > 
> > On Fri, 2018-09-28 at 21:30 +0530, Isaac Boukris via samba-technical
> > wrote:
> > > On Tue, Sep 25, 2018 at 2:21 PM Andrew Bartlett <abartlet at samba.org> wrote:
> > > > 
> > > > On Mon, 2018-09-24 at 13:43 +0530, Isaac Boukris wrote:
> > > > > I think one significant change in cross realm client code between the
> > > > > two versions, is the order of capath vs referral in
> > > > > _krb5_get_cred_kdc_any() which has changed (likely to break some
> > > > > torture expectations).
> > > 
> > > If I revert that change for testing (see attached), it gets rid of all
> > > the transit errors I've seen before my changes.
> > > I think this error (KRB5KDC_ERR_PATH_NOT_ACCEPTED) comes from
> > > get_cred_kdc_referral() when the server name is short and canonicalize
> > > flag is off, and therefore was not seen by the caller when we used to
> > > fallback to capath.
> > > 
> > > [old] $ cat selftest_2018-09-23_10\:50.log |grep "KDC Policy rejects
> > > transited path" |wc -l
> > > 296
> > > [new] $ cat selftest_2018-09-28_15\:06.log |grep "KDC Policy rejects
> > > transited path" |wc -l
> > > 0
> > > 
> > > [old] $ grep "failure:" selftest_2018-09-23_10\:50.log  |wc -l
> > > 1756
> > > [new]$ grep "failure:" selftest_2018-09-28_15\:06.log  |wc -l
> > > 1700
> > > 
> > > Assuming we are ok with that change of order of methods (capath vs
> > > referrals), I'll try to confirm and update the expectation in the
> > > torture test.
> > 
> > That is the right approach.
> 
> I'll try that (soon) and hopefully come with a patch that would reduce
> a bit the failures in the (base) import-lorikeet-heimdal branch.
> 
> > > Otherwise, we might want to introduce new flags to better control what
> > > method to choose, and use those in samba.
> > 
> > If reordering the tests is a nightmare, then do this.  Or we can carry
> > your patch.  It seems unlikely we will ever get to a pure upstream
> > Heimdal anyway (I'm having difficulty getting even simple patches
> > upstream).
> 
> I'd be talking over my head, but I think we could benefit from
> upgrading to a newer Heimdal version even if we don't reach pure
> upstream Heimdal right away. It would also certainly help to make
> subsequent upgrades easier.

Exactly.

> Regarding my S4U2Self patches, note that I made some progress on
> the MIT front with the help of the upstream team, and got the
> necessary patches applied upstream (see PRs #852 #853 and #860).
> I want to work on the samba side of it soon (help welcome), but before
> that I want to revisit my Heimdal patches with some new insights (and
> also try to add upstream tests to the upstream Heimdal PR).

That would certainly help a lot.

> However, most of the logic is the same and any initial input on the
> current version of it would be highly appreciated (merge request #75).

I'll see what I can do.  I've been on leave but I'll be back trying to
make progress on this over the next couple of weeks.  I'm really
looking forward to working with you on this.

It can be a lonely business working on the Heimdal stuff and it will be
great to work together better.

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba