Heimdal upgrade, really happening this time

Andrew Bartlett abartlet at samba.org
Mon Aug 9 09:07:26 UTC 2021


On Mon, 2021-08-09 at 10:53 +0200, Stefan Metzmacher wrote:
> Am 09.08.21 um 03:37 schrieb Andrew Bartlett:
> > On Mon, 2021-08-09 at 11:12 +1200, Andrew Bartlett via samba-technical wrote:
> > > On Fri, 2021-07-09 at 22:29 +1200, Andrew Bartlett via samba-technical wrote:
> > > > We now have a mostly-working branch of current Heimdal on current
> > > > Samba, compiling on all our supported systems, which is pretty
> > > > impressive.
> > > 
> > > I just wanted to wrap back to the list with an update.  Thanks to
> > > some great work with Luke Howard recently, most of our pull requests
> > > with Heimdal have either been merged or will be shortly (as in, I
> > > made the requested changes and expect them to be accepted).
> > > 
> > > This means that we are actually fairly close to upstream Heimdal,
> > > closer than we ever have been I dare to suggest.
> > > 
> > > The remaining changes outstanding are:
> > > ...
> > 
> > There are also, which were on the Samba side, the attached.
> > 
> > I'm not really sure about them - I think
> > 
> > source4/heimdal/lib/krb5/init_creds_pw.c
> > KRB5_NT_ENTERPRISE_PRINCIPAL
> > ctx->flags.canonicalize = 1
> > 
> > is trying to do the same as the Samba-side commit:
> > 
> > testprogs/blackbox/ --enterprise --canonicalize
> > 
> > Is that the case, and so could we drop the Heimdal side now?
> 
> I don't think enterprise principals will work without canonicalize
> and we have also non-blackbox cases we need to handle.
> 
> Just try and check if all our tests still work.
> It seems our C code uses krb5_get_init_creds_opt_set_canonicalize(),
> so we may not need that patch.

OK, I will do.  

That horrible krb5.kdc.canon C-based test shows what happens if you
have enterprise without canonicalise, I wish the KDCs never accepted
it...

> > I also don't know what 
> > source4/heimdal/lib/krb5/mcache.c anonymous resolving
> > is for or fixes.  Can you shed some light on this?
> 
> This is needed in order to have memory credential caches, which are not
> part of the global credential cache collection, but are still available
> to be opened by explicit name, which is the exact usage we need for any
> in-memory caches.

Yeah, that's exactly how we use them.

> The whole global credential cache collection magic seems to be very
> dangerous for applications like Samba, which need to use Kerberos on
> behalf of different unrelated identities.

Indeed.

> We already had very strange things happen with MIT, which were very
> hard to debug:
> setenv("KRB5CCNAME", "MEMORY:libads", 1) completely ignores the
> ':libads' part!
> It always iterates over *all* caches with a "MEMORY:" prefix and uses
> the first cache that has a TGT in the used realm, which may mean we
> authenticate as a completely unexpected user (maybe administrator),
> while we want to do an LDAP operation on behalf of the local machine
> account.

Yikes!  I'm still lost about what the patch is, but now I know this
much I'll be sure not to drop it! 

If you could tidy up and submit upstream that would be awesome.  I
submitted a lot of your work up already, but I don't think I can
explain the code enough for this one, it still confuses me.

Thanks so much!

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
