[39480] in Kerberos
Re: macOS API ccache,
daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Mon Feb 17 21:41:38 2025
Message-Id: <202502180236.51I2a87U001062@hedwig.cmf.nrl.navy.mil>
To: "A. Karl Kornel" <karl@kornel.us>
cc: kerberos@mit.edu
In-Reply-To: <202502180109.51I19a6e000393@hedwig.cmf.nrl.navy.mil>
MIME-Version: 1.0
Date: Mon, 17 Feb 2025 21:36:07 -0500
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
>Thanks for digging into this!
>
>>* cc_context_create_new_ccache returned 2529639136. There we go.
Following up to myself ... I realized this actually might be a krb5
error code in unsigned form. 2529639136 is -1765328160 as a signed 32
bit integer, and THAT is:
% find . -type f -print0 | xargs -0 grep -- -1765328160
./MITKerberosShim-MITKerberosShim-87/Kerberos/krb5.h:#define KRB5_CONFIG_NODEFREALM (-1765328160L)
There's a few spots that might actually return that:
% find . -type f -print0 | xargs -0 grep KRB5_CONFIG_NODEFREALM
./Heimdal-Heimdal-693.60.3/lib/krb5/krb5_err.et:error_code KRB5_CONFIG_NODEFREALM, "Configuration file does not specify default realm"
./Heimdal-Heimdal-693.60.3/lib/krb5/get_default_realm.c: return KRB5_CONFIG_NODEFREALM;
./Heimdal-Heimdal-693.60.3/lib/krb5/get_default_realm.c: krb5_set_error_message(context, KRB5_CONFIG_NODEFREALM,
./Heimdal-Heimdal-693.60.3/lib/krb5/get_default_realm.c: return KRB5_CONFIG_NODEFREALM;
./Heimdal-Heimdal-693.60.3/lib/krb5/verify_user.c: ret = KRB5_CONFIG_NODEFREALM;
First, do you have a default_realm set in /etc/krb5.conf ? Maybe that
would fix it, and that would explain why it works for me.
In api_macos_gen_new(), we call cc_context_create_new_ccache() with:
err = cc_context_create_new_ccache(cc_context, cc_credentials_v5, "",
&cc_ccache);
The third argument is supposed to be the principal name, and I thought
"" was valid, but maybe technically it isn't, especially if you don't
have a principal name defined?
What to put in there is a bit of a puzzle, as in that API call we don't
have access to a principal name. I suspect anything that looks like
a valid Kerberos principal would work fine. Might have to look at
what others do in this situation.
--Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
