[39481] in Kerberos
Re: macOS API ccache, kinit for multiple principals gives internal
daemon@ATHENA.MIT.EDU (A. Karl Kornel)
Tue Feb 18 14:05:26 2025
Date: Tue, 18 Feb 2025 11:05:10 -0800
From: "A. Karl Kornel" <karl@kornel.us>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: kerberos@mit.edu
In-Reply-To: <202502180109.51I19a6e000393@hedwig.cmf.nrl.navy.mil>
Message-ID: <d168e8556609c8a469b3a9b8885a2c07@kornel.us>
On 2025-02-17 05:09 PM, Ken Hornstein wrote:
> Thanks for digging into this!
You're welcome!  It's been an interesting experience.
> <<<snip>>>
>> It took me some work, but I eventually realized that
>> cc_context_create_new_ccache wasn't an actual function, and was
>> resolving to the Kerberos Framework's context_create_new_ccache.
> 
> Right, this is detailed in the header file; it's really this macro:
> 
> #define         cc_context_create_new_ccache(context, version, principal, ccache) \
> ((context) -> functions -> create_new_ccache (context, version, principal, ccache))
Yup, that's what I discovered.
> <<<snip>>>
> However, some suggestions here.  You can get a fair amount of the source
> code for these pieces from opensource.apple.com (go under "View Releases").
> The latest OS release is 15.2, but it doesn't sound like there were
> changes that affected this behavior.  You want the "Heimdal" and
> "MITKerberosShim" packages.
I had found the Heimdal software on 
http://github.com/apple-oss-distributions/Heimdal.  I did not think to 
look for anything else, but indeed, there it is on GitHub at 
https://github.com/apple-oss-distributions/MITKerberosShim.
> It looks like this is in the MITKerberosShim package, specifically
> ccache.c.  And it looks like it calls the macro LOG_FAILURE(), which
> calls the function mshim_failure(), in misc.c.  It looks like THAT might
> turn on logging if you create the preference file
When I was stepping through assembly, LLDB was able to give me symbol 
names from the Frameworks, and I recognize `mshim_failure` in that list.
> /Library/Preferences/com.apple.MITKerberosShim
> 
> and in it set "EnableDebugging" to "true" (looks like it logs via
> syslog()).
> 
> Inside of context_create_new_ccache(), it calls:
> 
> heim_krb5_parse_name
> heim_krb5_cc_new_unique
> heim_krb5_cc_initialize
> 
> So one of those is failing and I think the log information will tell you
> which one.  From THERE ... well, there's a lot of squinting at the source
> code and seeing which function you're in to try to determine what is
> happening.  It looks like you're mostly in open-source bits so I think
> it is possible to get much closer to the issue.
Got it.  I'll remember that, in case it's needed.
~ Karl
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos