[1477] in Kerberos-V5-bugs


Kerberos V5 beta5 / DCE interoperability problem

daemon@ATHENA.MIT.EDU (Doug Engert)
Thu Jun 15 09:22:53 1995

Date: Thu, 15 Jun 95 08:22:02 CDT
From: "Doug Engert" <DEEngert@anl.gov>
To: <JOHNMA@SCO.COM>
Cc: <KRB5-BUGS@MIT.EDU>, <AUTHTF@ES.NET>

John,

We too are actively testing K5.5 and DCE interoperability! I found
the same bug you did in asn1_get.c and reported it to this list
on May 6. My diff was a little different, in that I called the
asn1buf_remains routine, much like the K5.4.x did.

(MIT has a Web page of all the mail sent to krb5-bugs, but I have
never seen any reference to it stating what its official access
policies are.)

I have since been able to get forwarded credentials, for a DCE
Security server, and use these to get AFS tokens, and to logon to
other systems.

There is still a problem with some DCE security servers which
can affect the DCE interoperability. This is the "flags" problem
which Joe Ramus referred to in his note to you. The problem is
fixed in the OSF 1.1 release, and Sandia reports that it is also
fixed in the HP 1.0.3 release. I am using the Transarc 1.0.3a
release on Solaris 2.3. They provided a new libdce.a with the
fix, but I have not heard if they have the fix for Solaris 2.4.
The IBM AIX DCE clients appear to still have the problem, since I
have an AIX 3.2.5 and its kinit -f does not work correctly. (I
have not gone looking for the fixes from IBM yet.)

There are three other problems with using forwarded credentials
and DCE:

 o All the lib routines which reference CLEANUP_PUSH should not
   pass the pointer to a pointer, but rather the pointer. Remove
   the & on all the references.

 o You may need a change to the decode_kdc.c to check the etype,
   since if you use the DCE dce_login then a K5.5 client, they
   may use different etypes.

 o The rd_cred.c at line 173 needs krb5_free_data(context,
   pdata); replaced with krb5_xfree(pdata);

All of the above have been reported to MIT. You can find a copy
of all my diffs at
ftp://achilles.ctd.anl.gov/pub/kerberos.v5/....


I also saw some notes from you on building the Windows libs. I
have not done this, but am very interested. I have not seen any
other mail about problems with this, so you may be breaking new
ground. Keep us informed.

The Kerberos RFC suggests that the realm name should be upper
case. DCE says the cell name should be lower case, and I think it
enforces it. So if you want to use DCE and K5.5, you need a lower
case name. The only place in K5 that I have seen any case
conversion is when trying to derive the realm name from the DNS
domain name, if it can't be found in the krb5.conf domain_realm
section. Don't hold me to this, but with our tests we are using a
lower case realm.



           Douglas E. Engert
           Systems Programming
           Argonne National Laboratory
           9700 South Cass Avenue
           Argonne, Illinois  60439
           (708) 252-5444

           Internet: DEEngert@anl.gov
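
The realm-case point in the message above, as an added example that is not part of the original mail or of the Kerberos sources: a simplified Python model of host-to-realm resolution, in which a domain_realm entry wins and the fallback is the upper-cased DNS domain. The lookup order, hostnames, realm names and function names are assumptions made for illustration.

```python
# Added illustration: simplified model of host-to-realm resolution.
# Hostnames, realms and the mapping table below are constructed samples.

def candidate_keys(hostname):
    """Yield lookup keys from most to least specific: the host name itself,
    then each parent domain written with a leading dot."""
    host = hostname.lower().rstrip(".")
    yield host
    rest = host
    while "." in rest:
        rest = rest.split(".", 1)[1]
        yield "." + rest

def host_realm(hostname, domain_realm):
    """Return (realm, source). An explicit domain_realm entry is used as
    written; otherwise the DNS domain is upper-cased to form the realm."""
    for key in candidate_keys(hostname):
        if key in domain_realm:
            return domain_realm[key], "domain_realm"
    host = hostname.lower().rstrip(".")
    if "." not in host:
        return None, "none"
    return host.split(".", 1)[1].upper(), "dns-fallback"

def check_dce_realm(hostname, domain_realm, dce_cell):
    """Compare the resolved realm with the DCE cell name. Realm names are
    case-sensitive, so 'CELL.EXAMPLE.ORG' does not match 'cell.example.org'."""
    realm, source = host_realm(hostname, domain_realm)
    return realm == dce_cell, realm, source

if __name__ == "__main__":
    cell = "cell.example.org"            # constructed lower-case DCE cell name
    host = "login1.cell.example.org"     # constructed host name
    # No mapping: the fallback upper-cases the domain and the names differ.
    print(check_dce_realm(host, {}, cell))
    # Explicit mapping keeps the lower-case realm the DCE cell requires.
    print(check_dce_realm(host, {".cell.example.org": cell}, cell))
```
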
