[2772] in Kerberos-V5-bugs


krb5-kdc/459: Using hierarchical cross-realm breaks getting service principals

daemon@ATHENA.MIT.EDU (Ken Hornstein)
Mon Aug 11 14:33:07 1997

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, kenh@cmf.nrl.navy.mil
Date: Mon, 11 Aug 1997 14:30:22 -0400 (EDT)
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Reply-To: kenh@cmf.nrl.navy.mil
To: krb5-bugs@MIT.EDU


>Number:         459
>Category:       krb5-kdc
>Synopsis:       The KDC will return a cross-realm ticket when it shouldn't
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Mon Aug 11 14:31:02 EDT 1997
>Last-Modified:
>Originator:     Ken Hornstein
>Organization:
Naval Research Lab
	
>Release:        1.0pl1
>Environment:
	
System: SunOS elvis 4.1.4 4 sun4c
Architecture: sun4

>Description:
	
If the KDC gets a TGS request for a principal that is unknown, it will
try to return the closest tgt available for that realm.

However, this is done for requests for tickets that are NOT tgt tickets.
Normally, this is never noticed.  However, we just added a cross-realm
ticket for the NRL.NAVY.MIL realm, and all of a sudden things started
failing with "KDC response was modified".

It turned out that on a few hosts, we hadn't placed host keys on yet (for
a variety of technical and/or political reasons).  So when the clients
would try to get a ticket for "host/foo.cmf.nrl.navy.mil@CMF.NRL.NAVY.MIL"
they would instead get back a ticket for "krbtgt/NRL.NAVY.MIL@CMF.NRL.NAVY.MIL"
which would result in the above error.

I think this is wrong, and I think the KDC should only send back the "closest"
krbtgt ticket if the request is for a krbtgt ticket (but I believe this
behavior still breaks the 1.0pl1 client code, but that's a separate issue :-) )
>How-To-Repeat:
	
Create a cross-realm entry for the realm above you, and try to get a ticket
for a non-existent principal in your realm.
>Fix:
	
Apply the following patch:

Index: kdc/do_tgs_req.c
===================================================================
diff -u -r1.1.1.1 do_tgs_req.c
--- do_tgs_req.c	1997/06/02 21:54:07	1.1.1.1
+++ do_tgs_req.c	1997/08/09 04:50:10
@@ -162,7 +162,7 @@
 	 * might be a request for a TGT for some other realm; we
 	 * should do our best to find such a TGS in this db
 	 */
-	if (firstpass && krb5_princ_size(kdc_context, request->server) == 2) {
+	if (firstpass && krb5_is_tgs_principal(request->server) == TRUE) {
 	    krb5_data *server_1 = krb5_princ_component(kdc_context, request->server, 1);
 	    krb5_data *tgs_1 = krb5_princ_component(kdc_context, tgs_server, 1);
 
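Review bot: the new test `krb5_is_tgs_principal(request->server) == TRUE` narrows the fallback from any two-component name (host/foo included) to krbtgt/REALM names, which is what the description asks for, but comparing a krb5_boolean against TRUE is redundant; `if (firstpass && krb5_is_tgs_principal(request->server)) {` says the same thing. The hunk adds no prototype or #include for krb5_is_tgs_principal, so confirm it is already declared in a header that do_tgs_req.c pulls in on the 1.0pl1 tree, otherwise this builds with an implicit declaration. The comment just above the condition ("might be a request for a TGT for some other realm") now actually matches the code, which it did not before.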
>Audit-Trail:
>Unformatted:
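As an added illustration of the behaviour the report describes (not code from the report or from MIT krb5), the following Python models the decision the patched condition controls: a TGS lookup misses, and the KDC either falls back to the "closest" cross-realm TGT or answers that the server principal is unknown. The pre-patch rule (any two-component principal) is run beside the patched rule (krbtgt/REALM only), and a minimal client check shows why a host/ request that receives a krbtgt ticket is rejected. The "closest TGT" search is simplified to a longest-shared-domain-suffix rule standing in for the real realm-tree walk, the KDC database is a constructed set of names, and the result strings are the report's own error message plus a label for the unknown-principal case; all of those are assumptions, not krb5 internals.

```python
"""Constructed model of the 'closest TGT' fallback in the krb5 1.0 KDC's
TGS path, as described in bug 459.  Not the KDC's code: the realm walk is
simplified to a longest-shared-domain-suffix rule and the database is a
small constructed set of principal names."""

from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]   # e.g. ("host", "foo.cmf.nrl.navy.mil")
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        name, realm = text.rsplit("@", 1)
        return cls(tuple(name.split("/")), realm)

    def __str__(self) -> str:
        return "/".join(self.components) + "@" + self.realm


LOCAL_REALM = "CMF.NRL.NAVY.MIL"

# Constructed KDC database.  host/foo is deliberately absent, like the hosts
# in the report that had no host key yet.
KDC_DB = {
    "krbtgt/CMF.NRL.NAVY.MIL@CMF.NRL.NAVY.MIL",
    "krbtgt/NRL.NAVY.MIL@CMF.NRL.NAVY.MIL",   # cross-realm entry for the realm above
    "host/bar.cmf.nrl.navy.mil@CMF.NRL.NAVY.MIL",
}


def is_tgs_principal(p: Principal) -> bool:
    """What the patched condition tests: a two-component krbtgt/REALM name."""
    return len(p.components) == 2 and p.components[0] == "krbtgt"


def old_fallback_ok(p: Principal) -> bool:
    """Pre-patch condition: any two-component principal, host/foo included."""
    return len(p.components) == 2


def shared_suffix_labels(a: str, b: str) -> int:
    """Trailing dot-separated labels a and b have in common (case-folded)."""
    la, lb = a.lower().split("."), b.lower().split(".")
    n = 0
    while n < len(la) and n < len(lb) and la[-1 - n] == lb[-1 - n]:
        n += 1
    return n


def closest_tgt(requested: Principal) -> Optional[Principal]:
    """Simplified stand-in for the KDC's alternate-TGT search (assumption):
    among the cross-realm krbtgt entries held, pick the one whose realm
    shares the most trailing labels with the request's second component."""
    target = requested.components[1]
    best, best_n = None, 0
    for entry in sorted(KDC_DB):
        p = Principal.parse(entry)
        if not is_tgs_principal(p) or p.components[1] == LOCAL_REALM:
            continue  # only cross-realm TGTs are candidates
        n = shared_suffix_labels(target, p.components[1])
        if n > best_n:
            best, best_n = p, n
    return best


def kdc_lookup(requested: Principal,
               fallback_ok: Callable[[Principal], bool]) -> Optional[Principal]:
    """Server principal the KDC would issue a ticket for, or None if unknown."""
    if str(requested) in KDC_DB:
        return requested
    if fallback_ok(requested):
        return closest_tgt(requested)
    return None


def client_check(requested: Principal, returned: Optional[Principal]) -> str:
    """Client side: the ticket that comes back must name the server asked for."""
    if returned is None:
        return "server principal unknown"
    if returned != requested:
        return "KDC response was modified"   # the error the report saw
    return "OK"


def scenario(name: str, fallback_ok: Callable[[Principal], bool]) -> str:
    req = Principal.parse(name)
    return client_check(req, kdc_lookup(req, fallback_ok))


if __name__ == "__main__":
    host = "host/foo.cmf.nrl.navy.mil@CMF.NRL.NAVY.MIL"
    print("before patch:", scenario(host, old_fallback_ok))
    print("after patch: ", scenario(host, is_tgs_principal))
```

With the old rule the missing host/foo principal is answered with krbtgt/NRL.NAVY.MIL and the client rejects the reply; with the patched rule the same request gets an unknown-principal answer, while a request for a krbtgt of a realm above the local one (krbtgt/NAVY.MIL here) still receives the nearest cross-realm TGT.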
