[2866] in Kerberos-V5-bugs
krb5-kdc/537: Multi realm support does not work for V4 compatibility tickets
daemon@ATHENA.MIT.EDU (Tony Mione)
Mon Jan 26 15:26:33 1998
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, mione@boeing.rutgers.edu
Date: Mon, 26 Jan 1998 15:25:05 -0500 (EST)
From: Tony Mione <mione@boeing.rutgers.edu>
Reply-To: mione@boeing.rutgers.edu
To: krb5-bugs@MIT.EDU
>Number: 537
>Category: krb5-kdc
>Synopsis: Multi realm support does not work for V4 compatibility tickets
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Jan 26 15:26:01 EST 1998
>Last-Modified:
>Originator: Tony Mione
>Organization:
Tony Mione, RUCS/NS, Rutgers University, Hill 055, Piscataway, NJ - 732-445-0650
mione@nbcs-ns.rutgers.edu W3: http://www-ns.rutgers.edu/~mione/
PGP Fingerprint : E2 25 2C CD 28 73 3C 5B 0B 91 8A 4E 22 BA FA 9F
Editorial Advisor for Digital Systems Report ***** Important: John 17:3 *****
>Release: 1.0pl4
>Environment:
System: SunOS boeing.rutgers.edu 5.5.1 Generic_103640-05 sun4u sparc SUNW,Ultra-1
Architecture: sun4
>Description:
When using a kdc for more than one realm, the kdc searches the
wrong database for principals in a V4 request. It searches the
database from the realm referenced in the previous V5 request.
>How-To-Repeat:
Build kerberos with V4 compatibility support
(KRB5_KRB4_COMPAT). Set up 2 realms and create a couple of principals in each
realm (do not create the same principal(s) for each realm). Now request a
V5 ticket with kinit. Then request a V4 ticket using a test client that
only requests V4 tickets (calls krb_get_in_tkt(), not
krb5_get_in_tkt_with_password(), etc.).
If the same principal exists in both realms (but the passwords are
different), you should receive a BAD_INTEGRITY return. If the same principal is
not in both realms, you should get KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN.
>Fix:
Patch dispatch.c to set up the realm context variable
(kdc_active_realm) before calling process_v4(). In kerberos_v4.c, do not
check local_realm in process_v4. Always reset it from
master_princ->realm.data.
=================================CUT HERE================================
*** dispatch.c 1997/12/27 01:39:37 1.1
--- dispatch.c 1997/12/27 01:48:05
***************
*** 29,34 ****
--- 29,42 ----
#include "extern.h"
#include "adm_proto.h"
+ /* Need these for realm setup later /ANM */
+ #ifdef KRB5_KRB4_COMPAT
+ #include <kerberosIV/krb.h>
+ #include <kerberosIV/prot.h>
+
+ extern kdc_realm_t *find_realm_data( char *, krb5_ui_4 );
+ #endif
+
krb5_error_code
dispatch(pkt, from, portnum, response)
krb5_data *pkt;
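Review bot: the hand-written extern for find_realm_data in this hunk duplicates a prototype that belongs in the KDC's own header (this file already includes "extern.h"); a local extern silently drifts if the real signature changes, so move the declaration into extern.h and check that the argument types given here (char *, krb5_ui_4) match the definition.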
***************
*** 65,72 ****
}
}
#ifdef KRB5_KRB4_COMPAT
! else if (pkt->data[0] == 4) /* old version */
! retval = process_v4(pkt, from, portnum, response);
#endif
else
retval = KRB5KRB_AP_ERR_MSG_TYPE;
--- 73,102 ----
}
}
#ifdef KRB5_KRB4_COMPAT
! else if (pkt->data[0] == 4) { /* old version */
! char realm_name[1024];
! kdc_realm_t *newrealm;
! KTEXT_ST v4_pkt;
! KTEXT_ST *v4p_pkt;
!
! /*
! * Build a v4 style packet. Grab the realm name.
! * Then use find_realm_data to get the correct realm information
! * structure. Finally, that is the value to which we should set
! * kdc_active_realm. This will allow process_v4 to find the
! * correct realm info.
! */
! v4_pkt.length = pkt->length;
! memcpy( v4_pkt.dat, pkt->data, pkt->length);
! v4p_pkt = &v4_pkt;
! strcpy ( realm_name, (char *) pkt_a_realm ( v4p_pkt ) );
! newrealm = find_realm_data (realm_name, (krb5_ui_4) strlen ( realm_name ) );
! if ( newrealm ) {
! kdc_active_realm = newrealm;
! }
!
! retval = process_v4(pkt, from, portnum, response);
! }
#endif
else
retval = KRB5KRB_AP_ERR_MSG_TYPE;
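Review bot: both copies in this hunk are unbounded on data that arrives in an unauthenticated packet. memcpy( v4_pkt.dat, pkt->data, pkt->length) never checks that pkt->length fits v4_pkt.dat, and strcpy ( realm_name, (char *) pkt_a_realm ( v4p_pkt ) ) copies a realm string of whatever length the packet carries into the 1024-byte stack buffer realm_name; reject a packet whose length exceeds sizeof(v4_pkt.dat) before copying, and use a length-bounded copy (with explicit NUL termination) for the realm. Separately, when find_realm_data returns NULL the code falls through with kdc_active_realm still pointing at the previous request's realm, which is the cross-realm carry-over this report describes; set retval to an error and skip process_v4 in that case rather than processing the request against the stale realm.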
***************
*** 76,78 ****
--- 106,109 ----
return retval;
}
+
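Review bot: this hunk only appends a blank line at the end of dispatch.c; drop it from the patch so the change is limited to the V4 dispatch logic.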
=================================CUT HERE================================
*** kerberos_v4.c 1997/12/27 01:33:41 1.1
--- kerberos_v4.c 1997/12/27 01:36:00
***************
*** 171,184 ****
--- 171,193 ----
if ((retval = krb5_timeofday(kdc_context, (krb5_timestamp *) &kerb_time.tv_sec)))
return(retval);
+ /*
+ * Do this (set local_realm) each time (not just the first time)
+ * so we have the correct realm info with which to process
+ * the request. /ANM 26-Dec-1997
+ */
+ #if 0
if (!*local_realm) { /* local-realm name already set up */
/* XXX assumes realm is null-terminated! */
+ #endif
lrealm = master_princ->realm.data;
if (strlen(lrealm) < sizeof(local_realm))
strcpy(local_realm, lrealm);
else
retval = KRB5_CONFIG_NOTENUFSPACE;
+ #if 0
}
+ #endif
/* convert client_fulladdr to client_sockaddr:
*/
client_sockaddr.sin_family = AF_INET;
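Review bot: the #if 0 wrappers leave the disabled "if (!*local_realm) {" line, its now-stale comment "/* local-realm name already set up */" and the orphaned closing brace in the source as dead code with misleading indentation; delete those lines outright instead of fencing them off. Also, the else branch sets retval = KRB5_CONFIG_NOTENUFSPACE but the visible lines show no return after it, unlike the krb5_timeofday check just above; if processing continues, local_realm still holds the previous request's realm, which is exactly the condition this patch is meant to remove, so follow the assignment with return(retval).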
=================================CUT HERE================================
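An added C illustration, not code from this report or from MIT krb5, of selecting the KDC realm per V4 request the way the patch does it beside a bounded, fail-closed variant. The realm table, the realm names, and every name ending in _demo are constructed stand-ins; REALM_NAME_MAX stands for the 1024-byte realm_name buffer in the patch.

```c
/* Added illustration, not code from the report or MIT krb5; names ending
 * in _demo and the realm table are constructed stand-ins. */
#include <string.h>
#define REALM_NAME_MAX 1024   /* size of the patch's realm_name buffer */
typedef struct { const char *name; const char *db; } kdc_realm_demo_t;
/* Constructed stand-in for the KDC's per-realm data. */
static kdc_realm_demo_t realms_demo[] = {
    { "ATHENA.EXAMPLE",  "athena-db"  },
    { "RUTGERS.EXAMPLE", "rutgers-db" },
};
/* Mirrors kdc_active_realm: still points at the previous request's realm. */
static kdc_realm_demo_t *active_realm_demo = &realms_demo[1];

static kdc_realm_demo_t *find_realm_demo(const char *name, size_t len)
{
    size_t i;
    for (i = 0; i < sizeof realms_demo / sizeof realms_demo[0]; i++)
        if (strlen(realms_demo[i].name) == len &&
            memcmp(realms_demo[i].name, name, len) == 0)
            return &realms_demo[i];
    return NULL;
}

/* As patched: a lookup miss keeps the previous request's realm, so the
 * V4 request is served from the wrong database. */
const char *v4_realm_db_patch(const char *req_realm)
{
    kdc_realm_demo_t *r = find_realm_demo(req_realm, strlen(req_realm));
    if (r)
        active_realm_demo = r;
    return active_realm_demo->db;
}

/* Hardened: bound the copy to the buffer and reject an unknown realm
 * instead of inheriting stale state. Returns 0 on success, -1 otherwise. */
int v4_realm_db_checked(const char *req_realm, size_t req_len, const char **db)
{
    char realm_name[REALM_NAME_MAX];
    kdc_realm_demo_t *r;
    if (req_len >= sizeof realm_name)
        return -1;                 /* would overflow realm_name */
    memcpy(realm_name, req_realm, req_len);
    realm_name[req_len] = '\0';
    r = find_realm_demo(realm_name, req_len);
    if (!r)
        return -1;                 /* unknown realm: fail closed */
    active_realm_demo = r;
    *db = r->db;
    return 0;
}
```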
>Audit-Trail:
>Unformatted: