[3067] in Kerberos-V5-bugs
Re: krb5-libs/710: Multi-realm bug in lib/krb4/decomp_tkt.c
daemon@ATHENA.MIT.EDU (Booker Bense)
Thu Apr 8 14:21:09 1999
Date: Thu, 8 Apr 1999 11:20:54 -0700 (PDT)
From: Booker Bense <bbense@networking.stanford.edu>
To: "Theodore Y. Ts'o" <tytso@MIT.EDU>
Cc: krb5-bugs@MIT.EDU, krb5-unassigned@RT-11.MIT.EDU,
gnats-admin@RT-11.MIT.EDU, krb5-prs@RT-11.MIT.EDU
In-Reply-To: <199904081746.NAA07694@dcl>
On Thu, 8 Apr 1999, Theodore Y. Ts'o wrote:
> Date: Thu, 8 Apr 1999 09:51:40 -0700 (PDT)
> From: bbense@stanford.edu
>
> >Description:
> A library compiled on one realm will not work on another realm
> if the realm field is missing from the ticket.
> >How-To-Repeat:
> Build a kadmind to serve one realm with libkrb4 compiled with
> a different default realm.
>
> So exactly when does this happen?? I assume this is with a V4 kadmind,
> but it doesn't seem to refer to the default realm unless it can't find
> the local realm, and I can't see how that would cause the client realm
> to be NULL in the ticket in any case.
>
> That code was there only for backwards compatibility with very old
> Kerberos V4 servers that didn't fill in the client realm in the ticket,
> and that shouldn't apply to any modern systems.
>
- Well, I guess you can put KAS (i.e. AFS's Kerberos V4 server) in
that class of very old servers. If I recall correctly from the
first time I ran across this, it only occurs with service tickets
that you get directly, not with a TGT (i.e. changepw.kerberos is set
NOSEAL).
- This bug has bitten me twice, the first time it took a week to
figure out, the second time only a day. So I thought I'd send in the
patch. It seems to me to be the right thing to do, but I'm not going
to argue about it.
- IMHO, KRB_REALM should only be used in krb_get_lrealm, otherwise
what's the point of krb_get_lrealm? I note that it also appears
in
./appl/bsd/login.c
./kadmin/v4server/acl_files.c
But at least these attempt krb_get_lrealm first. Perhaps that's
what decomp_tkt.c should do.
- Booker C. Bense
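
The fallback order discussed in this thread, as an added C sketch that is not code from the krb4 sources or from either poster. It assumes a krb.conf-style text whose first line names the local realm; `get_local_realm`, `fill_realm_compiled`, `fill_realm_runtime`, `COMPILED_REALM`, the buffer size and both realm names are constructed stand-ins.

```c
#include <stdio.h>
#include <string.h>

#define REALM_SZ 40                        /* assumed realm buffer size */
#define COMPILED_REALM "BUILD.EXAMPLE.ORG" /* stand-in for build-time KRB_REALM */

/* Constructed config text: the first line is taken to be the local realm. */
static const char *sample_conf =
    "SITE.EXAMPLE.ORG\nSITE.EXAMPLE.ORG kdc.site.example.org admin server\n";

/* Hypothetical stand-in for a krb_get_lrealm()-style lookup: copy the first
 * token of the config. Returns 0 on success, -1 if missing or too long;
 * on failure the output buffer is left untouched. */
static int get_local_realm(const char *conf, char *out, size_t outsz)
{
    size_t n;
    if (conf == NULL)
        return -1;
    n = strcspn(conf, " \t\r\n");
    if (n == 0 || n >= outsz)
        return -1;
    memcpy(out, conf, n);
    out[n] = '\0';
    return 0;
}

/* Behaviour reported in the thread: an empty client realm in the ticket
 * is filled straight from the realm the library was compiled with. */
static void fill_realm_compiled(char *prealm, size_t sz)
{
    if (prealm[0] == '\0')
        snprintf(prealm, sz, "%s", COMPILED_REALM);
}

/* Order suggested in the thread: consult the site's configured local realm
 * first and use the compiled-in value only when that lookup fails. */
static void fill_realm_runtime(char *prealm, size_t sz, const char *conf)
{
    if (prealm[0] != '\0')
        return;                 /* ticket carried a realm: keep it */
    if (get_local_realm(conf, prealm, sz) != 0)
        snprintf(prealm, sz, "%s", COMPILED_REALM);
}

int main(void)
{
    char a[REALM_SZ] = "", b[REALM_SZ] = "";
    fill_realm_compiled(a, sizeof a);
    fill_realm_runtime(b, sizeof b, sample_conf);
    printf("compiled-in fallback: %s\nruntime-first fallback: %s\n", a, b);
    return 0;
}
```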