[33441] in Kerberos


Re: unwanted KRB5_GET_INIT_CREDS_OPT_CANONICALIZE flags -> INVALID

daemon@ATHENA.MIT.EDU (Marc W. Mengel)
Fri Jun 3 11:18:04 2011

Message-ID: <4DE8F5CF.1050504@fnal.gov>
Date: Fri, 03 Jun 2011 09:55:11 -0500
From: "Marc W. Mengel" <mengel@fnal.gov>
MIME-Version: 1.0
To: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <1307063212.2281.14.camel@t410>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu


Ahh, thank you for pointing me up the right tree :-)... and especially
for committing the patch.

We may indeed have to try to breach the SEP field around our KDC setup...

On 06/02/2011 08:06 PM, Greg Hudson wrote:
> On Thu, 2011-06-02 at 17:29 -0400, Marc W. Mengel wrote:
>> but when you go to request a ticket for a specific
>> host, it looks like in s4u_identify_user()
>> (http://src.mit.edu/krb5/xref/trunk/src/lib/krb5/krb/s4u_creds.c#102)
>> the options are set to have canonicalize true, and then later in
>> krb5_init_creds_init()
>> (http://src.mit.edu/krb5/xref/trunk/src/lib/krb5/krb/get_in_tkt.c#868)
>> if it's already set to true, any options in the krb5.conf in the realm
>> or what have you are ignored, because they are only checked if the
>> options word has the flag turned off.
>
> Neither of these functions is used in the TGS request path.  What
> actually happened was a change in the fallback behavior when get_creds.c
> was rewritten for 1.9.  Previously, we would retry without the
> canonicalize bit set any time we got an error from our first referral
> request, but in 1.9 we only retry if we would be doing so in a different
> realm.
>
> The old fallback behavior will be restored in 1.9.2 (I just committed
> the patch), but depending on your deployment scenario, it may be easier
> to work around this problem by patching the KDC.  It would be a very
> simple patch to validate_tgs_request() in kdc_util.c.
>
>

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
