[7688] in Kerberos
Re: krb5kdc crashes with HPUX
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Sun Jul 28 11:35:56 1996
To: Sam Hartman <hartmans@MIT.EDU>
Cc: kerberos@MIT.EDU
In-Reply-To: Your message of "27 Jul 1996 19:49:52 EDT."
<tsl4tmt5k9r.fsf@tertius.mit.edu>
Date: Sun, 28 Jul 1996 02:41:38 -0400
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
> I don't know if you can get around the crashes, because I
>don't know what's causing them; we're certainly interested in fixing
>the problem and working with you to isolate it.
Ah, I see what's happening. In some cases the KDC doesn't properly
check to see if a requested principal actually exists in the database
before it tries using it. If you don't have the principals set up
correctly for cross-realm, for example, this will happen. I would
guess that if you tried forwarding a ticket between your two realms
(i.e., telnet -f), you would discover the KDC would core dump as well
(I'm guessing that because that's what happened to me :-) ).
Here's a patch that fixes this. I'm not sure if it's more proper for
the db routines to return an error if the entry isn't found.
--- src/lib/kdb/keytab.c.orig Sun Jul 28 02:20:53 1996
+++ src/lib/kdb/keytab.c Sun Jul 28 02:30:31 1996
@@ -109,6 +109,12 @@
return(kerror);
}
+ /* If we didn't find anything, return now */
+ if (n < 1) {
+ krb5_dbm_db_close_database(context);
+ return KRB5_KDB_NOENTRY;
+ }
+
/* match key */
krb5_dbm_db_get_mkey(context, id->ops, &master_key);
krb5_dbe_find_enctype(context, &db_entry, enctype, -1, kvno, &key_data);
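Review bot: the n < 1 guard covers only this one caller in keytab.c, while the lookup above it still comes back without an error when it finds zero entries. Since the message says the KDC misses this check "in some cases", either have the db routine return KRB5_KDB_NOENTRY itself or audit the other callers that go on to use db_entry. Within the added block, "return KRB5_KDB_NOENTRY;" should follow the return(kerror); style of the context line above it, and the comment would be more useful if it said that the lookup can succeed with n == 0, which is the non-obvious case being handled before krb5_dbe_find_enctype reads db_entry.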
>realms. It is important that the keys be the same, which means that
>the passwords need to be the same, and the salt type used to create
>the keys may need to be a no-realm salt. (Off the top of my head, I
>can't think of a good reason to require this if the code is
>implemented sanely, but the KDC might do something stupid like use
>the default realm as the salt instead of the realm of the principal.
>I'll play around with this today)
FWIW, once I set up cross-realm principals correctly, I was able to use v5
salt types without any problems. So I would gather this isn't an issue.
--Ken