Crash in sendto_kdc.c

Puran Chand puran157 at gmail.com
Mon Feb 12 23:44:57 EST 2018


Hi,

I am developing an application for Windows which does KCD.

I have compiled the krb5 code for Windows after checking out the krb5-1.16
branch and am using those DLLs in my application.

The flow is as follows:

1. Get the TGT for the service account.
2. Acquire an impersonation token using the GSS-API; this involves
calling gss_acquire_cred() and gss_acquire_cred_impersonate_name(), in that
order.
3. Get the token. The GSS API calls used for this
are gss_init_sec_context() and gss_delete_sec_context().

The code works fine and generates a token most of the time, but once in a
while it crashes, and the crash happens in the library.

The detailed API calls are as follows (removed the error checking to keep
it short):

1. Get TGT code:

krb5_context krb_context;
krb5_principal client_principal; //service account
krb5_creds creds;
krb5_keytab keytab;
krb5_ccache ccache;
krb5_init_context(&krb_context);
krb5_cc_default(krb_context, &ccache);
krb5_parse_name_flags(krb_context, service_un,
KRB5_PRINCIPAL_PARSE_ENTERPRISE | KRB5_PRINCIPAL_PARSE_REQUIRE_REALM,
&client_principal);
krb5_get_init_creds_password(krb_context, &creds, client_principal ,
service_password, NULL, NULL, 0, NULL, NULL);
krb5_cc_initialize(krb_context, ccache, client_principal);
krb5_cc_store_cred(krb_context, ccache, &creds);


2. Get Impersonation token

gss_buffer_desc buf;
gss_OID_set_desc mechs;
gss_buffer_desc user_cred_token;
user_cred_token.length = 0;
user_cred_token.value = NULL;

mechs.elements = (gss_OID)gss_mech_krb5;
mechs.count = 1;
gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
&mechs, &impersonator_cred_handle, NULL, NULL);
gss_acquire_cred_impersonate_name(&minor, impersonator_cred_handle, user,
GSS_C_INDEFINITE, &mechs, GSS_C_INITIATE, &user_cred_handle, NULL, NULL);


3. Get token

gss_init_sec_context(&minor, user_cred_handle, &initiator_context,
TargetSpn, (gss_OID) gss_mech_krb5 ,
GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_MUTUAL_FLAG,
GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_BUFFER,
NULL, &token, NULL, &time_rec);
gss_delete_sec_context(&minor, &initiator_context, NULL);

As I mentioned above, this works well most of the time, except I see
crashes happening frequently when the process is serving tokens for multiple
users using the same service account.

The crash stack traces are as follows (yes, there are 2 crashes, happening
at gss_acquire_cred_impersonate_name and gss_init_sec_context):

service_tcp_write::sendto_kdc.c:1113 address::0x7446B388
service_dispatch::sendto_kdc.c:1064 address::0x7446CFF4
service_fds::sendto_kdc.c:1423 address::0x7446D638
k5_sendto::sendto_kdc.c:1518 address::0x74469FC8
krb5_sendto_kdc::sendto_kdc.c:507 address::0x744697C0
krb5_get_cred_via_tkt_ext::gc_via_tkt.c:377 address::0x74470350
krb5_get_self_cred_from_kdc::s4u_creds.c:586 address::0x744CDC14
krb5_get_credentials_for_user::s4u_creds.c:705 address::0x744CC734
kg_impersonate_name::s4u_gss_glue.c:77 address::0x74604850
krb5_gss_acquire_cred_impersonate_name::s4u_gss_glue.c:156 address::0x746042B4
gss_add_cred_impersonate_name::g_acquire_cred_imp_name.c:421 address::0x745E1B6C
gss_acquire_cred_impersonate_name::g_acquire_cred_imp_name.c:182 address::0x745E17A4

service_tcp_write::sendto_kdc.c:1113 address::0x7446B388
service_dispatch::sendto_kdc.c:1064 address::0x7446CFF4
service_fds::sendto_kdc.c:1423 address::0x7446D638
k5_sendto::sendto_kdc.c:1518 address::0x74469FC8
krb5_sendto_kdc::sendto_kdc.c:507 address::0x744697C0
krb5_tkt_creds_get::get_creds.c:1194 address::0x744627C8
krb5_get_credentials::get_creds.c:1272 address::0x74462488
get_credentials::init_sec_context.c:196 address::0x745F6FF4
kg_new_connection::init_sec_context.c:587 address::0x745F7CE4
krb5_gss_init_sec_context_ext::init_sec_context.c:987 address::0x745F6944
krb5_gss_init_sec_context::init_sec_context.c:1103 address::0x745F6868
gss_init_sec_context::g_init_sec_context.c:215 address::0x745D8B50

Any help with this is highly appreciated. Please let me know if anything
is missing; I would be happy to provide more details.

Puran
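
Added example (not part of the original post and not krb5 project code): a small Python triage helper that parses the two stack traces from the message and separates the frames both crashes share from the callers that differ. The names parse and triage are hypothetical; the frame data is copied from the post.

```python
import re
from itertools import takewhile
# Frames copied from the post, innermost first; one is wrapped over two lines on purpose.
TRACE_IMPERSONATE = """
service_tcp_write::sendto_kdc.c:1113 address::0x7446B388
service_dispatch::sendto_kdc.c:1064 address::0x7446CFF4
service_fds::sendto_kdc.c:1423 address::0x7446D638
k5_sendto::sendto_kdc.c:1518 address::0x74469FC8
krb5_sendto_kdc::sendto_kdc.c:507 address::0x744697C0
krb5_get_cred_via_tkt_ext::gc_via_tkt.c:377 address::0x74470350
krb5_get_self_cred_from_kdc::s4u_creds.c:586 address::0x744CDC14
krb5_get_credentials_for_user::s4u_creds.c:705 address::0x744CC734
kg_impersonate_name::s4u_gss_glue.c:77 address::0x74604850
krb5_gss_acquire_cred_impersonate_name::s4u_gss_glue.c:156
address::0x746042B4
gss_add_cred_impersonate_name::g_acquire_cred_imp_name.c:421 address::0x745E1B6C
gss_acquire_cred_impersonate_name::g_acquire_cred_imp_name.c:182 address::0x745E17A4
"""
TRACE_INIT_CTX = """
service_tcp_write::sendto_kdc.c:1113 address::0x7446B388
service_dispatch::sendto_kdc.c:1064 address::0x7446CFF4
service_fds::sendto_kdc.c:1423 address::0x7446D638
k5_sendto::sendto_kdc.c:1518 address::0x74469FC8
krb5_sendto_kdc::sendto_kdc.c:507 address::0x744697C0
krb5_tkt_creds_get::get_creds.c:1194 address::0x744627C8
krb5_get_credentials::get_creds.c:1272 address::0x74462488
get_credentials::init_sec_context.c:196 address::0x745F6FF4
kg_new_connection::init_sec_context.c:587 address::0x745F7CE4
krb5_gss_init_sec_context_ext::init_sec_context.c:987 address::0x745F6944
krb5_gss_init_sec_context::init_sec_context.c:1103 address::0x745F6868
gss_init_sec_context::g_init_sec_context.c:215 address::0x745D8B50
"""
# function::file:line, then the address, which may have wrapped onto the next line.
FRAME = re.compile(r"(\w+)::([\w.]+):(\d+)\s+address::(0x[0-9A-Fa-f]+)")

def parse(trace):
    """Return [(function, file, line, address)] in trace order."""
    return [(fn, src, int(ln), int(addr, 16)) for fn, src, ln, addr in FRAME.findall(trace)]

def triage(trace_a, trace_b):
    """Split two crash stacks into the shared inner frames and the differing callers."""
    a, b = parse(trace_a), parse(trace_b)
    shared = [x for x, _ in takewhile(lambda p: p[0] == p[1], zip(a, b))]
    return {"crash_site": shared[0][:3] if shared else None, "shared": [f[0] for f in shared],
            "callers_a": [f[0] for f in a[len(shared):]], "callers_b": [f[0] for f in b[len(shared):]]}

if __name__ == "__main__":
    for key, value in triage(TRACE_IMPERSONATE, TRACE_INIT_CTX).items():
        print(f"{key}: {value}")
```

Both traces share their five innermost frames, ending at service_tcp_write (sendto_kdc.c:1113), so the two crashes reach the same KDC transport code from different GSS entry points.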

