krb5 commit [krb5-1.12]: Log service princ in KDC more reliably
Tom Yu
tlyu at MIT.EDU
Wed Jan 8 22:30:37 EST 2014
https://github.com/krb5/krb5/commit/2eb5cc575aa08b0b4c233c55cf378a5637717a90
commit 2eb5cc575aa08b0b4c233c55cf378a5637717a90
Author: rbasch <probe at tardis.internal.bright-prospects.com>
Date: Mon Dec 16 10:54:41 2013 -0500
Log service princ in KDC more reliably
Under some error conditions, the KDC would log "<unknown server>" for
the service principal because service principal information is not yet
available to the logging functions. Set the appropriate variables
earlier.
do_as_req.c: After unparsing the client, immediately unparse the
server before searching for the client principal in the KDB.
do_tgs_req.c: Save a pointer to the client-requested service
principal, to make sure it gets logged if an error happens before
search_sprinc() successfully completes.
[tlyu at mit.edu: commit message; fix TGS to catch more error cases]
(cherry picked from commit f37067776f9431879769f3874fdab6120ba3f155)
ticket: 7802
src/kdc/do_as_req.c | 25 +++++++++++++------------
src/kdc/do_tgs_req.c | 5 +++++
2 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 268d4f4..95c3e23 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -555,6 +555,19 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
}
limit_string(state->cname);
+ if (!state->request->server) {
+ state->status = "NULL_SERVER";
+ errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ goto errout;
+ }
+ if ((errcode = krb5_unparse_name(kdc_context,
+ state->request->server,
+ &state->sname))) {
+ state->status = "UNPARSING_SERVER";
+ goto errout;
+ }
+ limit_string(state->sname);
+
/*
* We set KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY as a hint
* to the backend to return naming information in lieu
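Review bot: The relocated NULL_SERVER and UNPARSING_SERVER exits now run before `au_state->stage = SRVC_PRINC;`, which stays at its old position in the second do_as_req.c hunk. An audit record for these two failures will therefore carry whatever stage was set earlier in process_as_req, which is not visible in this hunk. If the audit stage is meant to identify a service-principal failure, that should be confirmed or set at the new site. A comment above the new block would also help, for example `/* Unparse the server name now so errout can log it even if the client lookup fails. */`, since the ordering is the whole point of the change. process_as_req starts and ends outside the hunk.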
@@ -604,18 +617,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
au_state->stage = SRVC_PRINC;
- if (!state->request->server) {
- state->status = "NULL_SERVER";
- errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
- goto errout;
- }
- if ((errcode = krb5_unparse_name(kdc_context,
- state->request->server,
- &state->sname))) {
- state->status = "UNPARSING_SERVER";
- goto errout;
- }
- limit_string(state->sname);
s_flags = 0;
setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE)) {
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index c12de2b..5cfe0b6 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -145,6 +145,9 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
session_key.contents = NULL;
retval = decode_krb5_tgs_req(pkt, &request);
+ /* Save pointer to client-requested service principal, in case of errors
+ * before a successful call to search_sprinc(). */
+ sprinc = request->server;
if (retval)
return retval;
if (request->msg_type != KRB5_TGS_REQ) {
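Review bot: `sprinc = request->server;` dereferences `request` before `retval` from decode_krb5_tgs_req() is checked, so a TGS-REQ that fails to decode reaches this read with `request` in whatever state the decoder left it. That state is likely NULL or unset, though the initialisation of `request` is outside the hunk. Because the packet comes from the network, this could let a malformed request crash the KDC; move the assignment below the check, so that `if (retval) return retval;` comes first and `sprinc = request->server;` follows it. The second assignment after kdc_find_fast() in the next hunk has the same ordering ahead of `if (errcode !=0)` and is only safe if kdc_find_fast() leaves `request` valid on failure, which its comment should state. process_tgs_req continues outside both hunks.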
@@ -202,6 +205,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
scratch.data = (char *) pa_tgs_req->contents;
errcode = kdc_find_fast(&request, &scratch, subkey,
header_ticket->enc_part2->session, state, NULL);
+ /* Reset sprinc because kdc_find_fast() can replace request. */
+ sprinc = request->server;
if (errcode !=0) {
status = "kdc_find_fast";
goto cleanup;