automatic domain_realm mapping broken in 1.6?

Michael Weiser michael at weiser.dinsnail.net
Wed Jul 18 13:49:31 EDT 2007


Hi there,

I've got krb5-1.6.1 compiled and installed on Mac OS X 10.4.10, Solaris
9 SPARC32 and Solaris 10 SPARC64. On all of them it reproducibly shows
the following behaviour:

[michael@sol10 ~]$ /usr/local/bin/kinit
Password for michael@EXAMPLE.ORG: 
[michael@sol10 ~]$ /usr/local/bin/klist
Ticket cache: FILE:/tmp/krb5cc_500_OOSMW13437
Default principal: michael@EXAMPLE.ORG

Valid starting     Expires            Service principal
07/18/07 19:17:01  07/19/07 05:17:01 krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 07/19/07 19:16:58

Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

[michael@sol10 ~]$ ssh sol9
Last login: Wed Jul 18 19:17:15 2007 from sol10.example.org
Sun Microsystems Inc.   SunOS 5.9       Generic May 2002

[michael@sol9 ~]$ logout
Connection to sol9 closed.

[michael@sol10 ~]$ /usr/local/bin/klist
Ticket cache: FILE:/tmp/krb5cc_500_OOSMW13437
Default principal: michael@EXAMPLE.ORG

Valid starting     Expires            Service principal
07/18/07 19:17:01  07/19/07 05:17:01 krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 07/19/07 19:16:58
07/18/07 19:17:14  07/19/07 05:17:01  host/sol9.example.org@
        renew until 07/19/07 19:16:58

Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

Note the missing realm in the above host ticket for sol9. The
krb5.conf looks like this:

[libdefaults]
        default_realm = EXAMPLE.ORG

[realms]
        EXAMPLE.ORG = {
                kdc = kdc.example.org
                admin_server = kdc.example.org
                kpasswd_server = kdc.example.org
        }

[domain_realm]
        irix.example.com = EXAMPLE.ORG

As soon as I add

        .example.org = EXAMPLE.ORG

to [domain_realm], the following happens:

[michael@sol10 ~]$ ssh sol9
Last login: Wed Jul 18 19:17:48 2007 from sol10.example.org
Sun Microsystems Inc.   SunOS 5.9       Generic May 2002

[michael@sol9 ~]$ logout
Connection to sol9 closed.

[michael@sol10 ~]$ /usr/local/bin/klist
Ticket cache: FILE:/tmp/krb5cc_500_OOSMW13437
Default principal: michael@EXAMPLE.ORG

Valid starting     Expires            Service principal
07/18/07 19:17:01  07/19/07 05:17:01 krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 07/19/07 19:16:58
07/18/07 19:17:14  07/19/07 05:17:01  host/sol9.example.org@
        renew until 07/19/07 19:16:58
07/18/07 19:17:46  07/19/07 05:17:01 host/sol9.example.org@EXAMPLE.ORG
        renew until 07/19/07 19:16:58

Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

Note the now present realm in the new host ticket for sol9.

Also, to make the kerberised logon work at all I have to add the same
[domain_realm] entry to krb5.conf on the server. Otherwise sshd says:

Jul 18 19:12:35 sol9.example.org sshd[8107]: [ID 800047
auth.error] error: channel 0: chan_read_failed for istate 3

With -d -d -d -e it says:

debug1: Unspecified GSS failure.  Minor code may provide more
information
Wrong principal in request

debug1: Got no client credentials

The ssh in question is OpenSSH_4.6p1, OpenSSL 0.9.8e 23 Feb 2007. I've
seen similar behaviour with an openldap-2.3.36. I've seen it with a 1.5
and a 1.6.1 KDC.

The KDC logs the ticket requests including the correct realm and
ethereal shows all realm fields present and with correct values in AS_REQ,
AS_REP, TGS_REQ and TGS_REP.

I've done some gdb'ing and it seems to me as if the function
krb5-1.6.1/src/lib/krb5/os/hst_realm.c:krb5_get_host_realm should
implement using the domain part of the fqdn as a fallback for the realm
name but doesn't. This seems to make the realm be empty when saving a
ticket to the client's ticket cache.

Any hints on this one?
-- 
bye, Micha
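The [domain_realm] lookup described in the post, as an added example that is not part of the original message or of the MIT krb5 sources: a simplified model of how a host name is mapped to a realm (exact host entry first, then parent-domain entries with a leading dot, most specific first, then an optional fallback to the upper-cased domain part of the FQDN, which the reporter expects but does not observe). The function names, the case handling and the precedence rules are assumptions of this model, not a statement of what krb5_get_host_realm does.

```python
# Added example, not from the original post or from MIT krb5.
# Models the [domain_realm] mapping to show why the reporter's krb5.conf
# yields an empty realm for sol9.example.org and why ".example.org" fixes it.
# Assumptions: host names match case-insensitively, an exact host entry wins
# over ".domain" entries, the most specific ".domain" entry wins, and the
# optional fallback is the upper-cased parent domain of the FQDN.

def lookup_domain_realm(hostname, domain_realm, domain_fallback=False):
    """Return the realm for hostname, or '' when no mapping applies."""
    host = hostname.rstrip(".").lower()
    mapping = {key.lower(): value for key, value in domain_realm.items()}
    # 1. exact host-name entry, e.g. "irix.example.com = EXAMPLE.ORG"
    if host in mapping:
        return mapping[host]
    # 2. parent-domain entries, most specific first:
    #    ".sub.example.org" before ".example.org" before ".org"
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    # 3. optional fallback: upper-cased domain part of the FQDN
    if domain_fallback and len(labels) > 1:
        return ".".join(labels[1:]).upper()
    return ""


def host_principal(hostname, domain_realm, domain_fallback=False):
    """Service principal as it would appear in klist, e.g. 'host/x@REALM'."""
    realm = lookup_domain_realm(hostname, domain_realm, domain_fallback)
    return "host/%s@%s" % (hostname.rstrip(".").lower(), realm)


# Constructed from the [domain_realm] section quoted in the post.
REPORTER_CONF = {"irix.example.com": "EXAMPLE.ORG"}
# The same section with the entry the reporter added to make it work.
FIXED_CONF = {"irix.example.com": "EXAMPLE.ORG", ".example.org": "EXAMPLE.ORG"}

if __name__ == "__main__":
    # Without the ".example.org" entry the realm is empty, matching the
    # "host/sol9.example.org@" line in the first klist output.
    print(host_principal("sol9.example.org", REPORTER_CONF))
    print(host_principal("sol9.example.org", FIXED_CONF))
    print(host_principal("sol9.example.org", REPORTER_CONF, True))
```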
