Different Heimdal/MIT behaviour of krb5_get_credentials?
Markus Moeller
huaraz at moeller.plus.com
Sun Jun 3 15:32:20 EDT 2007
I tried to run the below test (KRB5_NT_UNKNOWN in krb5_sname_to_principal)
on OpenSolaris and it fails with
Not enough space while getting credentials
I traced it to krb5_copy_keyblock_data at:
if ((to->contents == NULL || from->contents == NULL) &&
from->length > 0)
return (ENOMEM);
It is a bug, as to->contents needs to be allocated first, like:
if (!(to->contents = (krb5_octet *)malloc(from->length))) {
krb5_xfree(to);
return(ENOMEM);
}
krb5-config --version
Solaris Kerberos (based on MIT Kerberos 5 release 1.4.0)
says it is based on MIT 1.4.0, but MIT 1.4 does not have this error. Does
anybody know which release the OpenSolaris version is based on?
Thanks
Markus
"Markus Moeller" <huaraz at moeller.plus.com> wrote in message
news:f3n3ug$i6$1 at sea.gmane.org...
> I have an AD forest, MM.COM, with domains DOM1.MM.COM, DOM2.MM.COM and
> SUB.DOM2.MM.COM which all trust each other. To test the availability of
> service tickets I created the following short program:
>
> #include <string.h>
> #include <stdio.h>
> #include <stdlib.h>    /* atoi */
> #include <krb5.h>
> #ifndef HEIMDAL
> #include <com_err.h>
> #endif
>
> int main(int argc, char **argv) {
>     krb5_creds creds;
>     krb5_creds *new_creds = 0;
>     krb5_error_code kret;
>     krb5_ccache ccache;
>     krb5_context kcontext = 0;
>     char *hostname, *service;
>
>     if (argc < 3) {
>         fprintf(stderr, "Usage: %s hostname service [enctype]\n", argv[0]);
>         return(1);
>     }
>
>     hostname = strdup(argv[1]);
>     service = strdup(argv[2]);
>
>     kret = krb5_init_context(&kcontext);
>     if (kret) {
>         com_err(argv[0], kret, "while initialising context");
>         return(-1);
>     }
>
>     if ((kret = krb5_cc_default(kcontext, &ccache))) {
>         com_err(argv[0], kret, "while initialising ccache");
>         return(-1);
>     }
>
>     memset((char *)&creds, 0, sizeof(creds));
>
>     /* Build the service/hostname@REALM server principal from the arguments. */
>     if ((kret = krb5_sname_to_principal(kcontext, hostname, service,
>                                         KRB5_NT_SRV_HST, &creds.server))) {
>         com_err(argv[0], kret, "while initialising server creds");
>         return(-1);
>     }
>
>     if ((kret = krb5_cc_get_principal(kcontext, ccache, &creds.client))) {
>         krb5_free_cred_contents(kcontext, &creds);
>         com_err(argv[0], kret, "while reading principal from ccache");
>         return(-1);
>     }
>
>     /* Request a specific session key enctype (DES-CBC-MD5 unless overridden). */
> #ifdef HEIMDAL
>     creds.session.keytype = ENCTYPE_DES_CBC_MD5;
>     if (argc == 4) {
>         creds.session.keytype = atoi(argv[3]);
>     }
> #else
>     creds.keyblock.enctype = ENCTYPE_DES_CBC_MD5;
>     if (argc == 4) {
>         creds.keyblock.enctype = atoi(argv[3]);
>     }
> #endif
>
>     /* Obtain the service ticket, fetching cross-realm TGTs along the way. */
>     if ((kret = krb5_get_credentials(kcontext, 0, ccache, &creds, &new_creds))) {
>         krb5_free_cred_contents(kcontext, &creds);
>         com_err(argv[0], kret, "while getting credentials");
>         return(-1);
>     }
>
>     krb5_free_creds(kcontext, new_creds);
>     krb5_free_cred_contents(kcontext, &creds);
>     krb5_cc_close(kcontext, ccache);
>     krb5_free_context(kcontext);
>     return 0;
> }
>
> Now I try to get a krbtgt ticket for SUB.DOM2.MM.COM as user
> markus@DOM1.MM.COM.
> With Heimdal it works fine and I get the list of intermediate tickets, but
> when I use MIT I get an error message:
>
> Server not found in Kerberos database while getting credentials
>
> Does the MIT code canonicalise the name in the creds.server principal?
>
> Thanks
> Markus
> # kinit
> markus@DOM1.MM.COM's Password:
> Your password/account will expire at Sun Jun 3 00:50:39 2007
>
> kinit: NOTICE: ticket renewable lifetime is 1 week
> # ./get_service_ticket SUB.DOM2.MM.COM krbtgt
> # klist -v
> Credentials cache: FILE:/tmp/krb5cc_75228
> Principal: markus@DOM1.MM.COM
> Cache version: 4
>
> Server: krbtgt/DOM1.MM.COM@DOM1.MM.COM
> Ticket etype: arcfour-hmac-md5, kvno 1
> Auth time: May 31 14:32:06 2007
> End time: Jun 1 00:32:06 2007
> Renew till: Jun 7 14:32:06 2007
> Ticket flags: renewable, initial, pre-authenticated
> Addresses: IPv4:10.128.55.23, IPv4:172.16.155.1
>
> Server: krbtgt/MM.COM@DOM1.MM.COM
> Ticket etype: arcfour-hmac-md5
> Auth time: May 31 14:32:06 2007
> Start time: May 31 14:32:14 2007
> End time: Jun 1 00:32:06 2007
> Ticket flags: pre-authenticated, ok-as-delegate
> Addresses: IPv4:10.128.55.23, IPv4:172.16.155.1
>
> Server: krbtgt/DOM2.MM.COM@MM.COM
> Ticket etype: arcfour-hmac-md5
> Auth time: May 31 14:32:06 2007
> Start time: May 31 14:32:14 2007
> End time: Jun 1 00:32:06 2007
> Ticket flags: pre-authenticated, ok-as-delegate
> Addresses: IPv4:10.128.55.23, IPv4:172.16.155.1
>
> Server: krbtgt/SUB.DOM2.MM.COM@DOM2.MM.COM
> Ticket etype: arcfour-hmac-md5
> Auth time: May 31 14:32:06 2007
> Start time: May 31 14:32:14 2007
> End time: Jun 1 00:32:06 2007
> Ticket flags: pre-authenticated, ok-as-delegate
> Addresses: IPv4:10.128.55.23, IPv4:172.16.155.1
>
> Server: krbtgt/sub.dom2.mm.com@SUB.DOM2.MM.COM
> Ticket etype: des-cbc-md5, kvno 1
> Auth time: May 31 14:32:06 2007
> Start time: May 31 14:32:15 2007
> End time: Jun 1 00:32:06 2007
> Ticket flags: pre-authenticated
> Addresses: IPv4:10.128.55.23, IPv4:172.16.155.1
>
> # kinit
> markus@DOM1.MM.COM's Password:
> Your password/account will expire at Sun Jun 3 00:50:39 2007
>
> kinit: NOTICE: ticket renewable lifetime is 1 week
>
> # ./get_service_ticket_mit SUB.DOM2.MM.COM krbtgt
> ./get_service_ticket_mit: Server not found in Kerberos database while getting credentials
> # klist -e
> Ticket cache: FILE:/tmp/krb5cc_75228
> Default principal: markus@DOM1.MM.COM
>
> Valid starting       Expires              Service principal
> 05/31/07 12:46:31    05/31/07 22:46:31    krbtgt/DOM1.MM.COM@DOM1.MM.COM
>         renew until 06/07/07 12:46:31, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
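The ENOMEM failure described in the post comes from a keyblock copy routine that expects the destination buffer to exist instead of allocating it, while callers on the krb5_get_credentials path hand it a zeroed destination. The following is an added, self-contained illustration and is not code from MIT, Heimdal or Solaris Kerberos: the `keyblock` struct and both copy functions are hypothetical stand-ins for `krb5_keyblock` and `krb5_copy_keyblock_data`, the sample key bytes are constructed, and the enctype value is a placeholder. It puts the non-allocating variant beside the allocating one, handles the zero-length key edge case, and wipes key material before freeing the copy.

```c
/*
 * Added illustration of the krb5_copy_keyblock_data problem discussed above.
 * The struct and functions are a hypothetical stand-in for krb5_keyblock and
 * krb5_copy_keyblock_data; they are not the MIT, Heimdal or Solaris code.
 */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int enctype;            /* encryption type identifier (placeholder values here) */
    unsigned int length;    /* number of key bytes */
    uint8_t *contents;      /* key bytes; NULL when length == 0 */
} keyblock;

/* Variant mirroring the reported behaviour: it never allocates, so the
 * zero-initialised destination that callers normally pass yields ENOMEM. */
int copy_keyblock_no_alloc(const keyblock *from, keyblock *to)
{
    if ((to->contents == NULL || from->contents == NULL) && from->length > 0)
        return ENOMEM;
    to->enctype = from->enctype;
    to->length = from->length;
    if (from->length > 0)
        memcpy(to->contents, from->contents, from->length);
    return 0;
}

/* Corrected variant: the destination receives its own heap copy, so the
 * caller can free it independently of the source. */
int copy_keyblock(const keyblock *from, keyblock *to)
{
    to->enctype = from->enctype;
    to->length = 0;
    to->contents = NULL;
    if (from->length == 0)          /* empty key: nothing to allocate */
        return 0;
    if (from->contents == NULL)     /* length without bytes is a caller error */
        return EINVAL;
    to->contents = malloc(from->length);
    if (to->contents == NULL)
        return ENOMEM;
    memcpy(to->contents, from->contents, from->length);
    to->length = from->length;
    return 0;
}

/* Release a copied keyblock, overwriting key material before freeing it. */
void free_keyblock_contents(keyblock *kb)
{
    if (kb->contents != NULL) {
        volatile uint8_t *p = kb->contents;   /* volatile so the wipe is kept */
        for (unsigned int i = 0; i < kb->length; i++)
            p[i] = 0;
        free(kb->contents);
    }
    kb->contents = NULL;
    kb->length = 0;
}

/* Run both variants against a zeroed destination, as callers on the
 * krb5_get_credentials path do. Returns 1 when the non-allocating variant
 * fails with ENOMEM, the corrected variant produces an independent equal
 * copy, and an empty source copies to an empty destination; 0 otherwise. */
int demo_copy_behaviour(void)
{
    /* Constructed sample key; not a real Kerberos key. */
    uint8_t sample[8] = {0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef};
    keyblock from = {3 /* placeholder enctype */, sizeof sample, sample};
    keyblock empty = {0, 0, NULL};
    keyblock to;
    int ok = 1;

    memset(&to, 0, sizeof to);
    if (copy_keyblock_no_alloc(&from, &to) != ENOMEM)
        ok = 0;

    memset(&to, 0, sizeof to);
    if (copy_keyblock(&from, &to) != 0)
        return 0;
    if (to.length != from.length || to.contents == from.contents ||
        memcmp(to.contents, from.contents, from.length) != 0)
        ok = 0;
    free_keyblock_contents(&to);

    memset(&to, 0xff, sizeof to);   /* garbage in, to show it is reset */
    if (copy_keyblock(&empty, &to) != 0 || to.contents != NULL || to.length != 0)
        ok = 0;
    return ok;
}
```

The allocating version is the one the post's fix restores: ownership of the key bytes moves to the destination, which is what lets the library free the copied credentials without double-freeing or leaking the session key.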