probem with SALT_TYPE_AFS_LENGTH or "Password incorrect while getting initial credentials"
Mike Becher
Mike.Becher at lrz-muenchen.de
Tue Jun 26 06:58:52 EDT 2007
Hi *,
I've compiled and installed krb5-1.6.1 on different platforms (i586, ia64,
and x86_64) on our Linux cluster. On i586 and x86_64 it works from the
scratch. But on Linux ia64 it doesn't work. If I use the original version
I get always
mibe at lxia64: kinit
kinit(v5): Password incorrect while getting initial credentials
so I've done some debugging. It seems so that ia64 doesn't initialize
heap memory. But i586 and x86_64 does. Normally this should not be
problematic but when you use the special case with SALT_TYPE_AFS_LENGTH
then this depends on the string length of that salt. The value of
SALT_TYPE_AFS_LENGTH is -1 and in my case the salt is "lrz-muenchen.de"
which results in a string length of 15.
To make the strlen calculation reliable there must be a '\0' at the end of
the string. On ia64 platform this won't work correctly. So I have included
one patch "krb5-1.6.1-copy_data.dif" to fix this for functions
`krb5int_copy_data_contents()' and `krb5int_copy_data()'.
Here are my debugging protocoll. Our Linux cluster works in AFS cell
`lrz-muenchen.de' and our kerberos realm is `LRZ-MUENCHEN.DE'.
For the tests I use the libraries under /scratch/krb5-1.6.1/src/lib.
Here is the debugging code (fprintf(..)) which I have inserted into
`src/lib/krb5/krb/preauth2.c' to show the problem. This function will be
called by `kinit'.
root at lxia64:/scratch/krb5-1.6.1/src/lib: export LD_LIBRARY_PATH=$(pwd)
root at lxia64:/scratch/krb5-1.6.1/src/lib: vim ./krb5/krb/preauth2.c
569 static
570 krb5_error_code pa_salt(krb5_context context,
571 krb5_kdc_req *request,
572 krb5_pa_data *in_padata,
573 krb5_pa_data **out_padata,
574 krb5_data *salt, krb5_data *s2kparams,
575 krb5_enctype *etype,
576 krb5_keyblock *as_key,
577 krb5_prompter_fct prompter, void *prompter_data,
578 krb5_gic_get_as_key_fct gak_fct, void *gak_data)
579 {
580 krb5_data tmp;
581 char *p = in_padata->contents; /* only for testing */
582
583 tmp.data = in_padata->contents;
584 tmp.length = in_padata->length;
585
586 fprintf(stderr, "f=%s l=%d >> salt=\"%s\" sl=%d tmp=\"%s\" tl=%d\n",
587 __FILE__, __LINE__,
588 ((salt == NULL) || (salt->data == NULL)) ? "NULL" : salt->data,
589 (salt == NULL) ? -2 : salt->length,
590 tmp.data,
591 tmp.length
592 );
593 /* set this as string end marker, only for testing to see whats happen */
594 p[in_padata->length] = 0;
595
596 fprintf(stderr, "f=%s l=%d >> salt=\"%s\" sl=%d tmp=\"%s\" tl=%d\n",
597 __FILE__, __LINE__,
598 ((salt == NULL) || (salt->data == NULL)) ? "NULL" : salt->data,
599 (salt == NULL) ? -2 : salt->length,
600 tmp.data,
601 tmp.length
602 );
603
604 krb5_free_data_contents(context, salt);
605
606 fprintf(stderr, "f=%s l=%d >> salt=\"%s\" sl=%d tmp=\"%s\" tl=%d\n",
607 __FILE__, __LINE__,
608 ((salt == NULL) || (salt->data == NULL)) ? "NULL" : salt->data,
609 (salt == NULL) ? -2 : salt->length,
610 tmp.data,
611 tmp.length
612 );
613
614 krb5int_copy_data_contents(context, &tmp, salt);
615
616 fprintf(stderr, "f=%s l=%d >> salt=\"%s\" sl=%d tmp=\"%s\" tl=%d\n",
617 __FILE__, __LINE__,
618 ((salt == NULL) || (salt->data == NULL)) ? "NULL" : salt->data,
619 (salt == NULL) ? -2 : salt->length,
620 tmp.data,
621 tmp.length
622 );
623
624 if (in_padata->pa_type == KRB5_PADATA_AFS3_SALT)
625 salt->length = SALT_TYPE_AFS_LENGTH;
626
627 fprintf(stderr, "f=%s l=%d >> salt=\"%s\" sl=%d tmp=\"%s\" tl=%d\n",
628 __FILE__, __LINE__,
629 ((salt == NULL) || (salt->data == NULL)) ? "NULL" : salt->data,
630 (salt == NULL) ? -2 : salt->length,
631 tmp.data,
632 tmp.length
633 );
634 return(0);
635 }
root at lxia64:/scratch/krb5-1.6.1/src/lib: make
root at lxia64:/scratch/krb5-1.6.1/src/lib: klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
The output on Linux ia64 host `lxia64' with the original krb5-1.6.1
version of code:
root at lxia64:/scratch/krb5-1.6.1/src/lib: ../clients/kinit/kinit mibe
f=preauth2.c l=592 >> salt="NULL" sl=-1 tmp="lrz-muenchen.de " tl=15
f=preauth2.c l=602 >> salt="NULL" sl=-1 tmp="lrz-muenchen.de" tl=15
f=preauth2.c l=612 >> salt="NULL" sl=-1 tmp="lrz-muenchen.de" tl=15
f=preauth2.c l=622 >> salt="lrz-muenchen.de " sl=15 tmp="lrz-muenchen.de" tl=15
f=preauth2.c l=633 >> salt="lrz-muenchen.de " sl=-1 tmp="lrz-muenchen.de" tl=15
Password for mibe at LRZ-MUENCHEN.DE:
kinit(v5): Password incorrect while getting initial credentials
And there are no tickets:
root at lxia64:/scratch/krb5-1.6.1/src/lib: klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Now the patched version with the patch introduced in attachment does
this:
root at lxia64:/scratch/krb5-1.6.1/src/lib: pushd ../..
root at lxia64:/scratch/krb5-1.6.1/src/lib: patch -p1 < ../krb5-1.6.1-copy_data.dif
root at lxia64:/scratch/krb5-1.6.1/src/lib: popd
root at lxia64:/scratch/krb5-1.6.1/src/lib: make
root at lxia64:/scratch/krb5-1.6.1/src/lib: klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
root at lxia64:/scratch/krb5-1.6.1/src/lib: ../clients/kinit/kinit mibe
f=preauth2.c l=592 >> salt="NULL" sl=-1 tmp="lrz-muenchen.de " tl=15
f=preauth2.c l=602 >> salt="NULL" sl=-1 tmp="lrz-muenchen.de" tl=15
f=preauth2.c l=612 >> salt="NULL" sl=-1 tmp="lrz-muenchen.de" tl=15
f=preauth2.c l=622 >> salt="lrz-muenchen.de" sl=15 tmp="lrz-muenchen.de" tl=15
f=preauth2.c l=633 >> salt="lrz-muenchen.de" sl=-1 tmp="lrz-muenchen.de" tl=15
Password for mibe at LRZ-MUENCHEN.DE:
And now I got my tickets:
root at lxia64:/scratch/krb5-1.6.1/src/lib: klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mibe at LRZ-MUENCHEN.DE
Valid starting Expires Service principal
06/26/07 08:11:03 06/29/07 08:11:03 krbtgt/LRZ-MUENCHEN.DE at LRZ-MUENCHEN.DE
renew until 07/02/07 08:11:03
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
For me it works now on all three platforms. Hope this patch helps. It
might be that there are some other places in code which relies on that
implicit logic.
cheers,
mike
-----------------------------------------------------------------------------
Mike Becher Mike.Becher at lrz-muenchen.de
Leibniz-Rechenzentrum der http://www.lrz.de
Bayerischen Akademie der Wissenschaften phone: +49-89-35831-8721
Gruppe Hochleistungssysteme fax: +49-89-35831-9700
Boltzmannstrasse 1
D-85748 Garching bei Muenchen
Germany
-----------------------------------------------------------------------------
-------------- next part --------------
--- krb5-1.6.1/src/lib/krb5/krb/copy_data.c.orig 2007-06-26 07:36:23.135619000 +0200
+++ krb5-1.6.1/src/lib/krb5/krb/copy_data.c 2007-06-26 08:03:17.347749000 +0200
@@ -47,10 +47,11 @@
tempdata->length = indata->length;
if (tempdata->length) {
- if (!(tempdata->data = malloc(tempdata->length))) {
+ if (!(tempdata->data = malloc(tempdata->length + 1))) {
krb5_xfree(tempdata);
return ENOMEM;
}
+ memset((char *)tempdata->data, 0, tempdata->length + 1);
memcpy((char *)tempdata->data, (char *)indata->data, tempdata->length);
} else
tempdata->data = 0;
@@ -68,9 +69,10 @@
outdata->length = indata->length;
if (outdata->length) {
- if (!(outdata->data = malloc(outdata->length))) {
+ if (!(outdata->data = malloc(outdata->length + 1))) {
return ENOMEM;
}
+ memset((char *)outdata->data, 0, outdata->length + 1);
memcpy((char *)outdata->data, (char *)indata->data, outdata->length);
} else
outdata->data = 0;
More information about the Kerberos
mailing list