krb524d and KRB524_KRB4_DISABLED

John Hascall john at iastate.edu
Wed Oct 17 12:26:27 EDT 2007


> John Hascall wrote:
> > As a part of our seemingly endless path to
> > eliminating KRB4 I was thinking I'd like
> > to replace or modify krb524d to just log
> > the request and always return an error
> > (KRB524_KRB4_DISABLED seems ideal, but as
> > near as I can tell it only is used in the
> > client code).  Has anyone gone down this
> > path before?

> I think that is reasonable.  The clients already have to expect to
> receive that value if the library was built without 524 support.
> Jeffrey Altman

I tried it, and alas, it appears that (at least some old) clients die
ugly when they get a krb5_error_code that they do not know:

% kinit
Password for john at IASTATE.EDU: 
kinit(v524): Segmentation fault

>  0 __memccpy(0x3ff800daac0, 0x14000b60a, 0x3ffc0080310, 0x3ffc0091338,
     0xffffffffffffffff) [0x3ff800d91fc]
   1 fputs(0x11ffff4d0, 0x140058bc8, 0x140058ba8, 0x140040a18, 0x100000000)
     [0x3ff800da9f8]
   2 default_com_err_proc(whoami = 0x140012140 = "kinit(v524)",
     code = -1750206200, fmt = 0x140000970 = "converting to V4 credentials",
     ap = struct {
       _a0 = 0x11fffee00
       _offset = 24
     }) ["com_err.c":87, 0x1200720cc]
   3 com_err_va(whoami = 0x140012140 = "kinit(v524)", code = -1750206200,
     fmt = 0x140000970 = "converting to V4 credentials",
     ap = struct {
       _a0 = 0x11fffee00
       _offset = 24
     }) ["com_err.c":108, 0x120072264]
   4 com_err(whoami = 0x140012140 = "kinit(v524)", code = -1750206200,
     fmt = 0x140000970 = "converting to V4 credentials")
     ["com_err.c":133, 0x120072318]
   5 try_convert524(k5 = 0x11ffff4d0) ["kinit.c":1026, 0x1200139b4]
   6 main(argc = 1, argv = 0x11ffff668) ["kinit.c":1114, 0x120013dc8]
(dbx) 

This kinit was compiled against krb5-1.2.6, which seems to know only
codes -1750206208 .. -1750206201 and not -1750206200 [KRB524_KRB4_DISABLED].


John
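
An added example, not part of the original post and not krb5 code: a bounds-checked message lookup over the code range quoted above, so that a code one past the end of the table (-1750206200) produces a fallback string instead of an out-of-range read. The table contents and the names `table_index` and `safe_error_message` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Range taken from the post: the old client knows eight codes,
 * -1750206208 .. -1750206201. The message strings are constructed
 * placeholders, not the real krb524 error texts. */
#define TABLE_BASE  (-1750206208LL)
#define TABLE_COUNT 8

static const char *const old_table[TABLE_COUNT] = {
    "placeholder message 0", "placeholder message 1",
    "placeholder message 2", "placeholder message 3",
    "placeholder message 4", "placeholder message 5",
    "placeholder message 6", "placeholder message 7",
};

/* Index of code within the table, or -1 when it lies outside it.
 * The subtraction is done in long long so it cannot overflow. */
int table_index(int code)
{
    long long off = (long long)code - TABLE_BASE;
    return (off >= 0 && off < TABLE_COUNT) ? (int)off : -1;
}

/* Always returns a valid string: the table entry when the code is
 * known, otherwise a fallback written into the caller's buffer. */
const char *safe_error_message(int code, char *buf, size_t buflen)
{
    int idx = table_index(code);
    if (idx >= 0)
        return old_table[idx];
    snprintf(buf, buflen, "Unknown code %d", code);
    return buf;
}

int main(void)
{
    char buf[64];
    /* -1750206200 is the value the post gives for KRB524_KRB4_DISABLED. */
    int codes[] = { -1750206208, -1750206201, -1750206200 };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++)
        printf("kinit(v524): %s converting to V4 credentials\n",
               safe_error_message(codes[i], buf, sizeof buf));
    return 0;
}
```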


