MIT Kerberos 5 v1.9.1 krb5_set_password_using_ccache() fails with Windows 2003 R2

Mark R Bannister mark at proseconsulting.co.uk
Mon Nov 14 08:04:00 EST 2011


On 11/09/2011 02:50 PM, Greg Hudson wrote:
> On 11/09/2011 08:40 AM, Mark R Bannister wrote:
> > This implies to me that Windows 2003 R2 has a bug.  It ought to be ignoring bit
> > 15 in a TGS-REQ, but this would not appear to be the case.
> 
> The canonicalize bit is still meaningful for TGS requests; see section 8
> on server referrals.  The text you quoted is about alias
> canonicalization, not referrals to another realm.

I'm not sure section 8 applies in this case, there should be no referral as
there's only one realm in play here.

> > However, what's the rationale for the change in behaviour to MIT Kerberos v5? 
> > Why is MIT Kerberos now setting KDC option bit 15 on a TGS-REQ for a changepw? 
> > Evidence shows that previous versions did not set this bit.
> 
> Starting with version 1.6, we set the canonicalize bit on TGS requests
> in order to support server referrals to other realms.  In many error
> cases, we fall back to a request without the canonicalize bit; there is
> a bug in 1.9 and 1.9.1 (fixed in 1.9.2, which was issued very recently)
> which reduces the number of cases where we make that fallback.  I'm
> guessing that bug is the source of your problems:
> 
> http://krbdev.mit.edu/rt/Ticket/Display.html?id=6917&user=guest&pass=guest
> 
> although the situation in your case seems to be more complicated.

I've installed v1.9.2 from
http://buildfarm.opencsw.org/experimental.html#kerberos and re-tested.  I get
exactly the same problem:

# /usr/local/sbin/msktutil -c --delegation --user-creds-only -k /etc/krb5/krb5.keytab
No computer account for myhost found, creating a new one.
dn: cn=myhost,CN=Computers,DC=mytest,DC=net
Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for
requested realm)
Error: set_password failed

# ldd /usr/local/sbin/msktutil | grep libkrb5.so
        libkrb5.so.3 =>  /opt/csw/lib/libkrb5.so.3

# /usr/ccs/bin/nm /opt/csw/lib/libkrb5.so.3 | grep using_ccache
[2392]  |    473956|     225|FUNC |GLOB |0    |12     |krb5_set_password_using_ccache

# grep /opt/csw/lib/libkrb5.so.3 /var/sadm/install/contents
/opt/csw/lib/libkrb5.so.3=libkrb5.so.3.3 s none CSWlibkrb5-3
/opt/csw/lib/libkrb5.so.3.3 f none 0644 root bin 1523800 5740 1320859927 CSWlibkrb5-3

# pkgparam CSWlibkrb5-3 VERSION
1.9.2,REV=2011.11.09


Analysing network packets (captured with snoop, dumped with tshark) shows:

------------------------------------------------------------
Kerberos TGS-REQ
...
    padata: PA-TGS-REQ
        Type: PA-TGS-REQ (1)
...
                Ticket
                    Tkt-vno: 5
                    Realm: MYTEST.NET
                    Server Name (Unknown): krbtgt/MYTEST.NET
                        Name-type: Unknown (0)
                        Name: krbtgt
                        Name: MYTEST.NET
...
    KDC_REQ_BODY
...
        KDCOptions: 40810000 (Forwardable, Renewable, Canonicalize)
...
        Realm: MYTEST.NET
        Server Name (Unknown): kadmin/changepw
            Name-type: Unknown (0)
            Name: kadmin
            Name: changepw
        till: 2011-11-14 22:26:31 (UTC)
------------------------------------------------------------
Kerberos TGS-REP
    Record Mark: 1306 bytes
        0... .... .... .... .... .... .... .... = Reserved: Not set
        .000 0000 0000 0000 0000 0101 0001 1010 = Record Length: 1306
    Pvno: 5
    MSG Type: TGS-REP (13)
    Client Realm: MYTEST.NET
    Client Name (Principal): ldap
        Name-type: Principal (1)
        Name: ldap
    Ticket
        Tkt-vno: 5
        Realm: MYTEST.NET
        Server Name (Service and Instance): krbtgt/MYTEST.NET
            Name-type: Service and Instance (2)
            Name: krbtgt
            Name: MYTEST.NET
------------------------------------------------------------

So we provide a valid TGT for the MYTEST.NET realm, and request a kadmin/changepw
ticket in the same realm.  Instead of being given a kadmin/changepw ticket in the
response, we're being given another TGT for the same realm.

As I indicated at the start of this thread, if kdc option bit 15 (canonicalize)
is cleared everything works fine, as demonstrated using Kerberos libraries v1.4.4
on Solaris 10 (and v1.6.1 on RHEL 5.5).

It appears that this is a new bug...

Thanks,
Mark Bannister.







More information about the Kerberos mailing list