[krbdev.mit.edu #8277] iprop can choose wrong realm
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Mon Nov 23 12:01:39 EST 2015
The following parts of the code need to be modified to always use the
correct realm:
* kprop.c:get_tickets(), which currently uses sn2princ on the local
hostname, and substitutes the default realm (not the -r realm value)
if it gets back the referral realm. That function also uses sn2princ
on the server hostname, but ignores the realm as it is making an AS
request.
* kpropd.c:do_iprop(), which currently uses krb5_get_default_realm()
to look up the master service principal, ignoring the -r realm value.
It also uses sn2princ on the local hostname, substituting the default
realm (again, not the -r realm value) if it gets back the referral
realm.
* kpropd.c:parse_args(), which currently uses sn2princ on the local
hostname, and substitutes the -r realm value if given. If it gets
back the referral realm and no -r realm value is given, the server
principal will have no realm.
We are adding krb5_expand_hostname() from Heimdal, but (a) the
initial solution to this bug should probably not use a new API so
that it can be backported, and (b) we really want an sn2princ-like
API for most of these parts of the code, just not with the realm
lookup.
More information about the krb5-bugs
mailing list