master_kdc is now required?

Ben Creech bpcreech at eos.ncsu.edu
Thu Aug 21 13:29:32 EDT 2003


krb5/src/lib/krb5/os/locate_kdc.c differs between KfW 2.5.0 and krb5 1.3.1 
- it's newer in KfW.  I guess KfW isn't exactly the same as krb5 1.3.1.

Looks like:
<http://diswww.mit.edu:8008/menelaus.mit.edu/cvs-krb5/17408>
got included, but
<http://diswww.mit.edu:8008/menelaus.mit.edu/cvs-krb5/17409>
didn't.

Either way, the error message needs to be fixed.  The following should do 
it, I think.  This just makes krb5_get_init_creds_password() return the 
error message from the slave kdc (such as "principal not found" or "decrypt 
integrity check failed") if the master cannot be located in krb5.conf.

This could alternatively be fixed in locate_kdc(), perhaps by making the 
function default to an arbitrary kdc if the master_kdc field isn't found.
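To make the fallback described above concrete, here is a small C model of the retry-against-master step. It is an added illustration, not code from this message or from krb5: the error names follow the identifiers used here, but their numeric values are arbitrary placeholders, KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN and KRB5KRB_AP_ERR_BAD_INTEGRITY are assumed stand-ins for the two error messages quoted, and the set of errors that triggers a retry is simplified. The `with_patch` flag toggles the extra KRB5_REALM_UNKNOWN case so the caller-visible result can be compared before and after.

```c
#include <stdio.h>

/*
 * Constructed model of the retry-against-master step in
 * krb5_get_init_creds_password().  Error names follow the message; the
 * numeric values are placeholders, NOT the real com_err codes, and the
 * retry trigger list below is an assumption for this model.
 */
enum krb_err {
    KRB5_OK = 0,
    KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN,  /* "principal not found" */
    KRB5KRB_AP_ERR_BAD_INTEGRITY,     /* "decrypt integrity check failed" */
    KRB5_KDC_UNREACH,                 /* master could not be contacted */
    KRB5_REALM_UNKNOWN,               /* master_kdc missing from krb5.conf (per the message) */
    KRB5_REALM_CANT_RESOLVE           /* master hostname did not resolve */
};

static const char *describe(enum krb_err e)
{
    switch (e) {
    case KRB5_OK:                         return "success";
    case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: return "principal not found";
    case KRB5KRB_AP_ERR_BAD_INTEGRITY:    return "decrypt integrity check failed";
    case KRB5_KDC_UNREACH:                return "cannot contact any KDC";
    case KRB5_REALM_UNKNOWN:              return "realm/master_kdc not in krb5.conf";
    case KRB5_REALM_CANT_RESOLVE:         return "cannot resolve KDC hostname";
    }
    return "?";
}

/* Does ret2 mean "the master was never located or contacted", as opposed
 * to an actual answer from the master?  with_patch == 1 includes the
 * KRB5_REALM_UNKNOWN case the posted hunk adds. */
static int master_unlocatable(enum krb_err ret2, int with_patch)
{
    if (ret2 == KRB5_KDC_UNREACH || ret2 == KRB5_REALM_CANT_RESOLVE)
        return 1;
    return with_patch && ret2 == KRB5_REALM_UNKNOWN;
}

/* slave_ret: error from the first KDC tried; master_ret: outcome of the
 * retry against the master, including lookup failures.  Returns the error
 * the caller of krb5_get_init_creds_password() ends up seeing. */
enum krb_err final_error(enum krb_err slave_ret, enum krb_err master_ret,
                         int with_patch)
{
    /* Only answers that might be stale replication trigger a retry
     * (assumed trigger set for this model). */
    if (slave_ret != KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN &&
        slave_ret != KRB5KRB_AP_ERR_BAD_INTEGRITY)
        return slave_ret;
    if (master_ret == KRB5_OK)
        return KRB5_OK;                 /* master knew the principal after all */
    if (master_unlocatable(master_ret, with_patch))
        return slave_ret;               /* keep the slave's meaningful answer */
    return master_ret;                  /* master answered: its verdict wins */
}

int main(void)
{
    /* Scenario from the message: bogus principal, slave answers
     * "principal not found", master_kdc is absent from krb5.conf. */
    enum krb_err s = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
    enum krb_err m = KRB5_REALM_UNKNOWN;
    printf("unpatched: %s\n", describe(final_error(s, m, 0)));
    printf("patched:   %s\n", describe(final_error(s, m, 1)));
    return 0;
}
```

Without the extra case the configuration problem (no master_kdc) replaces the slave's answer, which is the confusing message the original report describes; with it, the slave's answer is what the caller sees.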

*** gic_pwd.c.orig      Tue May 27 17:42:30 2003
--- gic_pwd.c   Thu Aug 21 13:15:51 2003
***************
*** 160,165 ****
--- 160,166 ----
         slave we were able to contact */

        if ((ret2 == KRB5_KDC_UNREACH) ||
+                 (ret2 == KRB5_REALM_UNKNOWN) ||
                  (ret2 == KRB5_REALM_CANT_RESOLVE))
         goto cleanup;
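Review bot: the comment that ends with `slave we were able to contact */` just above the condition still describes only the unreachable-master case; with `(ret2 == KRB5_REALM_UNKNOWN)` added, a master that simply has no master_kdc entry in krb5.conf is now handled the same way, and the comment should say so. Worth checking before committing that KRB5_REALM_UNKNOWN is really the code the master lookup returns when master_kdc is absent, since the fix hinges on that mapping. Note also that the `goto cleanup` here makes the missing master_kdc entry invisible to the caller, who only ever sees the slave's error; if that configuration gap is worth surfacing, the locate_kdc() approach mentioned in the covering text (or at least a trace of the swallowed ret2) would be preferable to silently discarding it.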

--On Tuesday, August 19, 2003 5:43 PM -0400 Ben Creech 
<bpcreech at eos.ncsu.edu> wrote:

> The problem I reported earlier:
> <http://krbdev.mit.edu/rt/Ticket/Display.html?id=1735>
> is really caused by a missing master_kdc field in my krb5.conf.  When I
> request a ticket for a bogus principal, get_init_creds tries twice, once
> against a normal kdc (which fails with the correct error), and once on
> the master.  When it goes to look up the master, krb5_locate_kdc fails.
> Spelunking through code, I saw this, added the field, and everything
> works fine.
>
> What I still don't understand:
> - Was this intentional behavior?  The "master_kdc" field does not appear
>   to be documented.
> - Why doesn't my Linux client do the same thing?
>
> On an unrelated note, send_as_request looks weird at the TCP logic.  Why
> do we only check for the too-big-for-udp response from the KDC when the
> caller has requested that an error message be returned from the library
> function? Will err_reply->error ever equal KRB_ERR_RESPONSE_TOO_BIG?
> Shouldn't it be KRB_ERR_RESPONSE_TOO_BIG - KRB5KDC_ERR_NONE?
>
> Thanks,
> Ben Creech
