interesting problem...
Neulinger, Nathan
nneul at umr.edu
Mon Mar 17 11:17:31 EST 2003
Maybe something along these lines (which doesn't work btw, I haven't dug
into it very much yet.)
krb5_free_data(context, enc_part);
if ((ret = handle_masq_v4(context, v5tkt,
(struct sockaddr_in *) &saddr,
&tktdata, &v4kvno)) != 0)
goto error;
....
/*
 * We support two kinds of v4 credentials. There are real v4
 * credentials, and a Kerberos v5 enc part masquerading as a krb4
 * credential to be used by modern AFS implementations; this function
 * handles the masqueraded case. It throws away authorization data so
 * that this scheme will function with ADS servers that attach large
 * authorization data to service tickets.
 */
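/*
 * Turn a Kerberos v5 service ticket into the "v5 enc part masquerading as
 * a krb4 credential" form consumed by modern AFS implementations.
 *
 * The ticket is decrypted with the service key, its authorization data is
 * detached, and it is re-encrypted so that the resulting enc part is small
 * enough to fit in a krb4 ticket even when the KDC (an Active Directory
 * domain controller, for instance) attaches large authorization data to
 * service tickets.
 *
 * Parameters:
 *   context   krb5 library context.
 *   v5tkt     the v5 service ticket. enc_part2 is populated here by
 *             krb5_decrypt_tkt_part and released on every exit path.
 *   saddr     not used by this function; kept for interface parity with
 *             the caller.
 *   tktdata   output: caller-provided buffer that receives the encoded
 *             krb4 ticket; tktdata->length is set by encode_v4tkt.
 *   v4kvno    output: set to the protocol constant (0x100-0x2b) that marks
 *             the payload as a v5 enc part only.
 *
 * Returns 0 on success, a krb5_error_code otherwise. A re-encrypted enc
 * part that still does not fit in a krb4 ticket body is rejected with
 * KRB5KRB_ERR_FIELD_TOOLONG instead of overflowing the stack buffer.
 */
static krb5_error_code
handle_masq_v4 (krb5_context context, krb5_ticket *v5tkt,
                struct sockaddr_in *saddr,
                krb5_data *tktdata, krb5_kvno *v4kvno)
{
    krb5_error_code ret;
    krb5_keyblock v5_service_key;
    void *authdata;
    krb5_data *enc_part = NULL;
    KTEXT_ST fake_v4tkt;

    v5_service_key.contents = NULL;
    if ((ret = lookup_service_key(context, v5tkt->server,
                                  v5tkt->enc_part.enctype,
                                  v5tkt->enc_part.kvno,
                                  &v5_service_key, NULL)))
        goto error;
    if (debug)
        printf("service key retrieved\n");

    if ((ret = krb5_decrypt_tkt_part(context, &v5_service_key, v5tkt)))
        goto error;
    if (debug)
        printf("ticket decrypted\n");

    /*
     * Detach the authorization data for the re-encryption only. The ticket
     * structure still owns it, so it must be put back before the cleanup
     * below frees enc_part2 -- on every path, including encrypt failure --
     * or it leaks.
     */
    authdata = v5tkt->enc_part2->authorization_data;
    v5tkt->enc_part2->authorization_data = NULL;
    if (debug)
        printf("auth data disabled\n");

    /*
     * NOTE(review): krb5_encrypt_tkt_part presumably allocates fresh
     * ciphertext for v5tkt->enc_part; if so, the ciphertext received from
     * the client is leaked here unless it is freed first. Confirm against
     * the library before adding the free.
     */
    ret = krb5_encrypt_tkt_part(context, &v5_service_key, v5tkt);
    v5tkt->enc_part2->authorization_data = authdata;
    if (ret)
        goto error;
    if (debug)
        printf("ticket re-encrypted, auth data restored\n");

    if ((ret = encode_krb5_enc_data(&v5tkt->enc_part, &enc_part)) != 0)
        goto error;
    if (debug) {
        printf("encoded enc_part\n");
        printf("enc_part->length == %lu\n", (unsigned long)enc_part->length);
    }

    /*
     * KTEXT_ST.dat is a fixed-size stack array. A v5 enc part that still
     * exceeds it after the authorization data was stripped would overflow
     * it in the memcpy below, so refuse such tickets explicitly.
     */
    if (enc_part->length > sizeof(fake_v4tkt.dat)) {
        ret = KRB5KRB_ERR_FIELD_TOOLONG;
        goto error;
    }
    fake_v4tkt.mbz = 0;
    fake_v4tkt.length = enc_part->length;
    memcpy(fake_v4tkt.dat, enc_part->data, enc_part->length);
    *v4kvno = (0x100-0x2b); /* protocol constant indicating v5 enc part only */
    ret = encode_v4tkt(&fake_v4tkt, tktdata->data, &tktdata->length);

error:
    if (enc_part)
        krb5_free_data(context, enc_part);
    if (v5tkt->enc_part2)
        krb5_free_enc_tkt_part(context, v5tkt->enc_part2);
    if (v5_service_key.contents)
        krb5_free_keyblock_contents(context, &v5_service_key);
    return ret;
}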
------------------------------------------------------------
Nathan Neulinger EMail: nneul at umr.edu
University of Missouri - Rolla Phone: (573) 341-4841
Computing Services Fax: (573) 341-4216
> -----Original Message-----
> From: Neulinger, Nathan
> Sent: Monday, March 17, 2003 9:49 AM
> To: 'Sam Hartman'
> Cc: Uetrecht, Daniel J.
> Subject: interesting problem...
>
>
> I just started looking at the updated krb5 support and
> krb524d, and it won't use it because enc_part->length is 833
> bytes for my test user (or 1769 bytes in the case of my own userid).
>
> We're running against microsoft ADS, so I assume it's because
> of the authorization data crud in the ticket for group
> membership/etc.
>
> I'm guessing I may need to do something like decrypt the
> ticket, throw away the data I don't need, and then try the
> length check and new-style response again...
>
> Any suggestions?
>
> -- Nathan
>
> ------------------------------------------------------------
> Nathan Neulinger EMail: nneul at umr.edu
> University of Missouri - Rolla Phone: (573) 341-4841
> Computing Services Fax: (573) 341-4216
>