regression due to referral realm

Mark Phalan Mark.Phalan at Sun.COM
Wed Feb 4 04:51:34 EST 2009

There is a regression in functionality when calling
krb5_get_init_creds*() with a client which has been constructed with
krb5_sname_to_princ() when it returns a principal with a referral realm.

If krb5_get_init_creds*() is passed a client with a referral realm
(empty realm) authentication fails as it cannot construct a valid TGT or
identity which KDC it should authenticate to. If "dns_lookup_kdc" is
set (by default I believe is) then there are going to be some weird DNS
SRV lookups too as it tries to find a KDC for the realm "".

This is easy to reproduce:

1) Populate a keytab with a host/<fqdn> principal
2) Modify krb5.conf so there is no valid domain_realm mapping for the
domain of the host.
3) run kinit -k

The above returns a valid TGT on krb5-1.5.4 but fails with anything
later. The same problem occurs on Solaris in krb5_gss_init_sec_context()
and potentially anywhere a client principal returned from
krb5_sname_to_princ() is used to get initial credentials

It seems to me that mostly this will be hit when doing initial
authentication with a keytab. One way to mitigate that problem would be
to modify krb5_get_init_creds_keytab() to check the client principal to
see if it is using a referral realm. If it is then take the first
matching principal from the keytab and use that principal's realm.
I've got code to do this and can supply a patch.


More information about the krbdev mailing list