regression due to referral realm
Mark.Phalan at Sun.COM
Wed Feb 4 04:51:34 EST 2009
There is a regression in functionality when calling
krb5_get_init_creds*() with a client which has been constructed with
krb5_sname_to_princ() when it returns a principal with a referral realm.
If krb5_get_init_creds*() is passed a client with a referral realm
(empty realm) authentication fails as it cannot construct a valid TGT or
identity which KDC it should authenticate to. If "dns_lookup_kdc" is
set (by default I believe is) then there are going to be some weird DNS
SRV lookups too as it tries to find a KDC for the realm "".
This is easy to reproduce:
1) Populate a keytab with a host/<fqdn> principal
2) Modify krb5.conf so there is no valid domain_realm mapping for the
domain of the host.
3) run kinit -k
The above returns a valid TGT on krb5-1.5.4 but fails with anything
later. The same problem occurs on Solaris in krb5_gss_init_sec_context()
and potentially anywhere a client principal returned from
krb5_sname_to_princ() is used to get initial credentials
It seems to me that mostly this will be hit when doing initial
authentication with a keytab. One way to mitigate that problem would be
to modify krb5_get_init_creds_keytab() to check the client principal to
see if it is using a referral realm. If it is then take the first
matching principal from the keytab and use that principal's realm.
I've got code to do this and can supply a patch.
More information about the krbdev