regression due to referral realm
Nicolas.Williams at sun.com
Wed Feb 4 11:20:09 EST 2009
On Wed, Feb 04, 2009 at 10:51:34AM +0100, Mark Phalan wrote:
> It seems to me that mostly this will be hit when doing initial
> authentication with a keytab. One way to mitigate that problem would be
> to modify krb5_get_init_creds_keytab() to check the client principal to
> see if it is using a referral realm. If it is then take the first
> matching principal from the keytab and use that principal's realm.
> I've got code to do this and can supply a patch.

I agree. This is basically a zero-conf bug affecting apps that a) use
keytabs to acquire initial credentials, and b) use
krb5_sname_to_principal() instead of krb5_parse_name() to get the client

Such apps can be raw krb5 API apps, GSS-API apps, and even scripts
around kinit (see Mark's note).

Mark's fix involves adding a function that takes a krb5_principal with a
referral realm that then searches a given keytab for a matching entry
(where the match obviously excludes the realm part). That's likely to
raise some eyebrows, or at least this one:

Should keytabs be searched front to back or back to front? They are
usually appended to... This is, of course, a long-standing
question, for me at least.

In any case, the work-around for keytab search order issues is always to
use ktutil to create a keytab with entries in the correct order.
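
The search-order question raised in the message above, as an added example that is not part of the original post and is not MIT krb5 code: a simplified model of the realm-less keytab match, showing that front-to-back and back-to-front searches pick different realms once a keytab has been appended to. The `kt_entry` struct, `resolve_referral_realm()` and the sample entries are hypothetical; the referral realm is modelled as the empty string.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a keytab entry (not the libkrb5 structures). */
struct kt_entry { const char *name; const char *realm; unsigned kvno; };

enum kt_order { FRONT_TO_BACK, BACK_TO_FRONT };

/* If `realm` is the referral realm (empty string), return the realm of the
 * first keytab entry, in the chosen search order, whose name components match
 * `name`; the realm part is excluded from the match. Returns `realm` unchanged
 * when it is not a referral realm, and NULL when nothing in the keytab matches. */
const char *resolve_referral_realm(const struct kt_entry *kt, size_t n,
                                   const char *name, const char *realm,
                                   enum kt_order order)
{
    if (realm[0] != '\0')
        return realm;
    for (size_t i = 0; i < n; i++) {
        const struct kt_entry *e = &kt[order == FRONT_TO_BACK ? i : n - 1 - i];
        if (strcmp(e->name, name) == 0)
            return e->realm;
    }
    return NULL;
}

/* Constructed sample: a host that moved realms, with the new key appended. */
static const struct kt_entry sample_keytab[] = {
    { "host/app1.example.com", "OLD.EXAMPLE.COM", 3 },
    { "nfs/app1.example.com",  "OLD.EXAMPLE.COM", 1 },
    { "host/app1.example.com", "NEW.EXAMPLE.COM", 1 },
};
#define SAMPLE_N (sizeof sample_keytab / sizeof sample_keytab[0])

int main(void)
{
    const char *client = "host/app1.example.com";
    printf("front to back: %s\n",
           resolve_referral_realm(sample_keytab, SAMPLE_N, client, "", FRONT_TO_BACK));
    printf("back to front: %s\n",
           resolve_referral_realm(sample_keytab, SAMPLE_N, client, "", BACK_TO_FRONT));
    return 0;
}
```

With an appended-to keytab, a front-to-back search authenticates as the stale realm's principal, which is why rebuilding the keytab in the intended order with ktutil makes the result deterministic.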