getprinc problems in 1.8b1
Marcus Watts
mdw at umich.edu
Wed Feb 24 11:55:37 EST 2010
Another set of problems surfaced recently here -- we found this
specifically in 1.6.3, but it turns out the problem got
worse in 1.7 and still exists in 1.8b1.
1. clarification
2. the problem
3. a patch
4. test script
5. sample output
6. perl gotcha
____ 1. clarification
To be clear: these problems both predate 1.8b1, and
don't manifest in the cli, only in code people might
write to use the administrative api directly.
____ 2. the problem
getprinc takes a mask that describes which attributes
it's supposed to return. This can't be exercised from
the cli - it always asks for all attributes. It can however
be exercised from C, perl, or (in our case) java.
There are 2 problems actually. The first has to do with
KADM5_MOD_NAME. If this attribute is NOT set, but
KADM5_MOD_TIME is, mod_name is still returned. Additionally,
if KADM5_PRINCIPAL is set, principal may not be returned
even though it should be. Basically, the code is suppressing
the wrong returned data value. This has been true since at least 1.6.3.
The second has to do with mkvno. This value is always
returned, regardless of whether KADM5_MKVNO is set.
This was new behavior in 1.7. (1.6.3 had different
possibly broken behavior.)
____ 3. a patch
Here is a patch that fixes both problems,
/afs/umich.edu/group/itd/build/mdw/krb5.15x/patches/krb5-1.8b1-getprinc.patch
____ 4. test script
Here's a perl script that can be used to exercise this problem,
/afs/umich.edu/group/itd/build/mdw/comma/test-p5-getprinc
This needs
Authen::Krb5
Authen::Krb5::Admin
both available from cpan.
____ 5. sample output
and here's sample output, 4 test cases without
and with the patch:
without,
== test-p5-getprinc mdw last_modified_by
last_modified_by=admin at CATS.UMICH.EDU
mkvno=2
== test-p5-getprinc mdw principal last_modified_date
last_modified_by=admin at CATS.UMICH.EDU
last_modified_date=1264810906
mkvno=2
== test-p5-getprinc mdw principal last_modified_date last_modified_by
last_modified_by=admin at CATS.UMICH.EDU
last_modified_date=1264810906
mkvno=2
principal=mdw at CATS.UMICH.EDU
== test-p5-getprinc mdw mkvno
mkvno=2
with the patch,
== test-p5-getprinc mdw last_modified_by
last_modified_by=admin at CATS.UMICH.EDU
== test-p5-getprinc mdw principal last_modified_date
last_modified_date=1264810906
principal=mdw at CATS.UMICH.EDU
== test-p5-getprinc mdw principal last_modified_date last_modified_by
last_modified_by=admin at CATS.UMICH.EDU
last_modified_date=1264810906
principal=mdw at CATS.UMICH.EDU
== test-p5-getprinc mdw mkvno
mkvno=2
____ 6. perl gotcha
In the case of using perl, failing to return mod_name means
that naive code that looks at $ap->mod_name->data will cause
segmentation faults in perl, attempting to dereference mod_name = 0.
Obviously the perl module could stand improvement too.
-Marcus Watts
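
An added example, not part of the original post or of the krb5 source: a small C checker for the mask contract the message describes, run over the request and output format shown in section 5. The A_* bit values and the helper names are assumptions made for this example and are not the KADM5_* constants from the krb5 headers.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in bits for this example only; not the KADM5_* values from the krb5 headers. */
enum { A_PRINCIPAL = 1, A_MOD_TIME = 2, A_MOD_NAME = 4, A_MKVNO = 8 };
static const struct { const char *name; unsigned bit; } attrs[] = {
    { "principal", A_PRINCIPAL }, { "last_modified_date", A_MOD_TIME },
    { "last_modified_by", A_MOD_NAME }, { "mkvno", A_MKVNO },
};

/* Bit for an attribute name of length n, or 0 if the name is unknown. */
static unsigned attr_bit(const char *s, size_t n) {
    for (size_t i = 0; i < sizeof attrs / sizeof attrs[0]; i++)
        if (strlen(attrs[i].name) == n && memcmp(attrs[i].name, s, n) == 0)
            return attrs[i].bit;
    return 0;
}

/* OR the bits of every item in text; items are split on sep, a name ends at '='. */
static unsigned names_to_mask(const char *text, const char *sep) {
    unsigned mask = 0;
    while (*text) {
        size_t item = strcspn(text, sep);
        const char *eq = memchr(text, '=', item);
        mask |= attr_bit(text, eq ? (size_t)(eq - text) : item);
        text += item;
        text += strspn(text, sep);
    }
    return mask;
}

/* Fields present in the output that the request did not ask for. */
static unsigned unrequested(const char *req, const char *out) {
    return names_to_mask(out, "\n") & ~names_to_mask(req, " ");
}

/* Requested fields that are absent; dereferencing one unchecked is the section 6 crash. */
static unsigned missing(const char *req, const char *out) {
    return names_to_mask(req, " ") & ~names_to_mask(out, "\n");
}

int main(void) {
    /* Second test case from the post, with the output shown without the patch. */
    const char *req = "principal last_modified_date";
    const char *out = "last_modified_by=admin at CATS.UMICH.EDU\nlast_modified_date=1264810906\nmkvno=2\n";
    printf("unrequested=0x%x missing=0x%x\n", unrequested(req, out), missing(req, out));
    return 0;
}
```

Both functions return 0 for each of the four "with the patch" cases in section 5, so a nonzero result from either can serve as a regression signal for this bug.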