RT RT/krbdev.mit.edu: Ticket #6952 Fix cross-realm traversal TGT requests Signed in as guest.
[Logout]

[Home] [Search] [Configuration]

[Display] [History] [Basics] [Dates] [People] [Links] [Jumbo]

 
 

 The Basics  
Id
6952
Status
resolved
Worked
0 min
Priority
0/0
Queue
krb5
 

 Keyword Selections  
Component
Tags
Version_reported
Version_Fixed
  • 1.9.2
Target_Version
  • 1.9.2
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
Referred to by:
 
 Dates  
Created: Thu Sep 1 12:21:26 2011
Starts: Not set
Started: Thu Sep 1 12:21:27 2011
Last Contact: Tue Oct 18 16:42:58 2011
Due: Not set
Updated: Wed Dec 16 18:02:57 2015 by tlyu
 

 People  
Owner
 ghudson
Requestors
 ghudson@mit.edu, cgrundman@gmail.com
Cc
 
AdminCc
 
 

 More about Greg Hudson  
Comments about this user:
No comment entered about this user
This user's 25 highest priority tickets:
 
 More about Chaskiel Grundman  
Comments about this user:
No comment entered about this user
This user's 25 highest priority tickets:
 

History   Display mode: [Brief headers] [Full headers]
      Thu Sep  1 12:21:27 2011  ghudson - Ticket created    
     
From: ghudson@mit.edu
Subject: SVN Commit


When requesting a cross-realm TGT, use the KDC instance of the current
TGT (the second data component), not the realm which the TGT came
from.

https://github.com/krb5/krb5/commit/5c94d680e4e9cbffa763ad69b112385492fd4ebf
Commit By: ghudson
Revision: 25121
Changed Files:
U   trunk/src/lib/krb5/krb/get_creds.c


Download (untitled) 311b
      Thu Sep  1 12:21:27 2011  ghudson - Requestor ghudson@mit.edu added    
      Thu Sep  1 12:21:27 2011  ghudson - Status changed from new to review    
      Thu Sep  1 12:21:28 2011  ghudson - Tags pullup added    
      Thu Sep  1 12:21:28 2011  ghudson - Target_Version 1.9.2 added    
      Tue Oct 18 16:42:58 2011  tlyu - Status changed from review to resolved    
      Tue Oct 18 16:42:58 2011  tlyu - Version_Fixed 1.9.2 added    
      Tue Oct 18 16:42:58 2011  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: SVN Commit


pull up r25121 from trunk

 ------------------------------------------------------------------------
 r25121 | ghudson | 2011-09-01 12:21:25 -0400 (Thu, 01 Sep 2011) | 9 lines

 ticket: 6952
 subject: Fix cross-realm traversal TGT requests
 target_version: 1.9.2
 tags: pullup

 When requesting a cross-realm TGT, use the KDC instance of the current
 TGT (the second data component), not the realm which the TGT came
 from.

https://github.com/krb5/krb5/commit/fdbfc89048530c88328327271c248b5246161e06
Commit By: tlyu
Revision: 25380
Changed Files:
U   branches/krb5-1-9/src/lib/krb5/krb/get_creds.c


Download (untitled) 601b
      Thu Jun 14 17:37:23 2012  cgrundman@gmail.com - Ticket 7174: Ticket created    
     
Date: Thu, 14 Jun 2012 16:00:34 -0400
Subject: multi-hop cross-realm w/o capaths sends request to wrong kdc
From: Chaskiel Grundman <cgrundman@gmail.com>
To: krb5-bugs@mit.edu

I have an environment with two AD domains (in one forest) and a
kerberos realm, recently upgraded to a recent heimdal. As part of that
migration, the trust between AD and the kerberos realm was redone.
Previously, both the root domain and the domain that all the
users/resources are in had trusts, but now only the root AD domain has
a trust. The heimdal kdcs have [capaths] configured and properly give
out realm referrals. The AD servers do not.


Lets call the kerberos realm KERBEROS.EXAMPLE.COM, and the AD domains
AD.EXAMPLE.COM and REALDOMAIN.AD.EXAMPLE.COM. These names _do_ reflect
the domain hierarchy relationship correctly. I only changed the
individual labels.

After the change, mit krb5 1.9 (1.9.1ish on ubuntu 11.10), cannot get
tickets on behalf of user@REALDOMAIN.AD.EXAMPLE.COM for services in
KERBEROS.EXAMPLE.COM:

% aklog -d kerberos.example.com
Note: Operation is performed on cell REALDOMAIN.AD.EXAMPLE.COM
Authenticating to cell kerberos.example.com (server XXXX.kerberos.example.com).
Trying to authenticate to user's realm REALDOMAIN.AD.EXAMPLE.COM.
Getting tickets: afs/kerberos.example.com@REALDOMAIN.AD.EXAMPLE.COM
We've deduced that we need to authenticate to realm KERBEROS.EXAMPLE.COM.
Getting tickets: afs/kerberos.example.com@KERBEROS.EXAMPLE.COM
Getting tickets: afs/kerberos.example.com@KERBEROS.EXAMPLE.COM
Kerberos error code returned by get_cred : -1765328316

That is KRB5KDC_ERR_WRONG_REALM

Setting KRB5_TRACE reveals the following:
[27580] 1339700735.363748: Requesting TGT
krbtgt/KERBEROS.EXAMPLE.COM@REALDOMAIN.AD.EXAMPLE.COM using TGT
krbtgt/AD.EXAMPLE.COM@REALDOMAIN.AD.EXAMPLE.COM
[27580] 1339700735.363759: Generated subkey for TGS request: rc4-hmac/AB6E
[27580] 1339700735.363772: etypes requested in TGS request:
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, des-cbc-crc, des,
des-cbc-md4
[27580] 1339700735.363839: Sending request (1737 bytes) to AD.EXAMPLE.COM
[27580] 1339700735.369349: Initiating TCP connection to stream 192.168.20.8:88
[27580] 1339700735.371149: Sending TCP request to stream 192.168.20.8:88
[27580] 1339700735.372676: Received answer from stream 192.168.20.8:88
[27580] 1339700735.374530: Response was not from master KDC
[27580] 1339700735.374547: TGS request result: -1765328316/Realm not
local to KDC

The library seems to be mixing up the realms, asking for an
@REALDOMAIN.AD.EXAMPLE.COM ticket from the @AD.EXAMPLE.COM kdc.

If I add some capaths to the client's krb5.conf, the problem does not
occur, but I'd really rather not have to do that everywhere. an mit
krb5 1.6 client (RHEL5) works without the capaths.
[capaths]
REALDOMAIN.AD.EXAMPLE.COM = {
   KERBEROS.EXAMPLE.COM = AD.EXAMPLE.COM
   AD.EXAMPLE.COM = .
}


Download (untitled) 2.6k
      Thu Jun 14 17:46:08 2012  ghudson - Ticket 7174: Correspondence added    
     
I'm pretty sure this is a bug which was fixed in krb5 1.9.2 (see issue
#6952).  You may be able to convince Ubuntu to backport the fix to their
package, or upgrade their package to 1.9.3, although with 12.04 out I
don't know how easy that will be.  I apologize for the inconvenience; it
was a small typo on my part which broke a whole category of cross-realm
scenarios.  We now have automated cross-realm tests which would catch a
bug like this.


Download (untitled) 451b
      Thu Jun 14 17:46:21 2012  ghudson - Ticket 7174: Ticket 7174 MergedInto ticket 6952.    
      Wed Dec 16 18:02:57 2015  tlyu - Keyword pullup deleted