RT/krbdev.mit.edu: Ticket #5697 make ccache handle referrals better

 The Basics  
Id
5697
Status
resolved
Worked
0 min
Priority
0/0
Queue
krb5
 

 Keyword Selections  
Component
  • krb5-libs
Version_reported
  • 1.6.2
Version_Fixed
  • 1.6.3
Target_Version
  • 1.6.3
Tags
  • pullup
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
  • 5663: (Nobody) kinit -S can fail if using a "fallback" mechanism to determine realm [new]
Referred to by:
 
 Dates  
Created: Tue Aug 28 20:10:43 2007
Starts: Not set
Started: Wed Aug 29 19:24:26 2007
Last Contact: Sat Sep 1 00:48:59 2007
Due: Not set
Updated: Wed Jun 25 11:34:16 2008 by guest
 

 People  
Owner
 tlyu
Requestors
 tlyu@mit.edu
Cc
 
AdminCc
 
 


History
      Tue Aug 28 20:10:43 2007  tlyu - Ticket created    
     
To: krb5-bugs@MIT.EDU
Subject: make ccache handle referrals better
From: Tom Yu <tlyu@MIT.EDU>
Date: Tue, 28 Aug 2007 20:05:47 -0400

In bug reports such as

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=436512

and ticket #5663 it appears that the referrals support causes some
problems in the following cases:

1. pre-existing cred having explicit service realm can't be found in
   ccache when looking up a principal name with empty realm from
   sname_to_princ

2. pre-existing cred having empty realm or different service realm
   from actual encoded ticket can't be found in ccache when looking up
   a principal name with the "correct" realm

Both of these can cause excess network traffic as the client attempts
to get another copy of a ticket which it already has.

For (1), cause krb5_cc_retrieve_cred to search using the client
principal's realm as the service principal's realm if a search with an
empty service realm fails.

For (2), cause krb5_cc_store_cred to compare the service principal
(perhaps only the realm) in the cred against the principal in the
actual ticket.  If they differ, store using both principal names.

These should be implemented independently of the back ends, i.e. the
krb5_cc_* interfaces will no longer be simple wrappers around a call
through a function pointer.  The above solutions will also help in
cases where a ccache is shared between multiple implementations.


      Tue Aug 28 20:28:20 2007  tlyu - Given to tlyu    
      Tue Aug 28 20:28:20 2007  tlyu - Component krb5-libs added    
      Tue Aug 28 20:28:20 2007  tlyu - Version_reported 1.6.2 added    
      Tue Aug 28 20:28:21 2007  tlyu - Target_Version 1.6.3 added    
      Tue Aug 28 20:28:21 2007  tlyu - Ticket 5697 RefersTo ticket 5663.    
      Wed Aug 29 19:23:39 2007  tlyu - Correspondence added    
     
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5697] make ccache handle referrals better
From: Tom Yu <tlyu@MIT.EDU>
Date: Wed, 29 Aug 2007 19:23:29 -0400
RT-Send-Cc: 

From: tlyu@MIT.EDU
Subject: svn rev #19898: trunk/  src/lib/krb5/ccache/
To: cvs-krb5@mit.edu
Date: Wed, 29 Aug 2007 18:59:53 -0400 (EDT)
Reply-To: krbdev@MIT.EDU

Commit By: tlyu
Log Message:
ticket: 5697
tags: pullup

Make ccache handle referrals better by storing both server principal
names if they differ between the creds structure and the encoded
ticket and by looking up the server principal using the client's realm
if not found and server's realm was initially the referral (empty)
realm.



Changed Files:
_U  trunk/
U   trunk/src/lib/krb5/ccache/ccfns.c


      Wed Aug 29 19:24:26 2007  tlyu - Status changed from new to resolved    
      Wed Aug 29 19:24:26 2007  tlyu - Tags pullup added    
      Thu Aug 30 20:23:54 2007  raeburn - Status changed from resolved to open    
      Thu Aug 30 20:23:55 2007  raeburn - Correspondence added    
     
This patch seems to cause the t_cc test to fail.


      Fri Aug 31 15:41:57 2007  tlyu - Correspondence added    
     
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5697] make ccache handle referrals better
From: Tom Yu <tlyu@MIT.EDU>
Date: Fri, 31 Aug 2007 15:41:47 -0400
RT-Send-Cc: 

Ouch.  It looks like t_cc fails because it attempts to use some
human-readable strings instead of valid ASN.1 for the actual encoded
"ticket" when storing a credential.


      Fri Aug 31 16:02:10 2007  jaltman - Correspondence added    
     
Date: Fri, 31 Aug 2007 16:04:09 -0400
From: Jeffrey Altman <jaltman@mit.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5697] make ccache handle referrals better
RT-Send-Cc: 

Tom Yu via RT wrote:
> Ouch.  It looks like t_cc fails because it attempts to use some
> human-readable strings instead of valid ASN.1 for the actual encoded
> "ticket" when storing a credential.

Note that kx509 stores X.509 certificates in the cache using krb5_cc and
 there is at least one site that is using the ccache to store SSH
private keys.

I don't think that failure to parse a ticket should result in the ticket
not being stored in the ccache under the requested name.



      Fri Aug 31 17:30:06 2007  hartmans - Correspondence added    
     
From: Sam Hartman <hartmans@mit.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5697] make ccache handle referrals better
Date: Fri, 31 Aug 2007 17:30:03 -0400
RT-Send-Cc: 

>>>>> "Jeffrey" == Jeffrey Altman via RT <rt-comment@krbdev.mit.edu> writes:

    Jeffrey> Tom Yu via RT wrote:
    >> Ouch.  It looks like t_cc fails because it attempts to use some
    >> human-readable strings instead of valid ASN.1 for the actual
    >> encoded "ticket" when storing a credential.

    Jeffrey> Note that kx509 stores X.509 certificates in the cache
    Jeffrey> using krb5_cc and there is at least one site that is
    Jeffrey> using the ccache to store SSH private keys.

It's not clear we support any of these use cases.


      Sat Sep  1 00:48:55 2007  jaltman@columbia.edu - Correspondence added    
     
Date: Sat, 01 Sep 2007 00:50:51 -0400
From: Jeffrey Altman <jaltman@columbia.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5697] make ccache handle referrals better
RT-Send-Cc: 

Sam Hartman via RT wrote:
>>>>>> "Jeffrey" == Jeffrey Altman via RT <rt-comment@krbdev.mit.edu> writes:
>
>     Jeffrey> Tom Yu via RT wrote:
>     >> Ouch.  It looks like t_cc fails because it attempts to use some
>     >> human-readable strings instead of valid ASN.1 for the actual
>     >> encoded "ticket" when storing a credential.
>
>     Jeffrey> Note that kx509 stores X.509 certificates in the cache
>     Jeffrey> using krb5_cc and there is at least one site that is
>     Jeffrey> using the ccache to store SSH private keys.
>
> It's not clear we support any of these use cases.

That may be, but if you make this change you are going to break
code systems that people have been running in production for many
years.   If there is no reason to break other people's applications,
why do so?


      Mon Sep  3 22:10:19 2007  tlyu - Status changed from open to resolved    
      Mon Sep  3 22:10:20 2007  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: SVN Commit

Bail out if encoded "ticket" doesn't decode correctly.  This allows
t_cc test case to pass and allows non-tickets to be stored (for now).

Commit By: tlyu



Revision: 19910
Changed Files:
_U  trunk/
U   trunk/src/lib/krb5/ccache/ccfns.c


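The following is a constructed Python model of the two ccache changes discussed in this ticket: r19898 (store a cred under both server names when the creds structure and the encoded ticket disagree, and fall back to the client's realm when a lookup with the empty referral realm finds nothing) and r19910 (if the "ticket" blob does not decode, skip the comparison and store it under the requested name only, so non-ticket data such as the t_cc strings survives). It is an added illustration, not krb5's ccfns.c; the Principal/Cred types and the `TKT:` byte-string stand-in for ASN.1 are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Principal:
    name: str
    realm: str  # "" models the referral (empty) realm

@dataclass
class Cred:
    client: Principal
    server: Principal
    ticket: bytes  # constructed stand-in for the DER-encoded ticket

def decode_ticket_server(ticket: bytes) -> Optional[Principal]:
    """Stand-in for ASN.1 decoding: extract the server principal from a
    constructed 'TKT:<name>@<realm>' blob, or None if it does not decode
    (e.g. a human-readable t_cc string or an X.509 certificate)."""
    if not ticket.startswith(b"TKT:"):
        return None
    name, _, realm = ticket[4:].decode("ascii").partition("@")
    return Principal(name, realm)

@dataclass
class CCache:
    creds: list = field(default_factory=list)

    def store_cred(self, cred: Cred) -> int:
        """r19898: also store under the ticket's own server name when it
        differs. r19910: if the blob does not decode, bail out of the
        comparison and keep only the requested name. Returns entries added."""
        self.creds.append(cred)
        tkt_server = decode_ticket_server(cred.ticket)
        if tkt_server is None or tkt_server == cred.server:
            return 1
        self.creds.append(Cred(cred.client, tkt_server, cred.ticket))
        return 2

    def _find(self, client: Principal, server: Principal) -> Optional[Cred]:
        return next((c for c in self.creds
                     if c.client == client and c.server == server), None)

    def retrieve_cred(self, client: Principal, server: Principal) -> Optional[Cred]:
        """Exact match first; if the server realm is the referral (empty)
        realm and nothing matched, retry with the client's realm (case 1)."""
        found = self._find(client, server)
        if found is None and server.realm == "":
            found = self._find(client, Principal(server.name, client.realm))
        return found
```

Case 2 of the ticket is covered by store_cred: a cred stored with an empty or wrong service realm is also findable under the realm the encoded ticket actually names, so the client does not go back to the KDC for a ticket it already holds.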
      Wed Sep  5 17:32:20 2007  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: SVN Commit

pull up r19898 from trunk

 r19898@cathode-dark-space:  tlyu | 2007-08-29 18:59:52 -0400
 ticket: 5697
 tags: pullup

 Make ccache handle referrals better by storing both server principal
 names if they differ between the creds structure and the encoded
 ticket and by looking up the server principal using the client's realm
 if not found and server's realm was initially the referral (empty)
 realm.



Commit By: tlyu



Revision: 19927
Changed Files:
_U  branches/krb5-1-6/
U   branches/krb5-1-6/src/lib/krb5/ccache/ccfns.c


      Wed Sep  5 17:32:35 2007  tlyu - Version_Fixed 1.6.3 added    
      Wed Sep  5 17:32:36 2007  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: SVN Commit

pull up r19910 from trunk

 r19910@cathode-dark-space:  tlyu | 2007-09-03 22:10:13 -0400
 ticket: 5697

 Bail out if encoded "ticket" doesn't decode correctly.  This allows
 t_cc test case to pass and allows non-tickets to be stored (for now).



Commit By: tlyu



Revision: 19928
Changed Files:
_U  branches/krb5-1-6/
U   branches/krb5-1-6/src/lib/krb5/ccache/ccfns.c

