From: Michael Morony
To: krb5-bugs@mit.edu
Date: Thu, 17 May 2012 15:17:57 +1000
Subject: S4U2Self using kvno broken in 1.10.1, but not in 1.9.3
Message-ID: <4FB48A05.8060509@exinda.com>

I'm using kvno to get some tickets using protocol transition (S4U2Self) with a Win2k3 KDC.
Essentially I am running the following 3 shell commands:

kdestroy
kinit -k -t my_keytab delegate_user
kvno -k my_keytab -U fakeuser -P delegate_user cifs/2008FileServer

The idea being to get a service ticket for cifs for user "fakeuser".

Version 1.9.3 works fine (compiled from MIT source on Ubuntu). Output is:

delegate_user@TEST.MYDOMAIN.COM: kvno = 2, keytab entry valid
cifs/2008FileServer@TEST.MYDOMAIN.COM: kvno = 2, keytab entry valid

Version 1.10.1 does not (again, compiled from MIT source). Output is:

kvno: Generic preauthentication failure while getting credentials for delegate_user@TEST.MYDOMAIN.COM
kvno: Generic preauthentication failure while getting credentials for cifs/2008FileServer@TEST.MYDOMAIN.COM

The reason being: some error code returns have changed in the krb5 lib and the s4u code no longer does what it is supposed to, as it can't properly handle KRB5_PREAUTH_FAILED.

The difference in packet flow is: for 1.9.3 you see AS-REQ, then AS-REP with preauth required, but it then goes and does a TGS-REQ S4U style as required. For 1.10.1 you just see two AS-REQ/AS-REP asking for preauth, then it just fails.

The fix below works for me; is there a better way, or should it be fixed elsewhere?

diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c index e4cc8a1..dd2c7d0 100644 --- a/src/lib/krb5/krb/s4u_creds.c +++ b/src/lib/krb5/krb/s4u_creds.c @@ -120,7 +120,8 @@ s4u_identify_user(krb5_context context, &use_master, NULL); if (code == 0 || code == KDC_ERR_PREAUTH_REQUIRED || - code == KDC_ERR_PREAUTH_FAILED) { + code == KDC_ERR_PREAUTH_FAILED || + code == KRB5_PREAUTH_FAILED) { *canon_user = userid.user; userid.user = NULL; code = 0;
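Review bot: the added "code == KRB5_PREAUTH_FAILED" term makes a library-level generic preauthentication failure count as a successful identification of the user (the branch takes userid.user as *canon_user and resets code to 0), but nothing in the hunk says why a library-side code should imply that the KDC recognised the principal in the way the KDC-originated KDC_ERR_PREAUTH_REQUIRED and KDC_ERR_PREAUTH_FAILED cases do. Add a comment above the condition naming the 1.10 krb5_get_init_creds path that now yields KRB5_PREAUTH_FAILED where the KDC error used to surface (the report says the returned error codes changed between 1.9.3 and 1.10.1), and confirm that the same value cannot come back before any AS exchange has reached the KDC, because this branch swallows it unconditionally and the caller would then continue on an un-canonicalized name. While here, check the two existing comparisons with KDC_ERR_PREAUTH_REQUIRED and KDC_ERR_PREAUTH_FAILED against the values krb5_get_init_creds actually returns (the KRB5KDC_ERR_* com_err constants rather than the raw protocol numbers); if in practice only the new KRB5_PREAUTH_FAILED term can match, the condition is misleading as written and the dead terms should be replaced or removed in the same change.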
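As an added illustration (my own code, not part of this report or of MIT krb5) of why a check like the patched condition has to name more than one "preauth failed" constant, the following Python decodes com_err-style krb5_error_code values into their error table and index. ERROR_TABLE_BASE_krb5, the raw KDC_ERR_* protocol numbers and the com_err packing scheme are as in krb5.h and libcom_err; the numeric value of KRB5_PREAUTH_FAILED is quoted from memory and is an assumption to verify against the krb5.h of the build being debugged (the "Generic preauthentication failure" text in the 1.10.1 output above is that code's error string).

```python
# Added example, not code from the bug report or from MIT krb5: decode
# com_err-style krb5_error_code values into (error table, index).
#
# libcom_err packs an error table's name into the high 24 bits of a 32-bit
# code, six bits per character (value = position in CHARSET + 1, 0 = unused),
# and the entry index into the low 8 bits. The krb5 table keeps the RFC 4120
# KRB-ERROR numbers at indices 0..127 and library-internal errors above that.

CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

# From krb5.h: the base of the krb5 com_err table.
ERROR_TABLE_BASE_krb5 = -1765328384

# From krb5.h: raw RFC 4120 protocol error numbers (not com_err codes).
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25

# The com_err codes libkrb5 builds from a KRB-ERROR carrying those numbers.
KRB5KDC_ERR_PREAUTH_FAILED = ERROR_TABLE_BASE_krb5 + KDC_ERR_PREAUTH_FAILED
KRB5KDC_ERR_PREAUTH_REQUIRED = ERROR_TABLE_BASE_krb5 + KDC_ERR_PREAUTH_REQUIRED

# Library-internal "Generic preauthentication failure". ASSUMPTION: value
# quoted from memory of krb5.h; verify with: grep KRB5_PREAUTH_FAILED krb5.h
KRB5_PREAUTH_FAILED = -1765328174

KNOWN = {
    KRB5KDC_ERR_PREAUTH_FAILED: "KRB5KDC_ERR_PREAUTH_FAILED",
    KRB5KDC_ERR_PREAUTH_REQUIRED: "KRB5KDC_ERR_PREAUTH_REQUIRED",
    KRB5_PREAUTH_FAILED: "KRB5_PREAUTH_FAILED",
}


def decode_com_err(code):
    """Return (table_name, index) for a signed 32-bit com_err code.

    Mirrors libcom_err's error_table_name(): drop the index byte, then read
    up to four 6-bit characters from high to low, skipping zero slots.
    """
    bits = code & 0xFFFFFFFF        # view the signed C value as raw bits
    index = bits & 0xFF
    packed = (bits >> 8) & 0xFFFFFF
    name = ""
    for i in range(3, -1, -1):
        ch = (packed >> (6 * i)) & 0x3F
        if ch:
            name += CHARSET[ch - 1]
    return name, index


def describe(code):
    """Classify a value the way you would when reading krb5 error returns."""
    table, index = decode_com_err(code)
    if not table:
        return "raw protocol number %d (no com_err table)" % index
    label = KNOWN.get(code, "unnamed")
    origin = "KRB-ERROR code" if index < 128 else "library-internal"
    return "%s: table %s index %d (%s)" % (label, table, index, origin)


if __name__ == "__main__":
    for c in (KDC_ERR_PREAUTH_FAILED, KRB5KDC_ERR_PREAUTH_FAILED,
              KRB5KDC_ERR_PREAUTH_REQUIRED, KRB5_PREAUTH_FAILED):
        print("%12d -> %s" % (c, describe(c)))
```

Running it shows that the raw KDC_ERR_PREAUTH_FAILED (24) decodes to no table at all, while KRB5KDC_ERR_PREAUTH_FAILED and KRB5_PREAUTH_FAILED both live in the krb5 table at different indices. Which of these a particular libkrb5 version hands back from krb5_get_init_creds is exactly what has to be read from that version's source when a comparison such as the one in s4u_identify_user stops matching.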