
Subject: Expired tickets don't pop dialog with Mac Eudora GSS
The Kerberos login dialog won't pop up if existing tickets have expired
and Eudora (Mac) tries to auth with GSS/K5. Instead, Eudora reports a
"tickets have expired" error and the user needs to manually get new tickets
with Kerberos.app or kinit.

We need to find a bottleneck for this situation to trap.
To: rt@krbdev.mit.edu
Subject: [krbdev@mit.edu #1305] Is this bug real?
Date: Tue, 28 Jan 2003 12:39:57 -0500 (EST)
From: hartmans@mit.edu (Sam Hartman)
RT-Send-Cc:


Hi, I've looked at the krb5 library and the kll library and it is not
obvious that this bug should happen. Marshall, can you please look
and see if this actually happens for you in practice?
To: rt@krbdev.mit.edu
Subject: [krbdev.mit.edu #1305] problem found
Date: Mon, 3 Feb 2003 14:30:15 -0500 (EST)
From: hartmans@mit.edu (Sam Hartman)
RT-Send-Cc:


The GSSAPI library stores a default credential in a global static
variable and never attempts to refresh this credential. I don't
understand why this was ever correct behavior.


This is at least easy to fix.
To: rt@krbdev.mit.edu
Subject: [krbdev.mit.edu #1305] Spec considered
Date: Wed, 5 Feb 2003 16:31:15 -0500 (EST)
From: hartmans@mit.edu (Sam Hartman)
RT-Send-Cc:


Marc Horowitz pointed out that we need to be careful to preserve
behavior mandated by the spec. I've looked at the spec and I believe
that we can solve this provided that gss_inquire_cred still does
something useful with the default credentials.

I believe for example it would be reasonable to refresh the default
credentials during each init_sec_context and accept_sec_context call.
Provided that the system credentials have not changed, then things
will continue to work.


There are some multi-mechanism issues to consider eventually.
From: tlyu@mit.edu
Subject: CVS Commit
This should fix things, but I don't have an easy way to test.

* gssapi_krb5.c (kg_get_defcred): Check for invalid or expired
defcred if it exists, and call acquire_cred() again if necessary.


To generate a diff of this commit:

cvs diff -r1.210 -r1.211 krb5/src/lib/gssapi/krb5/ChangeLog
cvs diff -r1.21 -r1.22 krb5/src/lib/gssapi/krb5/gssapi_krb5.c
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #1305] CVS Commit
From: Sam Hartman <hartmans@mit.edu>
Date: Fri, 21 Feb 2003 19:09:27 -0500
RT-Send-Cc:

I don't like this solution because it incorrectly tracks the behavior
where the user changes credentials either in Kerberos.app or by
running kinit.

Why did you reject the proposed solution of getting new default
credentials on every call?
From: tlyu@mit.edu
Subject: CVS Commit
* gssapi_krb5.c (kg_get_defcred): Revert previous; it's probably
not appropriate for inquire_cred() to cause new credentials to be
fetched.

* init_sec_context.c (krb5_gss_init_sec_context): Explicitly
release default cred in the NO_CREDENTIAL case, so it is always
refreshed.


To generate a diff of this commit:

cvs diff -r1.211 -r1.212 krb5/src/lib/gssapi/krb5/ChangeLog
cvs diff -r1.22 -r1.23 krb5/src/lib/gssapi/krb5/gssapi_krb5.c
cvs diff -r1.65 -r1.66 krb5/src/lib/gssapi/krb5/init_sec_context.c
Verified fixed in KfM 5.0a4 using Eudora and SAP.
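
The three default-credential behaviors discussed in this ticket (a cached credential that is never refreshed, the first commit's refresh only when expired, and the final commit's release on every no-credential call), modeled in C. This is an added example, not krb5 source: the struct, `store`, `user_kinit`, `init_ctx_default` and `after_rekinit` are hypothetical names, and the principals and lifetimes are constructed.

```c
#include <stdio.h>

/* Constructed model, not krb5 source. "store" stands in for the system
 * credential cache that kinit or Kerberos.app rewrites. */
struct cred { char principal[32]; long expires; int valid; };
static struct cred store;    /* tickets the user currently holds */
static struct cred defcred;  /* process-wide cached default credential */
static long now;             /* simulated clock */

enum policy { NEVER_REFRESH, REFRESH_IF_EXPIRED, ALWAYS_REFRESH };

/* Hypothetical helper: the user obtains tickets for princ. */
static void user_kinit(const char *princ, long lifetime) {
    snprintf(store.principal, sizeof store.principal, "%s", princ);
    store.expires = now + lifetime;
    store.valid = 1;
}

/* Context with no explicit credential: principal used, or NULL if expired. */
static const char *init_ctx_default(enum policy p) {
    int expired = defcred.valid && defcred.expires <= now;
    if (p == ALWAYS_REFRESH || (p == REFRESH_IF_EXPIRED && expired))
        defcred.valid = 0;               /* release the cached credential */
    if (!defcred.valid)
        defcred = store;                 /* acquire again from the store */
    if (!defcred.valid || defcred.expires <= now)
        return NULL;
    return defcred.principal;
}

/* Cache alice at t=0, rerun kinit for princ at time t, start a new context. */
const char *after_rekinit(enum policy p, long lifetime, long t, const char *princ) {
    now = 0; defcred.valid = 0;
    user_kinit("alice@EXAMPLE.COM", lifetime);
    init_ctx_default(p);                 /* populates the cache */
    now = t;
    user_kinit(princ, lifetime);
    return init_ctx_default(p);
}

int main(void) {
    const char *names[] = { "never", "if-expired", "always" };
    for (int p = NEVER_REFRESH; p <= ALWAYS_REFRESH; p++) {
        const char *a = after_rekinit(p, 10, 20, "alice@EXAMPLE.COM");
        printf("%-10s after expiry: %s\n", names[p], a ? a : "(expired)");
        const char *b = after_rekinit(p, 100, 5, "bob@EXAMPLE.COM");
        printf("%-10s after switch: %s\n", names[p], b ? b : "(expired)");
    }
    return 0;
}
```

Only the always-refresh policy both recovers after expiry and follows a change of principal made while the old tickets are still valid.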