Subject: ksu fails without domain_realm mapping for local host
Here is a trace from a ksu built with debugging support:

wanderer:~> ./ksu -D
GET_best_princ_for_target: via prompt passwd list choice: approximation
of princ in trials # 0
GET_best_princ_for_target result-best principal rra/root@stanford.edu
source cache = FILE:/tmp/krb5cc_1000
target cache = FILE:/tmp/krb5cc_0.1
krb5_check_exp: the krb5_clockskew is 300
krb5_check_exp: currenttime - endtime -82497
krb5_check_exp: the krb5_clockskew is 300
krb5_check_exp: currenttime - endtime -82497
krb5_check_exp: the krb5_clockskew is 300
krb5_check_exp: currenttime - endtime -82497
krb5_auth_check: Client principal name: rra/root@stanford.edu
krb5_auth_check: Server principal name: host/wanderer.stanford.edu@
ksu: Matching credential not found While Retrieving credentials
local tgt principal name: krbtgt/stanford.edu@stanford.edu
WARNING: Your password may be exposed if you enter it here and are logged
in remotely using an unsecure (non-encrypted) channel.
Kerberos password for rra/root@stanford.edu: :
krb5_auth_check: got ticket for end server
out_creds->server: host/wanderer.stanford.edu@
krb5_verify_tkt_def: verifying target server
server: host/wanderer.stanford.edu@
tkt->server: host/wanderer.stanford.edu@stanford.edu
ksu: Wrong principal in request while verifying ticket for server
Authentication failed.

The problem appears to stem from the fact that ksu rolls its own ticket
verification and doesn't use krb5_verify_init_creds. Is there some
reason why it doesn't do this, or does it just predate that API? If it
just predates the API, I might be able to take a shot at producing a patch.
From: Sam Hartman <hartmans@mit.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5954] ksu fails without domain_realm mapping for local host
Date: Tue, 29 Apr 2008 13:25:09 -0400
RT-Send-Cc:
It definitely predates the API.
From: hartmans@mit.edu
Subject: SVN Commit

Ksu should call krb5_verify_init_creds instead of using its own function.
This was prompted by a desire for ksu to work without a domain_realm mapping for the local server, but the duplication of code is bad anyway.

https://github.com/krb5/krb5/commit/7686b7181e9090e4bd84fbc64ce8980673d03126
Commit By: hartmans
Revision: 21714
Changed Files:
U trunk/src/clients/ksu/krb_auth_su.c
From: hartmans@mit.edu
Subject: SVN Commit

Remove ksu's own implementation of krb5_verify_init_creds now that it is not used.

https://github.com/krb5/krb5/commit/1fd7ca9fe9c756155e9944916826147bab6f167b
Commit By: hartmans
Revision: 21715
Changed Files:
U trunk/src/clients/ksu/krb_auth_su.c
From: hartmans@mit.edu
Subject: SVN Commit

Add support for referral null realms and use the default realm as krb5_rd_req_extended does

https://github.com/krb5/krb5/commit/868264bf7c324b16d275493bcc3438125f9b1680
Commit By: hartmans
Revision: 21716
Changed Files:
U trunk/src/lib/krb5/krb/vfy_increds.c
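
The mismatch shown in the trace (`server: host/wanderer.stanford.edu@` against `tkt->server: host/wanderer.stanford.edu@stanford.edu`) and the default-realm substitution the last commit message describes, as a self-contained model added here; it is not code from krb5 or from this ticket. The `princ` struct, `parse_princ`, `server_matches` and the use of `stanford.edu` as the default realm (taken from the local TGT principal in the trace) are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model: a principal is "name@realm", split at the last '@'.
 * An empty realm models the referral (null) realm seen in the trace. */
struct princ { char name[128]; char realm[64]; };

/* Returns 0 on success, -1 if there is no '@', no name, or a part is too long. */
static int parse_princ(const char *s, struct princ *p)
{
    const char *at = strrchr(s, '@');
    if (at == NULL || at == s)
        return -1;
    size_t nlen = (size_t)(at - s), rlen = strlen(at + 1);
    if (nlen >= sizeof p->name || rlen >= sizeof p->realm)
        return -1;
    memcpy(p->name, s, nlen);
    p->name[nlen] = '\0';
    memcpy(p->realm, at + 1, rlen + 1);
    return 0;
}

/* Compare the server we asked for with the server named in the ticket.
 * referral_aware == 0: strict comparison, realm included.
 * referral_aware == 1: an empty expected realm is first replaced by
 * default_realm; the ticket's own realm is never rewritten.
 * Returns 1 on match, 0 on mismatch, -1 on malformed input. */
int server_matches(const char *expected, const char *tkt_server,
                   const char *default_realm, int referral_aware)
{
    struct princ e, t;
    if (parse_princ(expected, &e) != 0 || parse_princ(tkt_server, &t) != 0)
        return -1;
    if (referral_aware && e.realm[0] == '\0') {
        if (strlen(default_realm) >= sizeof e.realm)
            return -1;
        strcpy(e.realm, default_realm);
    }
    return strcmp(e.name, t.name) == 0 && strcmp(e.realm, t.realm) == 0;
}

int main(void)
{
    const char *want = "host/wanderer.stanford.edu@";             /* from the trace */
    const char *got  = "host/wanderer.stanford.edu@stanford.edu"; /* from the trace */
    printf("strict:         %d\n", server_matches(want, got, "stanford.edu", 0));
    printf("referral-aware: %d\n", server_matches(want, got, "stanford.edu", 1));
    return 0;
}
```

Only the expected principal's empty realm is filled in, so a ticket issued for a different realm or a different host name still fails the check.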