Skip Menu |
 

From: ghudson@mit.edu
Subject: SVN Commit

When requesting a cross-realm TGT, use the KDC instance of the current
TGT (the second data component), not the realm which the TGT came
from.

https://github.com/krb5/krb5/commit/5c94d680e4e9cbffa763ad69b112385492fd4ebf
Commit By: ghudson
Revision: 25121
Changed Files:
U trunk/src/lib/krb5/krb/get_creds.c
From: tlyu@mit.edu
Subject: SVN Commit

pull up r25121 from trunk

------------------------------------------------------------------------
r25121 | ghudson | 2011-09-01 12:21:25 -0400 (Thu, 01 Sep 2011) | 9 lines

ticket: 6952
subject: Fix cross-realm traversal TGT requests
target_version: 1.9.2
tags: pullup

When requesting a cross-realm TGT, use the KDC instance of the current
TGT (the second data component), not the realm which the TGT came
from.

https://github.com/krb5/krb5/commit/fdbfc89048530c88328327271c248b5246161e06
Commit By: tlyu
Revision: 25380
Changed Files:
U branches/krb5-1-9/src/lib/krb5/krb/get_creds.c
Date: Thu, 14 Jun 2012 16:00:34 -0400
Subject: multi-hop cross-realm w/o capaths sends request to wrong kdc
From: Chaskiel Grundman <cgrundman@gmail.com>
To: krb5-bugs@mit.edu
Download (untitled) / with headers
text/plain 2.6KiB
I have an environment with two AD domains (in one forest) and a
kerberos realm, recently upgraded to a recent heimdal. As part of that
migration, the trust between AD and the kerberos realm was redone.
Previously, both the root domain and the domain that all the
users/resources are in had trusts, but now only the root AD domain has
a trust. The heimdal kdcs have [capaths] configured and properly give
out realm referrals. The AD servers do not.


Lets call the kerberos realm KERBEROS.EXAMPLE.COM, and the AD domains
AD.EXAMPLE.COM and REALDOMAIN.AD.EXAMPLE.COM. These names _do_ reflect
the domain hierarchy relationship correctly. I only changed the
individual labels.

After the change, mit krb5 1.9 (1.9.1ish on ubuntu 11.10), cannot get
tickets on behalf of user@REALDOMAIN.AD.EXAMPLE.COM for services in
KERBEROS.EXAMPLE.COM:

% aklog -d kerberos.example.com
Note: Operation is performed on cell REALDOMAIN.AD.EXAMPLE.COM
Authenticating to cell kerberos.example.com (server XXXX.kerberos.example.com).
Trying to authenticate to user's realm REALDOMAIN.AD.EXAMPLE.COM.
Getting tickets: afs/kerberos.example.com@REALDOMAIN.AD.EXAMPLE.COM
We've deduced that we need to authenticate to realm KERBEROS.EXAMPLE.COM.
Getting tickets: afs/kerberos.example.com@KERBEROS.EXAMPLE.COM
Getting tickets: afs/kerberos.example.com@KERBEROS.EXAMPLE.COM
Kerberos error code returned by get_cred : -1765328316

That is KRB5KDC_ERR_WRONG_REALM

Setting KRB5_TRACE reveals the following:
[27580] 1339700735.363748: Requesting TGT
krbtgt/KERBEROS.EXAMPLE.COM@REALDOMAIN.AD.EXAMPLE.COM using TGT
krbtgt/AD.EXAMPLE.COM@REALDOMAIN.AD.EXAMPLE.COM
[27580] 1339700735.363759: Generated subkey for TGS request: rc4-hmac/AB6E
[27580] 1339700735.363772: etypes requested in TGS request:
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, des-cbc-crc, des,
des-cbc-md4
[27580] 1339700735.363839: Sending request (1737 bytes) to AD.EXAMPLE.COM
[27580] 1339700735.369349: Initiating TCP connection to stream 192.168.20.8:88
[27580] 1339700735.371149: Sending TCP request to stream 192.168.20.8:88
[27580] 1339700735.372676: Received answer from stream 192.168.20.8:88
[27580] 1339700735.374530: Response was not from master KDC
[27580] 1339700735.374547: TGS request result: -1765328316/Realm not
local to KDC

The library seems to be mixing up the realms, asking for an
@REALDOMAIN.AD.EXAMPLE.COM ticket from the @AD.EXAMPLE.COM kdc.

If I add some capaths to the client's krb5.conf, the problem does not
occur, but I'd really rather not have to do that everywhere. an mit
krb5 1.6 client (RHEL5) works without the capaths.
[capaths]
REALDOMAIN.AD.EXAMPLE.COM = {
KERBEROS.EXAMPLE.COM = AD.EXAMPLE.COM
AD.EXAMPLE.COM = .
}
I'm pretty sure this is a bug which was fixed in krb5 1.9.2 (see issue
#6952). You may be able to convince Ubuntu to backport the fix to their
package, or upgrade their package to 1.9.3, although with 12.04 out I
don't know how easy that will be. I apologize for the inconvenience; it
was a small typo on my part which broke a whole category of cross-realm
scenarios. We now have automated cross-realm tests which would catch a
bug like this.