From bbense@telemark.stanford.edu Thu Apr 8 12:51:44 1999
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id MAA08429 for <bugs@RT-11.MIT.EDU>; Thu, 8 Apr 1999 12:51:42 -0400
Received: from telemark.Stanford.EDU by MIT.EDU with SMTP
id AA10500; Thu, 8 Apr 99 12:51:38 EDT
Received: (from bbense@localhost) by telemark.stanford.edu (8.9.3/8.7.3) id JAA21758; Thu, 8 Apr 1999 09:51:40 -0700 (PDT)
Message-Id: <199904081651.JAA21758@telemark.stanford.edu>
Date: Thu, 8 Apr 1999 09:51:40 -0700 (PDT)
From: bbense@stanford.edu
Reply-To: bbense@stanford.edu
To: krb5-bugs@MIT.EDU
Subject: Multi-realm bug in lib/krb4/decomp_tkt.c
X-Send-Pr-Version: 3.99
>Number: 710
>Category: krb5-libs
>Synopsis: Multi-realm bug in lib/krb4/decomp_tkt.c
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Apr 08 12:52:00 EDT 1999
>Last-Modified: Thu Apr 08 14:21:00 EDT 1999
>Originator: Booker Bense
>Organization:
Stanford University
>Release: krb5-1.0.5
>Environment:
Solaris 2.5.1
System: SunOS telemark.stanford.edu 5.5.1 Generic_103640-21 sun4u sparc SUNW,Ultra-1
Architecture: sun4
>Description:
A library compiled on one realm will not work on another realm if the realm field is missing from the ticket.
>How-To-Repeat:
Build a kadmind to serve one realm with libkrb4 compiled with a different default realm.
>Fix:
- Apply this patch to decomp_tkt.c
129,133c127,129
< /* if (*prealm == 0)
< * (void) strcpy(prealm,KRB_REALM);
< */
< if ( *prealm == 0 )
< krb_get_lrealm(prealm,1) ;
---
> if (*prealm == 0)
> (void) strcpy(prealm,KRB_REALM);
>
> (void) strcpy(prealm,KRB_REALM);
>
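Review bot: the diff runs in the wrong direction: the `<` side (lines 129-133) is the version that calls krb_get_lrealm(prealm,1), and the `>` side (127-129) is the strcpy(prealm,KRB_REALM) it is meant to replace, so as posted it turns the fixed file back into the original and would have to be applied in reverse. Regenerate it from the unmodified file to the modified one, ideally as a context or unified diff so it still applies when line numbers drift. The result of krb_get_lrealm(prealm,1) is also discarded, so a failed lookup goes unnoticed; check it and either fall back or fail explicitly. The old check is left behind as a commented-out block and would be better deleted.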
>Audit-Trail:
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: krb5-bugs@MIT.EDU, bbense@stanford.edu
Cc: krb5-unassigned@RT-11.MIT.EDU, gnats-admin@RT-11.MIT.EDU,
krb5-prs@RT-11.MIT.EDU
Subject: Re: krb5-libs/710: Multi-realm bug in lib/krb4/decomp_tkt.c
Date: Thu, 8 Apr 1999 13:46:06 -0400 (EDT)
Date: Thu, 8 Apr 1999 09:51:40 -0700 (PDT)
From: bbense@stanford.edu
>Description:
A library compiled on one realm will not work on another realm if the realm field is missing from the ticket.
>How-To-Repeat:
Build a kadmind to serve one realm with libkrb4 compiled with a different default realm.
So exactly when does this happen?? I assume this is with a V4 kadmind,
but it doesn't seem to refer to the default realm unless it can't find
the local realm, and I can't see how that would cause the client realm
to be NULL in the ticket in any case.
That code was there only for backwards compatibility with very old
Kerberos V4 servers that didn't fill in the client realm in the ticket,
and that shouldn't apply to any modern systems.
- Ted
From: Booker Bense <bbense@networking.stanford.edu>
To: "Theodore Y. Ts'o" <tytso@MIT.EDU>
Cc: krb5-bugs@MIT.EDU, krb5-unassigned@RT-11.MIT.EDU,
gnats-admin@RT-11.MIT.EDU, krb5-prs@RT-11.MIT.EDU
Subject: Re: krb5-libs/710: Multi-realm bug in lib/krb4/decomp_tkt.c
Date: Thu, 8 Apr 1999 11:20:54 -0700 (PDT)
On Thu, 8 Apr 1999, Theodore Y. Ts'o wrote:
> Date: Thu, 8 Apr 1999 09:51:40 -0700 (PDT)
> From: bbense@stanford.edu
>
> >Description:
> A library compiled on one realm will not work on another realm
> if the realm field is missing from the ticket.
> >How-To-Repeat:
> Build a kadmind to serve one realm with libkrb4 compiled with
> a different default realm.
>
> So exactly when does this happen?? I assume this is with a V4 kadmind,
> but it doesn't seem to refer to the default realm unless it can't find
> the local realm, and I can't see how that would cause the client realm
> to be NULL in the ticket in any case.
>
> That code was there only for backwards compatibility with very old
> Kerberos V4 servers that didn't fill in the client realm in the ticket,
> and that shouldn't apply to any modern systems.
>
- Well, I guess you can put KAS (ie. AFS's kerberos V4 server in
that class of very old servers ). If I recall correctly from the
first time I ran across this it only occurs with service tickets
that you get directly, not with a tgt (i.e. changepw.kerberos is set
NOSEAL ).
- This bug has bitten me twice, the first time it took a week to
figure out, the second time only a day. So I thought I'd send in the
patch. It seems to me to be the right thing to do, but I'm not going
to argue about it.
- IMHO, KRB_REALM should only be used in krb_get_lrealm, otherwise
what's the point of krb_get_lrealm. I note that it also appears
in
./appl/bsd/login.c
./kadmin/v4server/acl_files.c
But at least these attempt krb_get_lrealm first. Perhaps that's
what decomp_tkt.c should do.
- Booker C. Bense
>Unformatted:
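
The fallback order suggested at the end of the thread (realm from the ticket, then the runtime local realm, then the compiled-in default), as an added C example that is not code from the krb5 tree or from either poster. `lookup_local_realm`, `client_realm`, `COMPILED_REALM`, `REALM_SZ` as used here, the realm strings and the return codes are hypothetical stand-ins for krb_get_lrealm and KRB_REALM; the realm field is a constructed NUL-terminated buffer, not the real ticket layout.

```c
#include <stdio.h>
#include <string.h>

#define REALM_SZ 40                     /* buffer size assumed for this sketch */
#define COMPILED_REALM "BUILD.EXAMPLE"  /* stand-in for compile-time KRB_REALM */

/* Runtime-configured realm; NULL models a failed lookup (constructed value). */
static const char *configured_realm = "SERVED.EXAMPLE";

/* Hypothetical stand-in for krb_get_lrealm(): 0 on success, -1 on failure. */
static int lookup_local_realm(char *r, size_t sz)
{
    if (configured_realm == NULL || strlen(configured_realm) >= sz)
        return -1;
    strcpy(r, configured_realm);        /* length checked above */
    return 0;
}

/* Resolve the client realm from a realm field of `len` bytes.
 * Returns 0 = taken from the ticket, 1 = runtime local realm,
 * 2 = compile-time default, -1 = field unterminated or too long. */
static int client_realm(const unsigned char *field, size_t len, char *prealm)
{
    const unsigned char *nul = memchr(field, 0, len);
    size_t n;

    if (nul == NULL || (n = (size_t)(nul - field)) >= REALM_SZ)
        return -1;                      /* never copy an unbounded string */
    memcpy(prealm, field, n + 1);
    if (*prealm != '\0')
        return 0;                       /* the issuing server filled it in */
    if (lookup_local_realm(prealm, REALM_SZ) == 0)
        return 1;                       /* realm this host actually serves */
    snprintf(prealm, REALM_SZ, "%s", COMPILED_REALM);
    return 2;                           /* last resort: build-time realm */
}

int main(void)
{
    static const unsigned char empty[] = "";  /* constructed: blank realm field */
    char realm[REALM_SZ];
    int src = client_realm(empty, sizeof empty, realm);

    printf("source=%d realm=%s\n", src, realm);
    return 0;
}
```

Returning the source of the realm lets a server log when a client identity was completed from local configuration rather than from the ticket itself.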