Skip Menu |
 

Download (untitled) / with headers
text/plain 4.8KiB
From bbense@telemark.stanford.edu Thu Apr 8 12:51:44 1999
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id MAA08429 for <bugs@RT-11.MIT.EDU>; Thu, 8 Apr 1999 12:51:42 -0400
Received: from telemark.Stanford.EDU by MIT.EDU with SMTP
id AA10500; Thu, 8 Apr 99 12:51:38 EDT
Received: (from bbense@localhost) by telemark.stanford.edu (8.9.3/8.7.3) id JAA21758; Thu, 8 Apr 1999 09:51:40 -0700 (PDT)
Message-Id: <199904081651.JAA21758@telemark.stanford.edu>
Date: Thu, 8 Apr 1999 09:51:40 -0700 (PDT)
From: bbense@stanford.edu
Reply-To: bbense@stanford.edu
To: krb5-bugs@MIT.EDU
Subject: Multi-realm bug in lib/krb4/decomp_tkt.c
X-Send-Pr-Version: 3.99

Show quoted text
>Number: 710
>Category: krb5-libs
>Synopsis: Multi-realm bug in lib/krb4/decomp_tkt.c
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Apr 08 12:52:00 EDT 1999
>Last-Modified: Thu Apr 08 14:21:00 EDT 1999
>Originator: Booker Bense
>Organization:
Stanford University

Show quoted text
>Release: krb5-1.0.5
>Environment:
Solaris 2.5.1

System: SunOS telemark.stanford.edu 5.5.1 Generic_103640-21 sun4u sparc SUNW,Ultra-1
Architecture: sun4

Show quoted text
>Description:
A library compiled on one realm will not work on another realm
if the realm field is missing from the ticket.
Show quoted text
>How-To-Repeat:
Build a kadmind to serve one realm with libkrb4 compiled with a different default realm.
Show quoted text
>Fix:

- Apply this patch to decomp_tkt.c

129,133c127,129
< /* if (*prealm == 0)
< * (void) strcpy(prealm,KRB_REALM);
< */
< if ( *prealm == 0 )
< krb_get_lrealm(prealm,1) ;
---
Show quoted text
> if (*prealm == 0)
> (void) strcpy(prealm,KRB_REALM);
>

Show quoted text
>Audit-Trail:

From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: krb5-bugs@MIT.EDU, bbense@stanford.edu
Cc: krb5-unassigned@RT-11.MIT.EDU, gnats-admin@RT-11.MIT.EDU,
krb5-prs@RT-11.MIT.EDU
Subject: Re: krb5-libs/710: Multi-realm bug in lib/krb4/decomp_tkt.c
Date: Thu, 8 Apr 1999 13:46:06 -0400 (EDT)

Date: Thu, 8 Apr 1999 09:51:40 -0700 (PDT)
From: bbense@stanford.edu

Show quoted text
>Description:
A library compiled on one realm will not work on another realm
if the realm field is missing from the ticket.
Show quoted text
>How-To-Repeat:
Build a kadmind to serve one realm with libkrb4 compiled with
a different default realm.

So exactly when does this happen?? I assume this is with a V4 kadmind,
but it doesn't seem to refer to the default realm unless it can't find
the local realm, and I can't see how that would cause the client realm
to be NULL in the ticket in any case.

That code was there only for backwards compatibility with very old
Kerberos V4 servers that didn't fill in the client realm in the ticket,
and that shouldn't apply to any modern systems.

- Ted

From: Booker Bense <bbense@networking.stanford.edu>
To: "Theodore Y. Ts'o" <tytso@MIT.EDU>
Cc: krb5-bugs@MIT.EDU, krb5-unassigned@RT-11.MIT.EDU,
gnats-admin@RT-11.MIT.EDU, krb5-prs@RT-11.MIT.EDU
Subject: Re: krb5-libs/710: Multi-realm bug in lib/krb4/decomp_tkt.c
Date: Thu, 8 Apr 1999 11:20:54 -0700 (PDT)

On Thu, 8 Apr 1999, Theodore Y. Ts'o wrote:

Show quoted text
> Date: Thu, 8 Apr 1999 09:51:40 -0700 (PDT)
> From: bbense@stanford.edu
>
> >Description:
> A library compiled on one realm will not work on another realm
> if the realm field is missing from the ticket.
> >How-To-Repeat:
> Build a kadmind to serve one realm with libkrb4 compiled with
> a different default realm.
>
> So exactly when does this happen?? I assume this is with a V4 kadmind,
> but it doesn't seem to refer to the default realm unless it can't find
> the local realm, and I can't see how that would cause the client realm
> to be NULL in the ticket in any case.

Show quoted text
>
> That code was there only for backwards compatibility with very old
> Kerberos V4 servers that didn't fill in the client realm in the ticket,
> and that shouldn't apply to any modern systems.
>

- Well, I guess you can put KAS (ie. AFS's kerberos V4 server in
that class of very old servers ). If I recall correctly from the
first time I ran across this it only occurs with service tickets
that you get directly, not with a tgt (i.e. changepw.kerberos is set
NOSEAL ).

- This bug has bitten me twice, the first time it took a week to
figure out, the second time only a day. So I thought I'd send in the
patch. It seems to me to be the right thing to do, but I'm not going
to argue about it.

- IMHO, KRB_REALM should only be used in krb_get_lrealm, otherwise
what's the point of krb_get_lrealm. I note that it also appears
in
./appl/bsd/login.c
./kadmin/v4server/acl_files.c

But at least these attempt krb_get_lrealm first. Perhaps that's
what decomp_tkt.c should do.

- Booker C. Bense

Show quoted text
>Unformatted:
From: tlyu@mit.edu
Subject: CVS Commit
comment

* decomp_tkt.c (dcmp_tkt_int): Patch from Booker Bense to use
krb_get_lrealm() instead of copying KRB_REALM into prealm.


To generate a diff of this commit:



cvs diff -r1.158 -r1.159 krb5/src/lib/krb4/ChangeLog
cvs diff -r1.12 -r1.13 krb5/src/lib/krb4/decomp_tkt.c