Date: Thu, 17 May 2012 15:17:57 +1000
From: Michael Morony <michael.morony@exinda.com>
To: krb5-bugs@mit.edu
Subject: S4U2Self using kvno broken in 1.10.1, but not in 1.9.3
I'm using kvno to get some tickets using protocol transition (S4U2Self)
with a Win2k3 KDC.
Essentially I am running the following 3 shell commands:

kdestroy
kinit -k -t my_keytab delegate_user
kvno -k my_keytab -U fakeuser -P delegate_user cifs/2008FileServer

The idea being to get a service ticket for cifs for user "fakeuser".

Version 1.9.3 works fine. (Compiled from MIT source on Ubuntu)

output is:
delegate_user@TEST.MYDOMAIN.COM: kvno = 2, keytab entry valid
cifs/2008FileServer@TEST.MYDOMAIN.COM: kvno = 2, keytab entry valid

Version 1.10.1 does not (Again, compiled from MIT source)

output is:

kvno: Generic preauthentication failure while getting credentials for
delegate_user@TEST.MYDOMAIN.COM
kvno: Generic preauthentication failure while getting credentials for
cifs/2008FileServer@TEST.MYDOMAIN.COM

Reason being: some error code returns have changed in the krb5 lib and
the s4u code no longer does what it is supposed to, as it can't properly
handle KRB5_PREAUTH_FAILED.

The difference in packet flow is: for 1.9.3 you see AS-REQ, then AS-REP
with preauth required, but it then goes and does a TGS-REQ S4U style as
required. For 1.10.1 you just see two AS-REQ/AS-REP asking for preauth,
then it just fails.

The fix below works for me; is there a better way, or should it be fixed
elsewhere?

diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index e4cc8a1..dd2c7d0 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -120,7 +120,8 @@ s4u_identify_user(krb5_context context,
&use_master, NULL);
if (code == 0 ||
code == KDC_ERR_PREAUTH_REQUIRED ||
- code == KDC_ERR_PREAUTH_FAILED) {
+ code == KDC_ERR_PREAUTH_FAILED ||
+ code == KRB5_PREAUTH_FAILED) {
*canon_user = userid.user;
userid.user = NULL;
code = 0;
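Review bot: the new `code == KRB5_PREAUTH_FAILED` test is the only one of the three error comparisons in this condition that can actually match, because `KRB5_PREAUTH_FAILED` is a com_err library code while `KDC_ERR_PREAUTH_REQUIRED` and `KDC_ERR_PREAUTH_FAILED` are raw Kerberos protocol error numbers that `krb5_get_init_creds` never returns to its caller. Rather than appending a fourth alternative, reduce the condition to `code == 0 || code == KRB5_PREAUTH_FAILED` and have the gak function used by `s4u_identify_user` return `KRB5_PREAUTH_FAILED` (a com_err code) instead of a protocol error number, so that the AS-reply path and the preauth-required path both produce the value being tested for.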
This is a side effect of converting encrypted timestamp from a hardcoded
preauth type handler to a built-in module.

When a hardcoded preauth handler fails (in 1.10 and prior) and it's of
type PA_REAL, it causes a complete failure of the AS exchange and its
error code is passed down to the caller of krb5_get_init_creds. This
allows s4u_creds.c to detect the return value from its gak function.

When a preauth module method fails, its code is ignored and the loop
continues to try other padata items. krb5_do_preauth returns 0 with
got_real == FALSE, which causes init_creds_step_request to return
KRB5_PREAUTH_FAILED, which is not recognized by s4u_creds.c.

The fake gak function's error can still be seen by s4u_creds.c in the
case where the KDC returns an AS reply instead of a preauth-required
error. In that case, get_init_creds invokes the gak function to decrypt
the AS reply and passes its error code down to the caller.

The suggested patch is basically correct. However, two related harmless
bugs should be fixed:

* The fake gak function should return a com_err code (probably
KRB5_PREAUTH_FAILED), not a Kerberos protocol error number.

* There is no point in testing for a KDC_ERR_PREAUTH_REQUIRED return
value, as that is another Kerberos protocol error number and will never
be generated by get_init_creds.
From: ghudson@mit.edu
Subject: SVN Commit

Fix S4U user identification in preauth case

In 1.10, encrypted timestamp became a built-in module instead of a
hardcoded padata handler. This changed the behavior of
krb5_get_init_creds as invoked by s4u_identify_user such that
KRB5_PREAUTH_FAILED is returned instead of the gak function's error.
(Module failures are not treated as hard errors, while hardcoded
padata handler errors are.) Accordingly, we should look for
KRB5_PREAUTH_FAILED in s4u_identify_user.

On a less harmful note, the gak function was returning a protocol
error code instead of a com_err code, and the caller was testing for a
different protocol error code (KDC_ERR_PREAUTH_REQUIRED) which could
never be returned by krb5_get_init_creds. Clean up both of those by
returning KRB5_PREAUTH_FAILED from the gak function and testing for
that alone.

Reported by Michael Morony.

https://github.com/krb5/krb5/commit/33a64a7f9dc7342880f7a477a8b3447891d20af5
Author: Greg Hudson <ghudson@mit.edu>
Commit: 33a64a7f9dc7342880f7a477a8b3447891d20af5
Branch: master
src/lib/krb5/krb/s4u_creds.c | 6 ++----
1 files changed, 2 insertions(+), 4 deletions(-)
From: tlyu@mit.edu
Subject: SVN Commit

Fix S4U user identification in preauth case

In 1.10, encrypted timestamp became a built-in module instead of a
hardcoded padata handler. This changed the behavior of
krb5_get_init_creds as invoked by s4u_identify_user such that
KRB5_PREAUTH_FAILED is returned instead of the gak function's error.
(Module failures are not treated as hard errors, while hardcoded
padata handler errors are.) Accordingly, we should look for
KRB5_PREAUTH_FAILED in s4u_identify_user.

On a less harmful note, the gak function was returning a protocol
error code instead of a com_err code, and the caller was testing for a
different protocol error code (KDC_ERR_PREAUTH_REQUIRED) which could
never be returned by krb5_get_init_creds. Clean up both of those by
returning KRB5_PREAUTH_FAILED from the gak function and testing for
that alone.

Reported by Michael Morony.

(cherry picked from commit 33a64a7f9dc7342880f7a477a8b3447891d20af5)

https://github.com/krb5/krb5/commit/e934d973eb7e43792062ee1a6b4396ca41d0f862
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: e934d973eb7e43792062ee1a6b4396ca41d0f862
Branch: krb5-1.10
src/lib/krb5/krb/s4u_creds.c | 6 ++----
1 files changed, 2 insertions(+), 4 deletions(-)