Date: Thu, 17 May 2012 15:17:57 +1000
From: Michael Morony <michael.morony@exinda.com>
To: krb5-bugs@mit.edu
Subject: S4U2Self using kvno broken in 1.10.1, but not in 1.9.3
I'm using kvno to get some tickets using protocol transition (S4U2Self)
with a Win2k3 KDC.
Essentially I am running the following 3 shell commands
kdestroy
kinit -k -t my_keytab delegate_user
kvno -k my_keytab -U fakeuser -P delegate_user cifs/2008FileServer
Idea being to get a service ticket for cifs for user "fakeuser".
Version 1.9.3 works fine (compiled from MIT source on Ubuntu).
Output is:
delegate_user@TEST.MYDOMAIN.COM: kvno = 2, keytab entry valid
cifs/2008FileServer@TEST.MYDOMAIN.COM: kvno = 2, keytab entry valid
Version 1.10.1 does not (again, compiled from MIT source).
Output is:
kvno: Generic preauthentication failure while getting credentials for
delegate_user@TEST.MYDOMAIN.COM
kvno: Generic preauthentication failure while getting credentials for
cifs/2008FileServer@TEST.MYDOMAIN.COM
Reason being: some error code returns have changed in the krb5 lib and the s4u
code no longer does what it is supposed to, as it can't properly handle
KRB5_PREAUTH_FAILED.
The difference in packet flow is: for 1.9.3 you see AS-REQ, then AS-REP
with preauth required, but it then goes and does a TGS-REQ S4U style as
required. For 1.10.1 you just see two AS-REQ/AS-REP asking for preauth, then
it just fails.
The fix below works for me. Is there a better way, or should it be fixed
elsewhere?
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index e4cc8a1..dd2c7d0 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -120,7 +120,8 @@ s4u_identify_user(krb5_context context,
&use_master, NULL);
if (code == 0 ||
code == KDC_ERR_PREAUTH_REQUIRED ||
- code == KDC_ERR_PREAUTH_FAILED) {
+ code == KDC_ERR_PREAUTH_FAILED ||
+ code == KRB5_PREAUTH_FAILED) {
*canon_user = userid.user;
userid.user = NULL;
code = 0;
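Review bot: the added `code == KRB5_PREAUTH_FAILED` arm in s4u_identify_user treats a library-side error as equivalent to the two KDC error codes beside it, but unlike KDC_ERR_PREAUTH_REQUIRED and KDC_ERR_PREAUTH_FAILED it does not by itself indicate that the KDC answered and that userid.user was populated; since the very next lines do `*canon_user = userid.user; userid.user = NULL; code = 0;`, a KRB5_PREAUTH_FAILED return with userid.user still NULL would report success with a NULL canonical user. Suggest guarding the new arm with a check that userid.user is non-NULL (or accepting KRB5_PREAUTH_FAILED only when it is), and adding a comment above the condition stating why a preauthentication failure counts as a successful identification here, so the next error-mapping change in the library is caught rather than silently widening this accept list.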