From root@bitty.cacr.caltech.edu Tue Jun 29 15:38:41 1999
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id PAA29717 for <bugs@RT-11.MIT.EDU>; Tue, 29 Jun 1999 15:38:40 -0400
Received: from bitty.cacr.caltech.edu by MIT.EDU with SMTP
id AA13359; Tue, 29 Jun 99 15:38:00 EDT
Received: (from root@localhost) by bitty.cacr.caltech.edu (AIX4.2/UCB 8.7/8.7) id MAA19166; Tue, 29 Jun 1999 12:38:38 -0700 (PDT)
Message-Id: <199906291938.MAA19166@bitty.cacr.caltech.edu>
Date: Tue, 29 Jun 1999 12:38:38 -0700 (PDT)
From: patton@cacr.caltech.edu
Reply-To: patton@cacr.caltech.edu
To: krb5-bugs@MIT.EDU
Cc: patton@cacr.caltech.edu
Subject: krb5-clients : error with kinit (AIX/DCE)
X-Send-Pr-Version: 3.99

>Number: 731
>Category: krb5-libs
>Synopsis: kinit gets ASN.1 missing field when using a DCE security server
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: tlyu
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Jun 29 15:39:01 EDT 1999
>Last-Modified: Thu Sep 13 23:35:57 EDT 2001
>Originator: James Patton
>Organization:
Caltech

>Release: krb5-1.0.6
>Environment:
IBM 7015-R24, AIX 4.2.1, IBM C compiler 3.1.3.8
System: AIX bitty 2 4 000027948200


>Description:
kinit fails with the following error message:
kinit: ASN.1 structure is missing a required field while getting
initial credentials
I'm using a DCE security server as the KDC. It is the IBM
DCE package "dce.security.rte" at level 2.1.0.24
(based on DCE 1.1)

Under the debugger, I found that the area creating the error is:
asn1_decode_kdc_rep() line 498 in "asn1_k_decode.c"
decode_krb5_as_rep(), line 311 in "krb5_decode.c"
send_as_request(), line 154 in "get_in_tkt.c"
krb5_get_in_tkt(), line 452 in "get_in_tkt.c"
krb5_get_in_tkt_with_password(), line 123 in "in_tkt_pwd.c"
main(), line 335 in "kinit.c"

The command is:
get_field(val->enc_part,6,asn1_decode_encrypted_data);
There appears to be no tag number 6 in the returned packet.
(The tag number after reading tag 5 is 2147483647)

I've tried building previous versions of Kerberos, including
1.0.5. None of these produce this error, and I am able to acquire
tickets. (I haven't been able to use these earlier versions because
of other problems I'm having with them.)

Here is the /etc/krb5.conf file I'm using:

[libdefaults]
ticket_lifetime = 600
default_realm = cacr.caltech.edu
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
kdc_req_checksum_type = 2
ap_req_checksum_type = 2
safe_checksum_type = 3
ccache_type = 2

[realms]
cacr.caltech.edu = {
kdc = hpssctrl.cacr.caltech.edu:88
admin_server = hpssctrl.cacr.caltech.edu:88
default_domain = cacr.caltech.edu
}

[domain_realm]
cacr.caltech.edu = cacr.caltech.edu


>How-To-Repeat:
Execute kinit

>Fix:

>Audit-Trail:

From: Tom Yu <tlyu@MIT.EDU>
To: patton@cacr.caltech.edu
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-clients/731: krb5-clients : error with kinit (AIX/DCE)
Date: Wed, 30 Jun 1999 00:27:52 -0400 (EDT)

I'm working on this... it's fairly tricky; some code that we added to
the ASN.1 decoders for krb5-1.0.6 results in the (non-standard)
indefinite-length encoding used by the DCE KDC being handled
incorrectly.

BTW, your kerberos server returns the response packet from a different
IP address than it received the request on, which is confusing.

---Tom

Responsible-Changed-From-To: krb5-unassigned->tlyu
Responsible-Changed-By: raeburn
Responsible-Changed-When: Thu Jul 1 18:00:25 1999
Responsible-Changed-Why:

Tom's "Mr. ASN.1" these days. :-)

State-Changed-From-To: open-analyzed
State-Changed-By: raeburn
State-Changed-When: Thu Jul 1 18:18:00 1999
State-Changed-Why:

Tom gave a description of the problem (above), and is working on a
decoder patch that will handle both trailing-field skipping and
indefinite-length encoding (both of which are non-standard, BTW).
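
The two behaviours named above, skipping trailing fields and following an indefinite-length encoding, shown as an added example (not the krb5 decoder and not code from this ticket). The function names and sample byte strings are constructed for illustration, and only low tag numbers are handled:

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed samples: outer SEQUENCE holding context fields [5] and [6]. */
static const uint8_t DEFINITE[] = {0x30,0x0A, 0xA5,0x03,0x02,0x01,0x05, 0xA6,0x03,0x02,0x01,0x06};
static const uint8_t INDEFINITE[] = {0x30,0x80, 0xA5,0x80,0x02,0x01,0x05,0x00,0x00,
                                     0xA6,0x80,0x02,0x01,0x06,0x00,0x00, 0x00,0x00};

/* Read identifier and length octets; return header size, or 0 if malformed. */
static size_t ber_header(const uint8_t *p, const uint8_t *end, size_t *len, int *indef)
{
    const uint8_t *s = p;
    if (end - p < 2 || (*p++ & 0x1f) == 0x1f) return 0;  /* low tag numbers only */
    uint8_t l = *p++;
    *indef = (l == 0x80);
    *len = (l < 0x80) ? l : 0;
    if (l > 0x80) {                              /* long form: l & 0x7f length octets */
        size_t n = l & 0x7f;
        if (n > sizeof(size_t) || n > (size_t)(end - p)) return 0;
        while (n--) *len = (*len << 8) | *p++;
    }
    if (*len > (size_t)(end - p)) return 0;      /* contents must fit in the buffer */
    return (size_t)(p - s);
}

/* Return the address just past the element at p, or NULL if malformed. */
static const uint8_t *ber_skip(const uint8_t *p, const uint8_t *end, int depth)
{
    size_t len, h;
    int indef;
    if (depth > 32 || (h = ber_header(p, end, &len, &indef)) == 0) return NULL;
    if (!indef) return p + h + len;              /* definite: one pointer bump */
    if (!(p[0] & 0x20)) return NULL;             /* indefinite must be constructed */
    for (p += h; end - p >= 2; ) {               /* walk children up to 00 00 */
        if (p[0] == 0 && p[1] == 0) return p + 2;
        if ((p = ber_skip(p, end, depth + 1)) == NULL) return NULL;
    }
    return NULL;                                 /* ran out before end-of-contents */
}

/* Tag number of the field after the first field of the outer element, or -1. */
int second_field_tag(const uint8_t *buf, size_t n)
{
    size_t len, h;
    int indef;
    const uint8_t *end = buf + n, *p = NULL;
    if ((h = ber_header(buf, end, &len, &indef)) != 0) p = ber_skip(buf + h, end, 0);
    if (p == NULL || end - p < 2) return -1;
    return p[0] & 0x1f;
}
```

With a definite length the next field is found by arithmetic on the length; with an indefinite length every child, known or not, has to be walked until the end-of-contents octets, and a truncated packet must fail rather than run past the buffer.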


From: "James M. Patton" <patton@cacr.caltech.edu>
To: Tom Yu <tlyu@MIT.EDU>
Cc: patton@cacr.caltech.edu
Subject: Re: krb5-clients/731: krb5-clients : error with kinit (AIX/DCE)
Date: Tue, 29 Jun 1999 21:43:09 -0700

> BTW, your kerberos server returns the response packet from a different
> IP address than it received the request on, which is confusing.

It's a rather odd situation. That machine, along with the others
running HPSS (High Performance Storage System) are nodes in an SP2.
The internal Ethernet network used by the SP2 control systems is
only 10 Mb/s, but that is where the hostnames are assigned.
This host is spin29. I've added 100 Mb/s cards to these nodes.
This host's 100 Mb/s interface is hpssctrl. I've tried to force all
DCE traffic over the 100 Mb/s interface by adding:
RPC_UNSUPPORTED_NETIFS=en0:css0
to the startup environment. (en0 is the 10 Mb/s and css0 is the
SP2 high-speed switch)

Did you see the response come back from spin29 instead of hpssctrl?

-James



From: "James M. Patton" <patton@cacr.caltech.edu>
To: Tom Yu <tlyu@MIT.EDU>
Cc: patton@cacr.caltech.edu
Subject: Re: krb5-clients/731: krb5-clients : error with kinit (AIX/DCE)
Date: Thu, 01 Jul 1999 16:16:58 -0700

Should I try working with krb5-1.0.5 for now?

Thanks,
-James



From: Tom Yu <tlyu@MIT.EDU>
To: "James M. Patton" <patton@cacr.caltech.edu>
Cc: Tom Yu <tlyu@MIT.EDU>, krb5-bugs@MIT.EDU
Subject: Re: krb5-clients/731: krb5-clients : error with kinit (AIX/DCE)
Date: Thu, 1 Jul 1999 19:30:56 -0400 (EDT)

>>>>> "patton" == James M Patton <patton@cacr.caltech.edu> writes:

patton> did you see the response come back from spin29 instead of
patton> hpssctrl?

Yes, I saw the response come back from 131.215.148.124, which was
confusing on my end.

---Tom

From: Tom Yu <tlyu@MIT.EDU>
To: "James M. Patton" <patton@cacr.caltech.edu>
Cc: Tom Yu <tlyu@MIT.EDU>, krb5-bugs@MIT.EDU
Subject: Re: krb5-clients/731: krb5-clients : error with kinit (AIX/DCE)
Date: Thu, 1 Jul 1999 19:32:53 -0400 (EDT)

>>>>> "patton" == James M Patton <patton@cacr.caltech.edu> writes:

patton> Should I try working with krb5-1.0.5 for now?

Try applying the following patch. It fixes the indefinite-length
problem but doesn't skip extra fields if there is an indefinite-length
encoding, which probably isn't an issue for you.

---Tom

Index: asn1buf.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/asn.1/asn1buf.c,v
retrieving revision 5.15
retrieving revision 5.16
diff -u -r5.15 -r5.16
--- asn1buf.c 1998/10/30 02:54:57 5.15
+++ asn1buf.c 1999/07/01 00:38:28 5.16
@@ -93,7 +93,15 @@
asn1buf * buf;
asn1buf * subbuf;
{
- buf->next = subbuf->bound + 1;
+ if (subbuf->bound != buf->bound) {
+ buf->next = subbuf->bound + 1;
+ } else {
+ /*
+ * indefinite length; this will suck
+ * XXX - need to skip fields somehow
+ */
+ buf->next = subbuf->next;
+ }
}

asn1_error_code asn1buf_destroy(buf)
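
Review bot: The new condition `subbuf->bound != buf->bound` treats equal bounds as meaning "indefinite length", but nothing in the hunk records that the encoding actually was indefinite, so any sub-buffer whose bound coincides with its parent's takes the `else` branch and loses the skip-to-end behaviour of `buf->next = subbuf->bound + 1`. An explicit indefinite-length indicator set where the sub-buffer is created would make the test say what it means. In the `else` branch, `buf->next = subbuf->next` assumes the caller has consumed everything it should from the sub-buffer; the XXX comment acknowledges that unread fields are not skipped, so it would help to state in the comment what the parent decoder will then see at `buf->next` and to replace "this will suck" with that description.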

State-Changed-From-To: analyzed-closed
State-Changed-By: tlyu
State-Changed-When: Thu Sep 13 23:35:35 2001
State-Changed-Why:
fixed in later releases

>Unformatted: