From: Andrea Campi <andrea.campi@gmail.com>
Date: Mon, 16 Jun 2014 12:28:41 -0700
Subject: -r option to krb5kdc does not work
To: krb5-bugs@MIT.EDU
The check for the return value of find_realm_data at https://github.com/krb5/krb5/blob/master/src/kdc/main.c#L691 is reversed, with the result that no valid realm will ever pass validation. Worse, it will be silently ignored, only to fail later when looking for the master key.

This has been there since 1995 :D

https://github.com/krb5/krb5/commit/36b0618997fd316a4f8fff8878c12e30839606a6


If krb5kdc -r has really been broken since inception, we should think
about whether we want to fix it, remove it, or replace it with the
ability to serve multiple realms out of the same DB. The best answer may
be "fix it"; if so, we should add automated tests to make sure it stays
fixed.
From: Andrea Campi <andrea.campi@gmail.com>
Date: Mon, 16 Jun 2014 15:49:19 -0700
Subject: Re: [krbdev.mit.edu #7945] -r option to krb5kdc does not work
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
I've been debugging this some more and it's only partially broken, but not in the way I thought.

I fundamentally misunderstood the way that -r works here (adding extra realms by collecting other arguments); the line I pointed to actually makes sense.
And it actually works... as long as you don't specify a -w.

Passing -w causes the parent to fork, and each child to rerun through initialize_realms, which ends up parsing argv again.
But it uses getopt(): the children will have optind > 1, so they will never see the arguments.



On Mon, Jun 16, 2014 at 3:39 PM, Greg Hudson via RT <rt-comment@krbdev.mit.edu> wrote:
If krb5kdc -r has really been broken since inception, we should think
about whether we want to fix it, remove it, or replace it with the
ability to serve multiple realms out of the same DB.  The best answer may
be "fix it"; if so, we should add automated tests to make sure it stays
fixed.
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs

Subject: krb5kdc -w and -r do not work together
I think the fix is as simple as setting "optind = 1;" before the getopt
loop. Does that work for you?
From: Andrea Campi <andrea.campi@gmail.com>
Date: Tue, 17 Jun 2014 09:29:50 -0700
Subject: Re: [krbdev.mit.edu #7945] krb5kdc -w and -r do not work together
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
That's exactly what I did, that works nicely.


On Tue, Jun 17, 2014 at 9:27 AM, Greg Hudson via RT <rt-comment@krbdev.mit.edu> wrote:
I think the fix is as simple as setting "optind = 1;" before the getopt
loop.  Does that work for you?
From: ghudson@mit.edu
Subject: git commit

Fix KDC worker process argument parsing

To create worker processes, the KDC shuts down realms, forks off the
worker processes, then reinitializes realms in each child.
Reinitializing realms requires making a second pass over the
command-line arguments. To do this with getopt, optind must be
reinitialized to 1 for each pass; otherwise, no options will be seen
the second time around.

https://github.com/krb5/krb5/commit/1776fd19120d230115527febbd22979eb64ee1ff
Author: Greg Hudson <ghudson@mit.edu>
Commit: 1776fd19120d230115527febbd22979eb64ee1ff
Branch: master
src/kdc/main.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
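
The failure mode described in the commit message above, reproduced as an added example (this is not code from krb5; `parse_realms` and `child_realms_after_fork` are hypothetical names and the argv is constructed). A parent parses its options with getopt, forks, and the child re-parses the same argv with or without resetting `optind`.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* One option-parsing pass; returns the number of -r options seen.
 * Stands in for a realm-initialization routine (hypothetical name). */
static int parse_realms(int argc, char **argv, int reset_optind)
{
    int c, realms = 0;

    if (reset_optind)
        optind = 1;     /* restart the scan at argv[1] */
    opterr = 0;         /* keep getopt quiet in this demo */
    while ((c = getopt(argc, argv, "r:w:")) != -1) {
        if (c == 'r')
            realms++;   /* optarg holds the realm name */
    }
    return realms;
}

/* Parent parses once, forks, and the child parses again.
 * Returns the realm count the child saw, or -1 on error. */
int child_realms_after_fork(int reset_optind)
{
    /* Constructed command line: one extra realm, two workers. */
    char *argv[] = { "krb5kdc", "-r", "EXAMPLE.COM", "-w", "2", NULL };
    int argc = 5, status;
    pid_t pid;

    optind = 1;                       /* known state for the first pass */
    parse_realms(argc, argv, 0);      /* parent's pass leaves optind == argc */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)                     /* child inherits the parent's optind */
        _exit(parse_realms(argc, argv, reset_optind));
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("child without reset: %d realm(s)\n", child_realms_after_fork(0));
    printf("child with optind=1: %d realm(s)\n", child_realms_after_fork(1));
    return 0;
}
```

BSD-derived libcs additionally document setting `optreset = 1` before a rescan.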
From: tlyu@mit.edu
Subject: git commit

Fix KDC worker process argument parsing

To create worker processes, the KDC shuts down realms, forks off the
worker processes, then reinitializes realms in each child.
Reinitializing realms requires making a second pass over the
command-line arguments. To do this with getopt, optind must be
reinitialized to 1 for each pass; otherwise, no options will be seen
the second time around.

(cherry picked from commit 1776fd19120d230115527febbd22979eb64ee1ff)

https://github.com/krb5/krb5/commit/d749fa1a6442a920592d34a8f43aa857a56be044
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: d749fa1a6442a920592d34a8f43aa857a56be044
Branch: krb5-1.12
src/kdc/main.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)