Subject: kinit -C loops chasing realm referrals against MIT KDC
Commit 3093b92734adfe2deb9ad6bad5a221acc967fd8b (ticket #7856) treats
PRINCIPAL_UNKNOWN errors as AS realm referrals if the client realm is
set, to work around the behavior of the Windows Server 2003 KDC.

This change introduced a looping bug against MIT KDCs, which always set
the client principal and realm in error responses, if an unknown
principal is requested. To fix this bug, the client needs to check
that the client realm is different from the requested realm before
treating the response as a realm referral.
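The looping behaviour described above, modelled as an added example in C (not krb5's own get_in_tkt.c code): the pre-fix and post-fix referral checks side by side, driven by a simulated MIT KDC that answers every unknown principal by echoing the requested realm. The struct, the error-code macros and the EXAMPLE.COM realm are constructed stand-ins for krb5's real types and values.

```c
#include <stdbool.h>
#include <string.h>

/* RFC 4120 error codes; constructed stand-ins for krb5's own enum. */
#define KDC_ERR_C_PRINCIPAL_UNKNOWN 6
#define KDC_ERR_WRONG_REALM        68

struct kdc_error {          /* the krb5_error fields the check needs */
    int error;              /* error-code from the KRB-ERROR */
    const char *crealm;     /* client realm in the error, "" if absent */
};

static bool unknown_or_wrong_realm(const struct kdc_error *e)
{
    return e->error == KDC_ERR_C_PRINCIPAL_UNKNOWN ||
           e->error == KDC_ERR_WRONG_REALM;
}

/* Pre-fix rule (ticket #7856): any crealm in the error means "referral". */
static bool is_referral_old(const struct kdc_error *e, const char *requested)
{
    (void)requested;
    return unknown_or_wrong_realm(e) && e->crealm[0] != '\0';
}

/* Fixed rule: the returned crealm must also differ from the requested realm. */
static bool is_referral_new(const struct kdc_error *e, const char *requested)
{
    return unknown_or_wrong_realm(e) && e->crealm[0] != '\0' &&
           strcmp(e->crealm, requested) != 0;
}

/* Fake MIT KDC: every unknown principal gets C_PRINCIPAL_UNKNOWN with the
 * requested realm echoed as crealm. Returns the number of AS exchanges the
 * client performs before giving up (capped so the old rule terminates). */
static int as_exchanges(bool (*is_referral)(const struct kdc_error *, const char *),
                        const char *realm, int cap)
{
    int n = 0;
    while (n < cap) {
        struct kdc_error e = { KDC_ERR_C_PRINCIPAL_UNKNOWN, realm };
        n++;
        if (!is_referral(&e, realm))
            break;              /* surface the error instead of retrying */
        realm = e.crealm;       /* follow the supposed referral */
    }
    return n;
}
```

With the old rule the client keeps re-sending the AS-REQ until the cap; with the fixed rule the first error is reported to the caller, while a genuine referral (a different crealm) is still followed by both.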

From: ghudson@mit.edu
Subject: git commit

Do not loop on principal unknown errors

If the canonicalize flag is set, the MIT KDC always returns the client
principal when KRB5_KDC_ERR_C_PRICIPAL_UNKNOWN is returned.

Check that this is really a referral by testing that the returned
client realm differs from the requested one.

[ghudson@mit.edu: simplified and narrowed is_referral() contract.
Note that a WRONG_REALM response with e-data or FAST error padata
could now be passed through k5_preauth_tryagain() if it has an empty
crealm or a crealm equal to the requested client realm. Such a
response is unexpected in practice and there is nothing dangerous
about handling it this way.]

https://github.com/krb5/krb5/commit/d5755694b620570defeecee772def90a2733c6cc
Author: Simo Sorce <simo@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: d5755694b620570defeecee772def90a2733c6cc
Branch: master
src/lib/krb5/krb/get_in_tkt.c | 40 +++++++++++++---------------------------
1 files changed, 13 insertions(+), 27 deletions(-)

From: ghudson@mit.edu
Subject: git commit

Add test for kinit -C WRONG_REALM response

https://github.com/krb5/krb5/commit/c0778ab2252ece4c3510788d9b72f7f5e3bb05dd
Author: Greg Hudson <ghudson@mit.edu>
Commit: c0778ab2252ece4c3510788d9b72f7f5e3bb05dd
Branch: master
src/tests/t_general.py | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)

From: tlyu@mit.edu
Subject: git commit

Do not loop on principal unknown errors

If the canonicalize flag is set, the MIT KDC always returns the client
principal when KRB5_KDC_ERR_C_PRICIPAL_UNKNOWN is returned.

Check that this is really a referral by testing that the returned
client realm differs from the requested one.

[ghudson@mit.edu: simplified and narrowed is_referral() contract.
Note that a WRONG_REALM response with e-data or FAST error padata
could now be passed through k5_preauth_tryagain() if it has an empty
crealm or a crealm equal to the requested client realm. Such a
response is unexpected in practice and there is nothing dangerous
about handling it this way.]

(cherry picked from commit d5755694b620570defeecee772def90a2733c6cc)

https://github.com/krb5/krb5/commit/a4d6afb74adcd1b0f0078f7a2891ddc9d51927bc
Author: Simo Sorce <simo@redhat.com>
Committer: Tom Yu <tlyu@mit.edu>
Commit: a4d6afb74adcd1b0f0078f7a2891ddc9d51927bc
Branch: krb5-1.13
src/lib/krb5/krb/get_in_tkt.c | 40 +++++++++++++---------------------------
1 files changed, 13 insertions(+), 27 deletions(-)

From: tlyu@mit.edu
Subject: git commit

Add test for kinit -C WRONG_REALM response

(cherry picked from commit c0778ab2252ece4c3510788d9b72f7f5e3bb05dd)

https://github.com/krb5/krb5/commit/3e3a1a7d7d2a0ddb0866f21d12ebcc9063a6221d
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 3e3a1a7d7d2a0ddb0866f21d12ebcc9063a6221d
Branch: krb5-1.13
src/tests/t_general.py | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)