Skip Menu |
 

Subject: iprop can choose wrong realm
The incremental propagation code can fail if either:

* The configured default realm does not match the realm being
propagated (even if the -r option is used to specify a realm)

* The slave hostname has a configured mapping for a different realm
than the realm being propagated.

These problems chiefly arise from the use of krb5_sname_to_principal()
in kprop and kpropd.

See also this thread:

http://mailman.mit.edu/pipermail/kerberos/2015-November/021025.html
Download (untitled) / with headers
text/plain 1.1KiB
The following parts of the code need to be modified to always use the
correct realm:

* kprop.c:get_tickets(), which currently uses sn2princ on the local
hostname, and substitutes the default realm (not the -r realm value)
if it gets back the referral realm. That function also uses sn2princ
on the server hostname, but ignores the realm as it is making an AS
request.

* kpropd.c:do_iprop(), which currently uses krb5_get_default_realm()
to look up the master service principal, ignoring the -r realm value.
It also uses sn2princ on the local hostname, substituting the default
realm (again, not the -r realm value) if it gets back the referral
realm.

* kpropd.c:parse_args(), which currently uses sn2princ on the local
hostname, and substitutes the -r realm value if given. If it gets
back the referral realm and no -r realm value is given, the server
principal will have no realm.

We are adding krb5_expand_hostname() from Heimdal, but (a) the
initial solution to this bug should probably not use a new API so
that it can be backported, and (b) we really want an sn2princ-like
API for most of these parts of the code, just not with the realm
lookup.
Another option would be to migrate towards using the krbtgt principal
to authenticate. (This would essentially require using the KDB keytab
as suggested in #8299.) Such a change would greatly simplify the setup
required for propagation, but would present transition issues.
From: Russ Allbery <eagle@eyrie.org>
To: krb5-bugs@mit.edu
Subject: Multiple incremental propagation issues hosting non-default realms
Date: Wed, 23 Dec 2015 16:19:10 -0800
Download (untitled) / with headers
text/plain 2.4KiB
For various reasons (development realms, separate realms for users and
machines), I frequently want to host a Kerberos realm on a system that has
some other realm as its default realm. This generally works well if one
remembers to add -r <realm> flags to krb5kdc, kadmind, and all kadmin and
related local commands.

However, when trying to also use incremental replication, I ran into
several related issues. Not sure if this is all one bug or several bugs,
so starting with one bug and letting you clone if desired. All of these
problems have the same root cause: realm information given on the command
line doesn't propagate into all the places it needs to.

1. kpropd does not use the -r <realm> flag when deciding what KDC
configuration to read, and therefore does not get the correct stanza in
/etc/krb5kdc/kdc.conf. The usual symptom is that it doesn't pick up
iprop_enable setting and just listens to normal network connections.
Workaround: Create separate krb5.conf file with the default realm set
to the served realm and using KRB5_CONFIG to redirect kpropd to that
config file.

2. When a new replica needs a full replication, kadmind does not pass the
realm information from its command-line -r <realm> flag to kdb5_util
to generate a dump of the database. kdb5_util therefore fails, and the
replica end stalls waiting for a full replication. Workaround: Create
a wrapper that sets KRB5_CONFIG as above and then execs kdb5_util, and
tell kadmind to use that wrapper with the -p flag.

3. Once you get past kdb5_util, kprop run by kadmind has the same issue.
I used the same fix and the -K option, plus disabling normal
domain-realm mapping and forcing all hosts into the served realm in
that secondary configuration, and then added a host/<hostname> keytab
in the served realm to /etc/krb5.keytab on the replica. I'm not sure
if there's a simpler approach using cross-realm authentication.

Incidentally, the error reporting on the kadmind side is horrid. With the
kdb5_util problem above, the only error reporting in the logs was:

Dec 23 22:34:43 dfw3b-rm1-1a kadmind[70510]: iprop_full_resync_1: pclose(popen) failed: No such file or directory

which actually means "kdb5_util died with some error message nothing
captured." Once kdb5_util was fixed, failures in kprop resulted in no log
messages whatsoever on either side. I had to use strace to figure out
what was failing.

--
Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/>
One more problem (identified by PR #428): kpropd must set the context
realm with krb5_set_default_realm(), or ulog_replay() won't open the
correct DB.
From: ghudson@mit.edu
Subject: git commit

Fix kprop and kpropd realm handling

Add the sn2princ_with_realm() helper function (currently duplicated in
kprop.c and kpropd.c) to simplify principal realm substitution. Use
sn2princ_with_realm() in kprop.c and kpropd.c in place of
krb5_sname_to_principal(), with the default realm if -r is not provided.
If a realm is given to kpropd, set it as the default realm on the
kpropd_context, allowing a later call of ulog_replay() to open the
correct database.

Remove referral realm code in kprop.c and kpropd.c. Pass the realm
(default or provided) to the kdb5_util and kprop commands called by
kadmind.

https://github.com/krb5/krb5/commit/0e7b4c901bf475f61b74ca56363089906e324272
Author: Matt Rogers <mrogers@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 0e7b4c901bf475f61b74ca56363089906e324272
Branch: master
src/kadmin/server/ipropd_svc.c | 15 +++---
src/slave/kprop.c | 80 +++++++++++++++++++++-------------
src/slave/kpropd.c | 93 ++++++++++++++++++++++-----------------
3 files changed, 109 insertions(+), 79 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add kprop and iprop default_realm tests

Add tests to t_iprop.py and t_kprop.py that exercise cases where
default_realm and domain_realm maps differ, as well as overriding the
default realm with the -r argument. This includes the testing of -r
with kadmind, and an update of expected ulog numbers for tests following
the addition of an incremental test. Also refactor some common code in
t_kprop.py to use in the new tests.

https://github.com/krb5/krb5/commit/972ccb9205c28a1177853ad748aea1387ac15fde
Author: Matt Rogers <mrogers@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 972ccb9205c28a1177853ad748aea1387ac15fde
Branch: master
src/tests/t_iprop.py | 114 +++++++++++++++++++++++++++++++++++++++----------
src/tests/t_kprop.py | 77 ++++++++++++++++++++++++++++-----
2 files changed, 155 insertions(+), 36 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Fix argument order for kprop debug message

https://github.com/krb5/krb5/commit/e76c5f0b08da7129746fc8549c9a01d0af8d9ffa
Author: Matt Rogers <mrogers@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: e76c5f0b08da7129746fc8549c9a01d0af8d9ffa
Branch: master
src/kadmin/server/ipropd_svc.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)