Skip Menu |
 

History Show all quoted textShow full headers
# Sun Mar 28 12:36:21 2021 ghudson@mit.edu (Greg Hudson) - Ticket created
To: rt@krbdev.mit.edu
Date: Sun, 28 Mar 2021 12:36:21 -0400
Subject: KCM interop issue with KRB5_TC_ flags
From: ghudson@mit.edu
Download (untitled) / with headers
text/html 560B
MIT krb5 defines KRB5_TC_ flag bits from 0x1 to 0x200.  Heimdal defines them from 1<<31 to 1<<22 so that the same flag word can also contain KRB5_GC_ flags (see lib/krb5/get_cred.c:check_cc() for instance).

In the KCM protocol, flag words containing KRB5_TC_ flag bits are used in the RETRIEVE and REMOVE_CRED operations.  We don't currently use RETRIEVE, but we do use REMOVE_CRED.  If any flags are specified for this operation, Heimdal/Apple KCM servers won't see our flags and sssd won't see their flags.
# Sun Mar 28 12:43:35 2021 ghudson@mit.edu (Greg Hudson) - Queue changed from #4 to krb5
# Wed Mar 31 02:31:06 2021 ghudson@mit.edu (Greg Hudson) - Status changed from 'new' to 'resolved'
# Wed Mar 31 02:31:06 2021 ghudson@mit.edu (Greg Hudson) - Taken
# Wed Mar 31 02:31:06 2021 ghudson@mit.edu (Greg Hudson) - Correspondence added
Subject: git commit
From: ghudson@mit.edu
Download (untitled) / with headers
text/plain 631B

Fix KCM flag transmission for remove_cred

MIT krb5 uses low bits for KRB5_TC flags, while Heimdal uses high bits
so that the same flag word can also hold KRB5_GC flags. Add a mapping
function and send the Heimdal flag values when performing a
remove_cred operation.

https://github.com/krb5/krb5/commit/11a82cf424f9c905bb73680c64524f087090d4ef
Author: Greg Hudson <ghudson@mit.edu>
Commit: 11a82cf424f9c905bb73680c64524f087090d4ef
Branch: master
src/include/kcm.h | 19 +++++++++++++++++++
src/lib/krb5/ccache/cc_kcm.c | 36 +++++++++++++++++++++++++++++++++++-
2 files changed, 54 insertions(+), 1 deletions(-)
# Mon Mar 21 21:17:45 2022 ghudson@mit.edu (Greg Hudson) - Version_Fixed 1.20 added