[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: heimdal 0.2g issues (might these be fixed in later releases?)

"Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net> writes:
> We just went live with heimdal replacing our kaservers today.


> 1. The heimdal KDC doesn't react to expired tickets via krb4.  That is, it 
> completely ignores any Kerberos 4 requests which involve expired tickets, 
> instead of returning an error code and/or logging an error.  This results in 
> telnet/rlogin/ssh/etc. with expired tickets hanging.

When I read the code and try it, it works, and that code hasn't
changed in some time so it should work in 02.g too.  I assume you mean
an APPL_REQUEST?  Here is what I see:

02:08:57.644019 datan.1345 > kdc.kerberos-iv: v4 be APPL_REQUEST: v4 NADA.KTH.SE (56) (32)
02:08:57.655774 kdc.kerberos-iv > datan.1345: v4 be ERR_REPLY: .@ OK Ticket expire [|kerberos]

> 2. klog works, but krb4 tickets generated with klog.krb don't work.  Since 
> #1 applies, I don't get any error messages from either the KDC or the 
> client.  klist doesn't show anything wrong with the tickets.


> 3. heimdal's kadmind used to support krb4 kpasswd; now it gets "Broken pipe" 
> (and again, no error message on the server side).  (hmm, core file:

I think that has been fixed.

> 4. ssh with the AFS+krb4 modifications forwards tickets and tokens.  With 
> the heimdal KDC, token forwarding succeeds but forwarded tickets elicit 
> "Incorrect network address" from the KDC when used (hey, at least this time 
> we *get* an error message :) .  Setting check-ticket-addresses = false in 
> kdc.conf doesn't change this.  While it's not urgent, it would be nice if 
> this worked because otherwise you end up with no tickets on the remote if 
> Kerberos-authenticated.

Ah, check-ticket-addresses is only used in the v5 part of the KDC.
Can you try the appended patch?

> Are #1, #2, and #3 fixed in later versions of heimdal, or should I be 
> digging at the code?

I think we need to figure out why #1 is happening to you, then what's
causing #2, and if you could try later code for #3.


Index: kerberos4.c
RCS file: /afs/pdc.kth.se/src/packages/kth-krb/SourceRepository/heimdal/kdc/kerberos4.c,v
retrieving revision 1.25
diff -u -w -u -w -r1.25 kerberos4.c
--- kerberos4.c	2000/01/12 09:27:50	1.25
+++ kerberos4.c	2000/02/02 01:20:06
@@ -328,6 +328,9 @@
 	memcpy(&auth.dat, buf, pos);
 	auth.length = pos;
 	krb_set_key(tkey->key.keyvalue.data, 0);
+	krb_ignore_ip_address = !check_ticket_addresses;
 	ret = krb_rd_req(&auth, "krbtgt", realm, 
 			 addr->sin_addr.s_addr, &ad, 0);