Re: heimdal 0.2g issues (might these be fixed in later releases?)
"Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net> writes:
> We just went live with heimdal replacing our kaservers today.
Cool.
> 1. The heimdal KDC doesn't react to expired tickets via krb4. That is, it
> completely ignores any Kerberos 4 requests which involve expired tickets,
> instead of returning an error code and/or logging an error. This results in
> telnet/rlogin/ssh/etc. with expired tickets hanging.
When I read the code and try it, it works, and that code hasn't
changed in some time so it should work in 0.2g too. I assume you mean
an APPL_REQUEST? Here is what I see:
02:08:57.644019 datan.1345 > kdc.kerberos-iv: v4 be APPL_REQUEST: v4 NADA.KTH.SE (56) (32)
02:08:57.655774 kdc.kerberos-iv > datan.1345: v4 be ERR_REPLY: .@ OK Ticket expire [|kerberos]
> 2. klog works, but krb4 tickets generated with klog.krb don't work. Since
> #1 applies, I don't get any error messages from either the KDC or the
> client. klist doesn't show anything wrong with the tickets.
Weird.
> 3. heimdal's kadmind used to support krb4 kpasswd; now it gets "Broken pipe"
> (and again, no error message on the server side). (hmm, core file:
I think that has been fixed.
> 4. ssh with the AFS+krb4 modifications forwards tickets and tokens. With
> the heimdal KDC, token forwarding succeeds but forwarded tickets elicit
> "Incorrect network address" from the KDC when used (hey, at least this time
> we *get* an error message :) . Setting check-ticket-addresses = false in
> kdc.conf doesn't change this. While it's not urgent, it would be nice if
> this worked because otherwise you end up with no tickets on the remote if
> Kerberos-authenticated.
Ah, check-ticket-addresses is only used in the v5 part of the KDC.
Can you try the appended patch?
> Are #1, #2, and #3 fixed in later versions of heimdal, or should I be
> digging at the code?
I think we need to figure out why #1 is happening to you, then what's
causing #2, and if you could try later code for #3.
/assar
Index: kerberos4.c
===================================================================
RCS file: /afs/pdc.kth.se/src/packages/kth-krb/SourceRepository/heimdal/kdc/kerberos4.c,v
retrieving revision 1.25
diff -u -w -u -w -r1.25 kerberos4.c
--- kerberos4.c 2000/01/12 09:27:50 1.25
+++ kerberos4.c 2000/02/02 01:20:06
@@ -328,6 +328,9 @@
memcpy(&auth.dat, buf, pos);
auth.length = pos;
krb_set_key(tkey->key.keyvalue.data, 0);
+
+ krb_ignore_ip_address = !check_ticket_addresses;
+
ret = krb_rd_req(&auth, "krbtgt", realm,
addr->sin_addr.s_addr, &ad, 0);
if(ret){
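Review bot: `krb_ignore_ip_address = !check_ticket_addresses;` is assigned on every request, immediately before the `krb_rd_req(&auth, "krbtgt", realm, ...)` call, although it is a process-wide global in the krb4 library and `check_ticket_addresses` only changes when kdc.conf is read; setting it once at configuration time would make the v4 path's dependency on the option explicit and avoid re-deriving it per request. Since this hunk makes `check-ticket-addresses` affect the krb4 KDC as well as the v5 part, the kdc.conf documentation for that option should say so, and a log line when address checking is disabled would help diagnose the "Incorrect network address" case from the discussion. Note also that the diff was produced with `-w`, so whitespace-only changes in this region are not visible here.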