heimdal 0.6.4 KDC v4 support broken?

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

heimdal 0.6.4 KDC v4 support broken?

Brandon S Allbery KF8NH-2
Found in kdc/kerberos4.c near line 390 (and this time it's not a local
hack...):

        snprintf (client_name, sizeof(client_name),
                  "%s.%s@%s",
                  ad.pname, ad.pinst, ad.prealm);
        ret = db_fetch4(ad.pname, ad.pinst, ad.prealm, &client);
        if(ret != HDB_ERR_NOENTRY ||
           (ret == HDB_ERR_NOENTRY && strcmp(ad.prealm, v4_realm) == 0)) {
            char *s;
            s = kdc_log_msg(0, "Client not found in database: (krb4) "
                            "%s.%s@%s: %s",
                            ad.pname, ad.pinst, ad.prealm,
                            krb5_get_err_text(context, ret));
            make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
            free(s);
            goto out2;
        }

This seems a bit wrong; it loses with "Client not found in database:
(krb4) ... : Error 0" for valid clients.  (And the second condition
seems even more wrong.)

I note that 0.6.3 had similar code with a simpler condition... wrapped
in "#if 0".

--
brandon s. allbery   [linux,solaris,freebsd,perl]      [hidden email]
system administrator      [WAY too many hats]        [hidden email]
electrical and computer engineering, carnegie mellon univ.         KF8NH

Reply | Threaded
Open this post in threaded view
|

Re: heimdal 0.6.4 KDC v4 support broken?

Brandon S Allbery KF8NH-2
On Fri, 2005-05-27 at 13:50 -0400, Brandon S. Allbery KF8NH wrote:
> if(ret != HDB_ERR_NOENTRY ||
>   (ret == HDB_ERR_NOENTRY && strcmp(ad.prealm, v4_realm) == 0)) {

> This seems a bit wrong; it loses with "Client not found in database:
> (krb4) ... : Error 0" for valid clients.  (And the second condition
> seems even more wrong.)

Okay, never mind that last; I figured out it's saying "not found and not
supposed to be referred elsewhere" or something like that.  The actual
fix is to wrap the whole thing in if (ret) { ... } .

--
brandon s. allbery   [linux,solaris,freebsd,perl]      [hidden email]
system administrator      [WAY too many hats]        [hidden email]
electrical and computer engineering, carnegie mellon univ.         KF8NH

Reply | Threaded
Open this post in threaded view
|

Re: heimdal 0.6.4 KDC v4 support broken?

Thomas Kula
In reply to this post by Brandon S Allbery KF8NH-2
On Fri, May 27, 2005 at 01:50:35PM -0400, Brandon S. Allbery KF8NH wrote:

> Found in kdc/kerberos4.c near line 390 (and this time it's not a local
> hack...):
>
> snprintf (client_name, sizeof(client_name),
>  "%s.%s@%s",
>  ad.pname, ad.pinst, ad.prealm);
> ret = db_fetch4(ad.pname, ad.pinst, ad.prealm, &client);
> if(ret != HDB_ERR_NOENTRY ||
>   (ret == HDB_ERR_NOENTRY && strcmp(ad.prealm, v4_realm) == 0)) {
>    char *s;
>    s = kdc_log_msg(0, "Client not found in database: (krb4) "
>    "%s.%s@%s: %s",
>    ad.pname, ad.pinst, ad.prealm,
>    krb5_get_err_text(context, ret));
>    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
>    free(s);
>    goto out2;
> }
>
> This seems a bit wrong; it loses with "Client not found in database:
> (krb4) ... : Error 0" for valid clients.  (And the second condition
> seems even more wrong.)
>
> I note that 0.6.3 had similar code with a simpler condition... wrapped
> in "#if 0".

This was causing problems with zephyr for me 10 days ago, changing

--- kdc/kerberos4.c.orig        2005-05-17 19:07:12.000000000 -0500
+++ kdc/kerberos4.c     2005-05-17 19:08:22.000000000 -0500
@@ -387,7 +387,7 @@
                  "%s.%s@%s",
                  ad.pname, ad.pinst, ad.prealm);
        ret = db_fetch4(ad.pname, ad.pinst, ad.prealm, &client);
-       if(ret != HDB_ERR_NOENTRY ||
+       if(ret == HDB_ERR_NOENTRY ||
           (ret == HDB_ERR_NOENTRY && strcmp(ad.prealm, v4_realm) == 0)) {
            char *s;
            s = kdc_log_msg(0, "Client not found in database: (krb4) "

seemed to make sense to me (and it started working). This is my first
time trolling through heimdal, so the second bit doesn't make much sense
to me and I left it alone. I haven't looked at 0.7rc1 to see if it
works or not.


--
Thomas L. Kula | [hidden email] | http://www.madscientistresearch.net
Mathom House upon the Canw, The People's Republic of Ames
Reply | Threaded
Open this post in threaded view
|

Re: heimdal 0.6.4 KDC v4 support broken?

Thomas Kula
On Fri, May 27, 2005 at 07:46:04PM -0500, Academician Kula wrote:

> --- kdc/kerberos4.c.orig        2005-05-17 19:07:12.000000000 -0500
> +++ kdc/kerberos4.c     2005-05-17 19:08:22.000000000 -0500
> @@ -387,7 +387,7 @@
>                   "%s.%s@%s",
>                   ad.pname, ad.pinst, ad.prealm);
>         ret = db_fetch4(ad.pname, ad.pinst, ad.prealm, &client);
> -       if(ret != HDB_ERR_NOENTRY ||
> +       if(ret == HDB_ERR_NOENTRY ||
>            (ret == HDB_ERR_NOENTRY && strcmp(ad.prealm, v4_realm) == 0)) {
>             char *s;
>             s = kdc_log_msg(0, "Client not found in database: (krb4) "
>
> seemed to make sense to me (and it started working). This is my first
> time trolling through heimdal, so the second bit doesn't make much sense
> to me and I left it alone. I haven't looked at 0.7rc1 to see if it
> works or not.

As Brandon Allbery pointed out to me, this means that you lose any
other number of return values db_fetch4 can return, so it shouldn't
be used.

--
Thomas L. Kula | [hidden email] | http://www.madscientistresearch.net
Mathom House upon the Canw, The People's Republic of Ames
Reply | Threaded
Open this post in threaded view
|

Re: heimdal 0.6.4 KDC v4 support broken?

Love Hörnquist Åstrand
In reply to this post by Thomas Kula

Academician Kula <[hidden email]> writes:

> seemed to make sense to me (and it started working). This is my first
> time trolling through heimdal, so the second bit doesn't make much sense
> to me and I left it alone. I haven't looked at 0.7rc1 to see if it
> works or not.

This bug is fixed in 0.7rc1 and the 0.6 snapshot on the ftp-site, I was
planing to release 0.6.5 at the same time as 0.7 to fix both problem.

Personally, I'm happy to see that Kerberos 4 seems to be in it death bed
and almost no-one seems miss it. This shouldn't stop you all from sending
bug reports to us regarding heimdals krb4/ka integeration.

Love


attachment0 (487 bytes) Download Attachment