referrals and canonicalization

referrals and canonicalization

Ben Gooley
Hello everyone,

Java just decided to support Kerberos referrals and canonicalization and it
is turned on by default.
This brings up a question about implementation in MIT Kerberos:

Does MIT Kerberos support referrals by default or must canonicalization be
turned on in order to handle referrals?

RFCs seem vague here, so thanks!

Ben

--
*Ben Gooley* | Principal Program Manager
t. +1 (650) 505-5211
cloudera.com <https://www.cloudera.com>

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: referrals and canonicalization

Isaac Boukris
On Thu, Feb 27, 2020 at 8:03 PM Ben Gooley <[hidden email]> wrote:
>
> Hello everyone,
>
> Java just decided to support Kerberos referrals and canonicalization and it
> is turned on by default.
> This brings up a question about implementation in MIT Kerberos:
>
> Does MIT Kerberos support referrals by default or must canonicalization be
> turned on in order to handle referrals?

Can you be more specific: what use case exactly do you have in mind?
Roughly, I think in MIT, both client and KDC won't do referrals if the
canonicalize flag was not set on the request, but it is often set
automatically.

BTW, in my opinion, we shouldn't care about the canonicalize flag for
referrals. Windows doesn't seem to really care either (they'll return
both client and server referrals, even with the flag off), I think MS
just abused this flag in RFC 6806 as a generic excuse flag whenever
they deviated from RFC 4120 (while they only use the flag for
canonicalization purposes).
Re: referrals and canonicalization

Greg Hudson
In reply to this post by Ben Gooley
On 2/27/20 2:01 PM, Ben Gooley wrote:
> Does MIT Kerberos support referrals by default or must canonicalization be
> turned on in order to handle referrals?

TGS referrals are supported by default, with a fallback to a
non-referral request in some cases.

AS request canonicalization (for initial tickets) must be explicitly
enabled by the caller.

Re: referrals and canonicalization

Ben Gooley
In reply to this post by Isaac Boukris
Hi Isaac,

Thanks... for reference, Java enabled both referrals and canonicalization
requests by its clients in recent releases of OpenJDK:
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8223172

This means that if an upgrade is done and they are using an Active
Directory KDC, hadoop's use of Kerberos breaks because AD returns the
sAMAccountName in reply to the canonicalization.

In any case, part of OpenJDK's move was to align with other distros (like
MIT Kerberos) but they veered off when they supported canonicalization by
default.
We'll likely open a bug with OpenJDK, so I wanted to confirm the behavior
of MIT's implementation as a reference to argue that Java should NOT
canonicalize by default and that it should use krb5.conf's configuration.

Greg just confirmed the behavior I was questioning; I appreciate the
responses.

Thanks everyone!

On Thu, Feb 27, 2020 at 11:24 AM Isaac Boukris <[hidden email]> wrote:

> On Thu, Feb 27, 2020 at 8:03 PM Ben Gooley <[hidden email]> wrote:
> >
> > Hello everyone,
> >
> > Java just decided to support Kerberos referrals and canonicalization and it
> > is turned on by default.
> > This brings up a question about implementation in MIT Kerberos:
> >
> > Does MIT Kerberos support referrals by default or must canonicalization be
> > turned on in order to handle referrals?
>
> Can you be more specific: what use case exactly do you have in mind?
> Roughly, I think in MIT, both client and KDC won't do referrals if the
> canonicalize flag was not set on the request, but it is often set
> automatically.
>
> BTW, in my opinion, we shouldn't care about the canonicalize flag for
> referrals. Windows doesn't seem to really care either (they'll return
> both client and server referrals, even with the flag off), I think MS
> just abused this flag in RFC 6806 as a generic excuse flag whenever
> they deviated from RFC 4120 (while they only use the flag for
> canonicalization purposes).
>
--
*Ben Gooley* | Principal Program Manager
t. +1 (650) 505-5211
cloudera.com <https://www.cloudera.com>

Re: referrals and canonicalization

Isaac Boukris
In reply to this post by Greg Hudson
On Thu, Feb 27, 2020 at 8:32 PM Greg Hudson <[hidden email]> wrote:
>
> AS request canonicalization (for initial tickets) must be explicitly
> enabled by the caller.

IIRC setting canonicalize=yes in krb5.conf also enables it.
Re: referrals and canonicalization

Isaac Boukris
In reply to this post by Ben Gooley
On Thu, Feb 27, 2020 at 8:36 PM Ben Gooley <[hidden email]> wrote:
>
> Thanks... for reference, Java enabled both referrals and canonicalization requests by its clients in recent releases of OpenJDK:
> https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8223172

Thanks, interesting read.

(for example, this quote: Principal name changes are allowed in AS-REQ
responses only if 1) *canonicalize* option was set in the AS-REQ
request, 2) PA-REQ-ENC-PA-REP pre-authentication data was sent in the
AS-REQ response (meaning the server supports [RFC 6068][1] FAST
scheme) and 3) the authenticated checksum is correct.)
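As an added example (not code from the thread, from MIT krb5 or from OpenJDK), the Python model below ties together two points made in the thread: Isaac's remark that `canonicalize = yes` in krb5.conf's `[libdefaults]` turns on AS-request canonicalization, and the three conditions from the JDK text quoted in the last message under which a client may accept a changed client name in an AS-REP. Everything is deliberately simplified: Python dicts stand for the ASN.1 AS-REQ/AS-REP, and an HMAC-SHA256 over the serialised request stands in for the real PA-REQ-ENC-PA-REP checksum (RFC 6113), so the exchange runs offline. The krb5.conf fragment, the principal `hdfs/nn.example.com@EXAMPLE.COM`, the stand-in sAMAccountName `hdfs-nn@EXAMPLE.COM` and the reply key are all constructed.

```python
"""Model of the client-name-change rule for AS-REP, as quoted from the JDK text.

Added example, not code from MIT krb5, OpenJDK or the mailing-list thread.
The wire format, encryption and the real PA-REQ-ENC-PA-REP checksum (RFC 6113,
computed with the enctype's checksum over the DER-encoded AS-REQ) are replaced
by dicts and an HMAC-SHA256 stand-in so the logic can be run offline.
"""
import configparser
import hashlib
import hmac
import json

# Constructed krb5.conf fragment. Only [libdefaults] is shown: the real file's
# brace-nested [realms] blocks are not INI syntax and configparser would reject them.
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = EXAMPLE.COM
canonicalize = yes
"""

# Spellings MIT krb5 accepts as "true" for boolean settings.
TRUE_VALUES = {"yes", "true", "1", "on"}


def canonicalize_enabled(krb5_conf_text: str) -> bool:
    """True if [libdefaults] canonicalize is set to a true value; MIT's default is false."""
    cp = configparser.ConfigParser()
    cp.read_string(krb5_conf_text)
    value = cp.get("libdefaults", "canonicalize", fallback="false")
    return value.strip().lower() in TRUE_VALUES


def req_checksum(reply_key: bytes, as_req: dict) -> bytes:
    """Stand-in for PA-REQ-ENC-PA-REP: a keyed checksum over the exact request the KDC saw."""
    encoded = json.dumps(as_req, sort_keys=True).encode()
    return hmac.new(reply_key, encoded, hashlib.sha256).digest()


def build_as_req(cname: str, krb5_conf_text: str) -> dict:
    """Client side: set the canonicalize KDC option only when the config asks for it."""
    options = ["canonicalize"] if canonicalize_enabled(krb5_conf_text) else []
    return {"cname": cname, "kdc_options": options, "nonce": 0x1A2B3C}


def kdc_as_rep(reply_key: bytes, as_req: dict, canonical_cname: str,
               enc_pa_rep: bool = True) -> dict:
    """Well-behaved KDC: changes the client name only if asked, and proves it saw the request."""
    asked = "canonicalize" in as_req["kdc_options"]
    rep = {"cname": canonical_cname if asked else as_req["cname"], "padata": {}}
    if enc_pa_rep:
        rep["padata"]["PA-REQ-ENC-PA-REP"] = req_checksum(reply_key, as_req)
    return rep


def client_accepts(reply_key: bytes, as_req: dict, as_rep: dict) -> bool:
    """Apply the three quoted conditions, but only when the KDC actually changed the name."""
    if as_rep["cname"] == as_req["cname"]:
        return True  # nothing to decide: the name came back unchanged
    if "canonicalize" not in as_req["kdc_options"]:
        return False  # condition 1: we never asked for canonicalization
    chk = as_rep["padata"].get("PA-REQ-ENC-PA-REP")
    if chk is None:
        return False  # condition 2: KDC gave no proof it processed this request
    # condition 3: the checksum must verify under the reply key
    return hmac.compare_digest(chk, req_checksum(reply_key, as_req))


if __name__ == "__main__":
    key = b"constructed reply key"
    req = build_as_req("hdfs/nn.example.com@EXAMPLE.COM", SAMPLE_KRB5_CONF)
    # AD-style answer: the KDC replies with the account's sAMAccountName instead
    rep = kdc_as_rep(key, req, "hdfs-nn@EXAMPLE.COM")
    print("name change accepted:", client_accepts(key, req, rep))
```

The last test case in the model is the situation Isaac describes for Windows, a KDC that changes the name although the flag was off: under the quoted rule the client rejects the reply even when the checksum is valid, which is exactly why a library that silently turns canonicalization on (or off) changes what names an application such as Hadoop ends up seeing.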