Different Heimdal/MIT behaviour of krb5_get_credentials?

I have an AD forest MM.COM with the domains DOM1.MM.COM, DOM2.MM.COM and
SUB.DOM2.MM.COM, which all trust each other. To test the availability of
service tickets I created the following short program:
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <krb5.h>
#ifndef HEIMDAL
#include <com_err.h>
#endif

int main(int argc, char **argv) {
    krb5_creds creds;
    krb5_creds *new_creds = 0;
    krb5_error_code kret;
    krb5_ccache ccache;
    krb5_context kcontext = 0;
    char *hostname, *service;

    if (argc < 3) {
        fprintf(stderr, "Usage: %s hostname service [enctype]\n", argv[0]);
        return(1);
    }
    hostname = strdup(argv[1]);
    service = strdup(argv[2]);

    kret = krb5_init_context(&kcontext);
    if (kret) {
        com_err(argv[0], kret, "while initialising context");
        return(-1);
    }
    /* the default credential cache, populated beforehand by kinit */
    if ((kret = krb5_cc_default(kcontext, &ccache))) {
        com_err(argv[0], kret, "while initialising ccache");
        return(-1);
    }
    memset((char *)&creds, 0, sizeof(creds));
    /* build the server principal service/hostname@REALM; KRB5_NT_SRV_HST
       marks the second component as a host name, which the library may
       canonicalise (e.g. lowercase) before it is sent to the KDC */
    if ((kret = krb5_sname_to_principal(kcontext, hostname, service,
                                        KRB5_NT_SRV_HST, &creds.server))) {
        com_err(argv[0], kret, "while initialising server creds");
        return(-1);
    }
    /* the client principal is the owner of the ccache */
    if ((kret = krb5_cc_get_principal(kcontext, ccache, &creds.client))) {
        krb5_free_cred_contents(kcontext, &creds);
        com_err(argv[0], kret, "while reading principal from ccache");
        return(-1);
    }
    /* requested session key enctype: des-cbc-md5 unless overridden by argv[3] */
#ifdef HEIMDAL
    creds.session.keytype = ENCTYPE_DES_CBC_MD5;
    if (argc == 4) {
        creds.session.keytype = atoi(argv[3]);
    }
#else
    creds.keyblock.enctype = ENCTYPE_DES_CBC_MD5;
    if (argc == 4) {
        creds.keyblock.enctype = atoi(argv[3]);
    }
#endif
    /* ask the KDC(s) for the service ticket, walking the cross-realm
       trust path and storing intermediate krbtgt tickets in the ccache */
    if ((kret = krb5_get_credentials(kcontext, 0, ccache, &creds, &new_creds))) {
        krb5_free_cred_contents(kcontext, &creds);
        com_err(argv[0], kret, "while getting credentials");
        return(-1);
    }
    krb5_free_creds(kcontext, new_creds);
    krb5_free_cred_contents(kcontext, &creds);
    krb5_cc_close(kcontext, ccache);
    krb5_free_context(kcontext);
    free(hostname);
    free(service);
    return 0;
}
Now I try to get a krbtgt ticket for SUB.DOM2.MM.COM as user markus@DOM1.MM.COM.

With Heimdal it works fine and I get the list of intermediate tickets, but
when I use MIT I get an error message:

Server not found in Kerberos database while getting credentials

Does the MIT code canonicalise the name in the creds.server principal?
Thanks
Markus
# kinit
markus@DOM1.MM.COM's Password:
Your password/account will expire at Sun Jun 3 00:50:39 2007
kinit: NOTICE: ticket renewable lifetime is 1 week
# ./get_service_ticket SUB.DOM2.MM.COM krbtgt
# klist -v
Credentials cache: FILE:/tmp/krb5cc_75228
Principal: markus@DOM1.MM.COM
Cache version: 4
Server: krbtgt/DOM1.MM.COM@DOM1.MM.COM
Ticket etype: arcfour-hmac-md5, kvno 1
Auth time: May 31 14:32:06 2007
End time: Jun 1 00:32:06 2007
Renew till: Jun 7 14:32:06 2007
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:10.128.55.23, IPv4:172.16.155.1
Server: krbtgt/MM.COM@DOM1.MM.COM
Ticket etype: arcfour-hmac-md5
Auth time: May 31 14:32:06 2007
Start time: May 31 14:32:14 2007
End time: Jun 1 00:32:06 2007
Ticket flags: pre-authenticated, ok-as-delegate
Addresses: IPv4:10.128.55.23, IPv4:172.16.155.1
Server: krbtgt/DOM2.MM.COM@MM.COM
Ticket etype: arcfour-hmac-md5
Auth time: May 31 14:32:06 2007
Start time: May 31 14:32:14 2007
End time: Jun 1 00:32:06 2007
Ticket flags: pre-authenticated, ok-as-delegate
Addresses: IPv4:10.128.55.23, IPv4:172.16.155.1
Server: krbtgt/SUB.DOM2.MM.COM@DOM2.MM.COM
Ticket etype: arcfour-hmac-md5
Auth time: May 31 14:32:06 2007
Start time: May 31 14:32:14 2007
End time: Jun 1 00:32:06 2007
Ticket flags: pre-authenticated, ok-as-delegate
Addresses: IPv4:10.128.55.23, IPv4:172.16.155.1
Server: krbtgt/sub.dom2.mm.com@SUB.DOM2.MM.COM
Ticket etype: des-cbc-md5, kvno 1
Auth time: May 31 14:32:06 2007
Start time: May 31 14:32:15 2007
End time: Jun 1 00:32:06 2007
Ticket flags: pre-authenticated
Addresses: IPv4:10.128.55.23, IPv4:172.16.155.1
# kinit
markus@DOM1.MM.COM's Password:
Your password/account will expire at Sun Jun 3 00:50:39 2007
kinit: NOTICE: ticket renewable lifetime is 1 week
# ./get_service_ticket_mit SUB.DOM2.MM.COM krbtgt
./get_service_ticket_mit: Server not found in Kerberos database while getting credentials
# klist -e
Ticket cache: FILE:/tmp/krb5cc_75228
Default principal: markus@DOM1.MM.COM
Valid starting     Expires            Service principal
05/31/07 12:46:31  05/31/07 22:46:31  krbtgt/DOM1.MM.COM@DOM1.MM.COM
        renew until 06/07/07 12:46:31, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5