[27978] in Kerberos


problem with SALT_TYPE_AFS_LENGTH or "Password incorrect while getting

daemon@ATHENA.MIT.EDU (Mike Becher)
Tue Jun 26 06:59:25 2007

Date: Tue, 26 Jun 2007 12:58:52 +0200 (CEST)
From: Mike Becher <Mike.Becher@lrz-muenchen.de>
To: kerberos@mit.edu
Message-Id: <Pine.LNX.4.61.0706260732220.14159@lxmbe02.lrz.lrz-muenchen.de>

Hi *,

I've compiled and installed krb5-1.6.1 on different platforms (i586, ia64, 
and x86_64) on our Linux cluster. On i586 and x86_64 it works from 
scratch. But on Linux ia64 it doesn't work. If I use the original version 
I always get

 mibe@lxia64: kinit
 kinit(v5): Password incorrect while getting initial credentials

so I've done some debugging. It seems that ia64 doesn't initialize 
heap memory, but i586 and x86_64 do. Normally this should not be 
problematic, but when you use the special case with SALT_TYPE_AFS_LENGTH, 
this depends on the string length of that salt. The value of 
SALT_TYPE_AFS_LENGTH is -1, and in my case the salt is "lrz-muenchen.de", 
which results in a string length of 15.
To make the strlen calculation reliable there must be a '\0' at the end of 
the string. On the ia64 platform this won't work correctly. So I have 
included one patch, "krb5-1.6.1-copy_data.dif", to fix this for the functions 
`krb5int_copy_data_contents()' and `krb5int_copy_data()'.

Here is my debugging protocol. Our Linux cluster works in AFS cell 
`lrz-muenchen.de' and our Kerberos realm is `LRZ-MUENCHEN.DE'.
For the tests I use the libraries under /scratch/krb5-1.6.1/src/lib.

Here is the debugging code (fprintf(..)) which I have inserted into 
`src/lib/krb5/krb/preauth2.c' to show the problem. This function will be 
called by `kinit'.

  root@lxia64:/scratch/krb5-1.6.1/src/lib: export LD_LIBRARY_PATH=$(pwd)
  root@lxia64:/scratch/krb5-1.6.1/src/lib: vim ./krb5/krb/preauth2.c
    569 static
    570 krb5_error_code pa_salt(krb5_context context,
    571       krb5_kdc_req *request,
    572       krb5_pa_data *in_padata,
    573       krb5_pa_data **out_padata,
    574       krb5_data *salt, krb5_data *s2kparams,
    575       krb5_enctype *etype,
    576       krb5_keyblock *as_key,
    577       krb5_prompter_fct prompter, void *prompter_data,
    578       krb5_gic_get_as_key_fct gak_fct, void *gak_data)
    579 {
    580     krb5_data tmp;
    581     char *p = in_padata->contents;   /* only for testing */
    582
    583     tmp.data = in_padata->contents;
    584     tmp.length = in_padata->length;
    585
    586 fprintf(stderr, "f=%s l=%d >> salt=\"%s\" sl=%d tmp=\"%s\" tl=%d\n",
    587 __FILE__, __LINE__,
    588 ((salt == NULL) || (salt->data == NULL)) ? "NULL" : salt->data,
    589 (salt == NULL) ? -2 : salt->length,
    590 tmp.data,
    591 tmp.length
    592 );
    593     /* set this as string end marker, only for testing to see what happens */
    594     p[in_padata->length] = 0;
    595
    596 fprintf(stderr, "f=%s l=%d >> salt=\"%s\" sl=%d tmp=\"%s\" tl=%d\n",
    597 __FILE__, __LINE__,
    598 ((salt == NULL) || (salt->data == NULL)) ? "NULL" : salt->data,
    599 (salt == NULL) ? -2 : salt->length,
    600 tmp.data,
    601 tmp.length
    602 );
    603
    604     krb5_free_data_contents(context, salt);
    605
    606 fprintf(stderr, "f=%s l=%d >> salt=\"%s\" sl=%d tmp=\"%s\" tl=%d\n",
    607 __FILE__, __LINE__,
    608 ((salt == NULL) || (salt->data == NULL)) ? "NULL" : salt->data,
    609 (salt == NULL) ? -2 : salt->length,
    610 tmp.data,
    611 tmp.length
    612 );
    613
    614     krb5int_copy_data_contents(context, &tmp, salt);
    615
    616 fprintf(stderr, "f=%s l=%d >> salt=\"%s\" sl=%d tmp=\"%s\" tl=%d\n",
    617 __FILE__, __LINE__,
    618 ((salt == NULL) || (salt->data == NULL)) ? "NULL" : salt->data,
    619 (salt == NULL) ? -2 : salt->length,
    620 tmp.data,
    621 tmp.length
    622 );
    623
    624     if (in_padata->pa_type == KRB5_PADATA_AFS3_SALT)
    625   salt->length = SALT_TYPE_AFS_LENGTH;
    626
    627 fprintf(stderr, "f=%s l=%d >> salt=\"%s\" sl=%d tmp=\"%s\" tl=%d\n",
    628 __FILE__, __LINE__,
    629 ((salt == NULL) || (salt->data == NULL)) ? "NULL" : salt->data,
    630 (salt == NULL) ? -2 : salt->length,
    631 tmp.data,
    632 tmp.length
    633 );
    634     return(0);
    635 }

  root@lxia64:/scratch/krb5-1.6.1/src/lib: make
  root@lxia64:/scratch/krb5-1.6.1/src/lib: klist
  klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

  Kerberos 4 ticket cache: /tmp/tkt0
  klist: You have no tickets cached

The output on Linux ia64 host `lxia64' with the original krb5-1.6.1 
version of code:

  root@lxia64:/scratch/krb5-1.6.1/src/lib: ../clients/kinit/kinit mibe
  f=preauth2.c l=592 >> salt="NULL" sl=-1 tmp="lrz-muenchen.de  " tl=15
  f=preauth2.c l=602 >> salt="NULL" sl=-1 tmp="lrz-muenchen.de" tl=15
  f=preauth2.c l=612 >> salt="NULL" sl=-1 tmp="lrz-muenchen.de" tl=15
  f=preauth2.c l=622 >> salt="lrz-muenchen.de  " sl=15 tmp="lrz-muenchen.de" tl=15
  f=preauth2.c l=633 >> salt="lrz-muenchen.de  " sl=-1 tmp="lrz-muenchen.de" tl=15
  Password for mibe@LRZ-MUENCHEN.DE:
  kinit(v5): Password incorrect while getting initial credentials

And there are no tickets:
  root@lxia64:/scratch/krb5-1.6.1/src/lib: klist
  klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

  Kerberos 4 ticket cache: /tmp/tkt0
  klist: You have no tickets cached


Now the patched version, with the patch included in the attachment, does
this:
  root@lxia64:/scratch/krb5-1.6.1/src/lib: pushd ../..
  root@lxia64:/scratch/krb5-1.6.1/src/lib: patch -p1 < ../krb5-1.6.1-copy_data.dif
  root@lxia64:/scratch/krb5-1.6.1/src/lib: popd
  root@lxia64:/scratch/krb5-1.6.1/src/lib: make
  root@lxia64:/scratch/krb5-1.6.1/src/lib: klist
  klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
  
  Kerberos 4 ticket cache: /tmp/tkt0
  klist: You have no tickets cached

  root@lxia64:/scratch/krb5-1.6.1/src/lib: ../clients/kinit/kinit mibe
  f=preauth2.c l=592 >> salt="NULL" sl=-1 tmp="lrz-muenchen.de  " tl=15
  f=preauth2.c l=602 >> salt="NULL" sl=-1 tmp="lrz-muenchen.de" tl=15
  f=preauth2.c l=612 >> salt="NULL" sl=-1 tmp="lrz-muenchen.de" tl=15
  f=preauth2.c l=622 >> salt="lrz-muenchen.de" sl=15 tmp="lrz-muenchen.de" tl=15
  f=preauth2.c l=633 >> salt="lrz-muenchen.de" sl=-1 tmp="lrz-muenchen.de" tl=15
  Password for mibe@LRZ-MUENCHEN.DE:

And now I got my tickets:
  root@lxia64:/scratch/krb5-1.6.1/src/lib: klist
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: mibe@LRZ-MUENCHEN.DE
  
  Valid starting     Expires            Service principal
  06/26/07 08:11:03  06/29/07 08:11:03  krbtgt/LRZ-MUENCHEN.DE@LRZ-MUENCHEN.DE
          renew until 07/02/07 08:11:03
  
  Kerberos 4 ticket cache: /tmp/tkt0
  klist: You have no tickets cached

For me it works now on all three platforms. Hope this patch helps. It
might be that there are some other places in the code which rely on that
implicit logic.

cheers,
  mike


-----------------------------------------------------------------------------
 Mike Becher                              Mike.Becher@lrz-muenchen.de
 Leibniz-Rechenzentrum der                http://www.lrz.de
 Bayerischen Akademie der Wissenschaften  phone: +49-89-35831-8721
 Gruppe Hochleistungssysteme              fax:   +49-89-35831-9700
 Boltzmannstrasse 1
 D-85748 Garching bei Muenchen
 Germany
-----------------------------------------------------------------------------
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
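
The failure mode reported in the message above, as an added example that is not part of the original post and not MIT krb5 code: a length-counted copy that writes no terminator, followed by a consumer that treats the sentinel length -1 as "use strlen". The struct, helper names and the '#'-filled arena standing in for uninitialized heap memory are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define SALT_TYPE_AFS_LENGTH (-1)  /* sentinel value quoted in the post */
#define ARENA_SIZE 32

/* Hypothetical stand-in for krb5_data; not the MIT krb5 definition. */
struct demo_data { int length; char *data; };

/* Model a heap block that is not zeroed: all '#', plus one final NUL
 * so the strlen() below stays inside memory this demo owns. */
static void dirty_arena(char *arena) {
    memset(arena, '#', ARENA_SIZE - 1);
    arena[ARENA_SIZE - 1] = '\0';
}

/* Copy `in` into the arena; optionally write '\0' after the data. */
static int copy_data(const struct demo_data *in, struct demo_data *out,
                     char *arena, int terminate) {
    if (in->length < 0 || in->length + 1 > ARENA_SIZE)
        return -1;                       /* would not fit with terminator */
    dirty_arena(arena);
    memcpy(arena, in->data, (size_t)in->length);
    if (terminate)
        arena[in->length] = '\0';
    out->data = arena;
    out->length = in->length;
    return 0;
}

/* Consumer as the post describes it: the AFS sentinel means "use strlen". */
static size_t effective_salt_len(const struct demo_data *salt) {
    if (salt->length == SALT_TYPE_AFS_LENGTH)
        return strlen(salt->data);
    return (size_t)salt->length;
}

/* Returns the salt length the key derivation would see. */
size_t afs_salt_len(int terminate) {
    static char wire[] = "lrz-muenchen.de";   /* 15-byte salt from the post */
    char arena[ARENA_SIZE];
    struct demo_data in = { 15, wire }, salt;
    if (copy_data(&in, &salt, arena, terminate) != 0)
        return 0;
    salt.length = SALT_TYPE_AFS_LENGTH;       /* as pa_salt() does for AFS3 */
    return effective_salt_len(&salt);
}

int main(void) {
    printf("unterminated copy: %zu\n", afs_salt_len(0));  /* 31 */
    printf("terminated copy:   %zu\n", afs_salt_len(1));  /* 15 */
    return 0;
}
```

With the unterminated copy the derived salt picks up whatever bytes follow it in memory, so the client computes a different key than the KDC and the password is reported as incorrect.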
