[27978] in Kerberos
problem with SALT_TYPE_AFS_LENGTH or "Password incorrect while getting
daemon@ATHENA.MIT.EDU (Mike Becher)
Tue Jun 26 06:59:25 2007
Date: Tue, 26 Jun 2007 12:58:52 +0200 (CEST)
From: Mike Becher <Mike.Becher@lrz-muenchen.de>
To: kerberos@mit.edu
Message-Id: <Pine.LNX.4.61.0706260732220.14159@lxmbe02.lrz.lrz-muenchen.de>
Hi *,

I've compiled and installed krb5-1.6.1 on different platforms (i586, ia64,
and x86_64) on our Linux cluster. On i586 and x86_64 it works from
scratch. But on Linux ia64 it doesn't work. If I use the original version
I always get

mibe@lxia64: kinit
kinit(v5): Password incorrect while getting initial credentials

so I've done some debugging. It seems that ia64 doesn't initialize
heap memory, but i586 and x86_64 do. Normally this should not be
problematic but when you use the special case with SALT_TYPE_AFS_LENGTH
then this depends on the string length of that salt. The value of
SALT_TYPE_AFS_LENGTH is -1 and in my case the salt is "lrz-muenchen.de"
which results in a string length of 15.

To make the strlen calculation reliable there must be a '\0' at the end of
the string. On the ia64 platform this won't work correctly. So I have included
one patch "krb5-1.6.1-copy_data.dif" to fix this for the functions
`krb5int_copy_data_contents()' and `krb5int_copy_data()'.

Here is my debugging protocol. Our Linux cluster works in AFS cell
`lrz-muenchen.de' and our kerberos realm is `LRZ-MUENCHEN.DE'.
For the tests I use the libraries under /scratch/krb5-1.6.1/src/lib.

Here is the debugging code (fprintf(..)) which I have inserted into
`src/lib/krb5/krb/preauth2.c' to show the problem. This function will be
called by `kinit'.

root@lxia64:/scratch/krb5-1.6.1/src/lib: export LD_LIBRARY_PATH=$(pwd)
root@lxia64:/scratch/krb5-1.6.1/src/lib: vim ./krb5/krb/preauth2.c

569 static
570 krb5_error_code pa_salt(krb5_context context,
571                         krb5_kdc_req *request,
572                         krb5_pa_data *in_padata,
573                         krb5_pa_data **out_padata,
574                         krb5_data *salt, krb5_data *s2kparams,
575                         krb5_enctype *etype,
576                         krb5_keyblock *as_key,
577                         krb5_prompter_fct prompter, void *prompter_data,
578                         krb5_gic_get_as_key_fct gak_fct, void *gak_data)
579 {
580     krb5_data tmp;
581     char *p = in_padata->contents; /* only for testing */
582
583     tmp.data = in_padata->contents;
584     tmp.length = in_padata->length;
585
586     fprintf(stderr, "f=%s l=%d >> salt=\"%s\" sl=%d tmp=\"%s\" tl=%d\n",
587             __FILE__, __LINE__,
588             ((salt == NULL) || (salt->data == NULL)) ? "NULL" : salt->data,
589             (salt == NULL) ? -2 : salt->length,
590             tmp.data,
591             tmp.length
592             );
593     /* set this as string end marker, only for testing to see what happens */
594     p[in_padata->length] = 0;
595
596     fprintf(stderr, "f=%s l=%d >> salt=\"%s\" sl=%d tmp=\"%s\" tl=%d\n",
597             __FILE__, __LINE__,
598             ((salt == NULL) || (salt->data == NULL)) ? "NULL" : salt->data,
599             (salt == NULL) ? -2 : salt->length,
600             tmp.data,
601             tmp.length
602             );
603
604     krb5_free_data_contents(context, salt);
605
606     fprintf(stderr, "f=%s l=%d >> salt=\"%s\" sl=%d tmp=\"%s\" tl=%d\n",
607             __FILE__, __LINE__,
608             ((salt == NULL) || (salt->data == NULL)) ? "NULL" : salt->data,
609             (salt == NULL) ? -2 : salt->length,
610             tmp.data,
611             tmp.length
612             );
613
614     krb5int_copy_data_contents(context, &tmp, salt);
615
616     fprintf(stderr, "f=%s l=%d >> salt=\"%s\" sl=%d tmp=\"%s\" tl=%d\n",
617             __FILE__, __LINE__,
618             ((salt == NULL) || (salt->data == NULL)) ? "NULL" : salt->data,
619             (salt == NULL) ? -2 : salt->length,
620             tmp.data,
621             tmp.length
622             );
623
624     if (in_padata->pa_type == KRB5_PADATA_AFS3_SALT)
625         salt->length = SALT_TYPE_AFS_LENGTH;
626
627     fprintf(stderr, "f=%s l=%d >> salt=\"%s\" sl=%d tmp=\"%s\" tl=%d\n",
628             __FILE__, __LINE__,
629             ((salt == NULL) || (salt->data == NULL)) ? "NULL" : salt->data,
630             (salt == NULL) ? -2 : salt->length,
631             tmp.data,
632             tmp.length
633             );
634     return(0);
635 }
root@lxia64:/scratch/krb5-1.6.1/src/lib: make
root@lxia64:/scratch/krb5-1.6.1/src/lib: klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

The output on Linux ia64 host `lxia64' with the original krb5-1.6.1
version of code:

root@lxia64:/scratch/krb5-1.6.1/src/lib: ../clients/kinit/kinit mibe
f=preauth2.c l=592 >> salt="NULL" sl=-1 tmp="lrz-muenchen.de " tl=15
f=preauth2.c l=602 >> salt="NULL" sl=-1 tmp="lrz-muenchen.de" tl=15
f=preauth2.c l=612 >> salt="NULL" sl=-1 tmp="lrz-muenchen.de" tl=15
f=preauth2.c l=622 >> salt="lrz-muenchen.de " sl=15 tmp="lrz-muenchen.de" tl=15
f=preauth2.c l=633 >> salt="lrz-muenchen.de " sl=-1 tmp="lrz-muenchen.de" tl=15
Password for mibe@LRZ-MUENCHEN.DE:
kinit(v5): Password incorrect while getting initial credentials

And there are no tickets:

root@lxia64:/scratch/krb5-1.6.1/src/lib: klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Now the patched version with the patch introduced in attachment does
this:

root@lxia64:/scratch/krb5-1.6.1/src/lib: pushd ../..
root@lxia64:/scratch/krb5-1.6.1/src/lib: patch -p1 < ../krb5-1.6.1-copy_data.dif
root@lxia64:/scratch/krb5-1.6.1/src/lib: popd
root@lxia64:/scratch/krb5-1.6.1/src/lib: make
root@lxia64:/scratch/krb5-1.6.1/src/lib: klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
root@lxia64:/scratch/krb5-1.6.1/src/lib: ../clients/kinit/kinit mibe
f=preauth2.c l=592 >> salt="NULL" sl=-1 tmp="lrz-muenchen.de " tl=15
f=preauth2.c l=602 >> salt="NULL" sl=-1 tmp="lrz-muenchen.de" tl=15
f=preauth2.c l=612 >> salt="NULL" sl=-1 tmp="lrz-muenchen.de" tl=15
f=preauth2.c l=622 >> salt="lrz-muenchen.de" sl=15 tmp="lrz-muenchen.de" tl=15
f=preauth2.c l=633 >> salt="lrz-muenchen.de" sl=-1 tmp="lrz-muenchen.de" tl=15
Password for mibe@LRZ-MUENCHEN.DE:

And now I got my tickets:

root@lxia64:/scratch/krb5-1.6.1/src/lib: klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mibe@LRZ-MUENCHEN.DE

Valid starting     Expires            Service principal
06/26/07 08:11:03  06/29/07 08:11:03  krbtgt/LRZ-MUENCHEN.DE@LRZ-MUENCHEN.DE
        renew until 07/02/07 08:11:03

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

For me it works now on all three platforms. Hope this patch helps. It
might be that there are some other places in the code which rely on that
implicit logic.

cheers,
mike
-----------------------------------------------------------------------------
Mike Becher Mike.Becher@lrz-muenchen.de
Leibniz-Rechenzentrum der http://www.lrz.de
Bayerischen Akademie der Wissenschaften phone: +49-89-35831-8721
Gruppe Hochleistungssysteme fax: +49-89-35831-9700
Boltzmannstrasse 1
D-85748 Garching bei Muenchen
Germany
-----------------------------------------------------------------------------
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
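
Added example, not part of the original message and not krb5 code: a self-contained model of the failure described above, in which a length-counted salt is copied without a terminator and the AFS sentinel then makes the consumer fall back to strlen(). The names `struct blob`, `dirty_alloc`, `copy_exact`, `copy_terminated`, `effective_salt_len` and `afs_salt_len` are hypothetical, and the arena allocator is an assumption that stands in for a heap returning non-zeroed memory while keeping every read in bounds.

```c
#include <stdio.h>
#include <string.h>

#define SALT_TYPE_AFS_LENGTH (-1)        /* value given in the message */
struct blob { int length; char *data; }; /* simplified stand-in for krb5_data */
/* Hypothetical allocator modelling a heap that returns dirty memory: chunks
 * come from an arena pre-filled with 'X'. Its last byte is a NUL that is never
 * handed out, so the strlen() below stays inside the array. */
static char arena[256];
static size_t used;
static char *dirty_alloc(size_t n) {
    if (used == 0) memset(arena, 'X', sizeof arena - 1);
    if (n > sizeof arena - 1 - used) return NULL;
    used += n;
    return arena + used - n;
}
/* Copies exactly src->length bytes and leaves no terminator. */
static int copy_exact(const struct blob *src, struct blob *dst) {
    dst->length = src->length;
    if (!(dst->data = dirty_alloc((size_t)src->length))) return -1;
    memcpy(dst->data, src->data, (size_t)src->length);
    return 0;
}
/* Allocates one extra byte and sets it to NUL, which bounds strlen(). */
static int copy_terminated(const struct blob *src, struct blob *dst) {
    dst->length = src->length;
    if (!(dst->data = dirty_alloc((size_t)src->length + 1))) return -1;
    memcpy(dst->data, src->data, (size_t)src->length);
    dst->data[src->length] = '\0';
    return 0;
}
/* Length a consumer uses once the AFS sentinel has replaced the byte count. */
static size_t effective_salt_len(const struct blob *s) {
    return s->length == SALT_TYPE_AFS_LENGTH ? strlen(s->data) : (size_t)s->length;
}
/* Replays the pa_salt() sequence from the message with the given copy routine. */
static size_t afs_salt_len(int (*copy)(const struct blob *, struct blob *)) {
    char wire[15]; /* constructed sample: salt bytes as received, no NUL */
    struct blob in = { (int)sizeof wire, wire }, salt;
    memcpy(wire, "lrz-muenchen.de", sizeof wire);
    if (copy(&in, &salt) != 0) return 0;
    salt.length = SALT_TYPE_AFS_LENGTH;
    return effective_salt_len(&salt);
}
int main(void) {
    printf("exact copy:      salt length %zu\n", afs_salt_len(copy_exact));
    printf("terminated copy: salt length %zu\n", afs_salt_len(copy_terminated));
    return 0;
}
```

With the exact copy the salt fed into key derivation is longer than the 15 bytes received, so the derived key differs from the KDC's, which is consistent with the "Password incorrect" error in the message.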