[20185] in Kerberos_V5_Development
Re: Large pac causes gss_accept_sec_context to fail
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Oct 14 15:46:27 2020
To: Martijn de Gouw <martijn.de.gouw@prodrive-technologies.com>,
"krbdev@mit.edu" <krbdev@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <26289a92-ec17-2711-e2d3-c63e0673a3ee@mit.edu>
Date: Wed, 14 Oct 2020 15:46:03 -0400
MIME-Version: 1.0
In-Reply-To: <d644f494-6278-eae4-0d34-f08b97273faf@prodrive-technologies.com>
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On 10/14/20 2:24 PM, Martijn de Gouw wrote:
> I've found a redhat article about
> disabling pac data: https://access.redhat.com/solutions/969123.
I don't have access to read that, unfortunately.
> The token is very big for those users (~7k). I did some tracing in the
> krb5 library to see what really goes wrong here, since the error is not
> very descriptive. I was able to dig down in
> src/lib/krb5/asn.1/asn1_encode.c, where the token is decoded. There is a
> lot of decode_atype() performed on the token, until finally omit_atype()
> returns ASN1_MISSING_FIELD, called by get_tag() for a->type =
> atype_sequence (embedded in a type atype_tagged_thing tag, I think?).
What kind of object is being decoded? That is, in the stack trace, what
is the entry point into the ASN.1 code? It would have a name like
decode_krb5_ap_req().
In src/lib/krb5/asn.1/README.asn1 there is a section on debugging at the
end. It provides a (laborious) process for determining where an error
like this is occurring within the ASN.1 type definition.
> Now I'm wondering is MS is really doing something wrong here, or krb5 is
> unable to handle this PAC data. the 'net ads kerberos pac dump' does not
> complain or show any errors when dumping PAC data for any user.
PAC data isn't encoded in ASN.1; the code to process it lives in
src/lib/krb5/krb/pac.c. The issue is likely in the surrounding Kerberos
protocol object. It could be a truncation issue as Simo hypothesizes,
although I would expect that to normally yield a different error like
ASN1_OVERRUN.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
