Sam Hartman <hartm...@debian.org> writes:

> Hi. At today's release meeting, MIT indicated that they are going to
> set up an OS X test environment to reproduce this problem. They will
> also look into whether we can ignore the PAC and remove it from the
> authdata if it fails to verify rather than failing the authentication.
> There was agreement that if we do that we need to insert a trace point
> in the PAC code so we can know that the PAC is not verified.
I have reproduced the bug against Mac OS 10.6 Server. The following patch appears to work (against the trunk; I believe the 1.8 release didn't have tracing support). Sam, does it look reasonable to you?
diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h index 3efe0e4..43d63cc 100644 --- a/src/include/k5-trace.h +++ b/src/include/k5-trace.h @@ -177,6 +177,10 @@ #define TRACE_INIT_CREDS_SERVICE(c, service) \ TRACE(c, (c, "Setting initial creds service to {string}", service)) +#define TRACE_MSPAC_DISCARD_NOSVCSIG(c) \ + TRACE(c, (c, "Discarding MS PAC due to missing service signature. "\ + "Apple Open Directory bug?")) + #define TRACE_KT_GET_ENTRY(c, keytab, princ, vno, enctype, err) \ TRACE(c, (c, "Retrieving {princ} from {keytab} (vno {int}, " \ "enctype {etype}) with result: {kerr}", princ, keytab, \ diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c index 983b4e8..64e0d9f 100644 --- a/src/lib/krb5/krb/pac.c +++ b/src/lib/krb5/krb/pac.c @@ -637,8 +637,13 @@ krb5_pac_verify(krb5_context context, return EINVAL; ret = k5_pac_verify_server_checksum(context, pac, server); - if (ret != 0) + if (ret == ENOENT) { + TRACE_MSPAC_DISCARD_NOSVCSIG(context); + pac->verified = FALSE; + return 0; + } else if (ret != 0) { return ret; + } if (privsvr != NULL) { ret = k5_pac_verify_kdc_checksum(context, pac, privsvr); @@ -977,6 +982,11 @@ mspac_get_attribute(krb5_context kcontext, if (*more != -1 || pacctx->pac == NULL) return ENOENT; + /* If it didn't verify, pretend it didn't exist. */ + if (!pacctx->pac->verified) { + return ENOENT; + } + code = mspac_attr2type(attribute, &type); if (code != 0) return code;
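Review bot: the TRACE_MSPAC_DISCARD_NOSVCSIG message in the k5-trace.h hunk bakes a guess ("Apple Open Directory bug?") into a permanent trace string, and it carries no data a reader of the trace could use to tell this discard apart from any future one. Keep the text factual and pass the triggering error through, e.g. `TRACE(c, (c, "Discarding MS PAC: server checksum buffer missing ({kerr})", ret))`, so the trace records why the PAC was dropped rather than a hypothesis about whose fault it was. The neighbouring macros shown (TRACE_INIT_CREDS_SERVICE, TRACE_KT_GET_ENTRY) read as alphabetically ordered; if that is the convention in this file, the MSPAC macro belongs after the KT_* entries rather than between them.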
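Review bot: the krb5_pac_verify hunk changes the contract of a public API in a way callers cannot see. Before this patch a zero return meant the PAC was verified; after it, `ret == ENOENT` produces `pac->verified = FALSE; return 0;`, so any direct caller of krb5_pac_verify that goes on to read buffers with krb5_pac_get_buffer now treats an unsigned PAC as a verified one, and only the mspac plugin (which checks `verified` later) is protected. Two safer shapes: keep krb5_pac_verify returning the error and do the ENOENT-to-discard translation in the mspac authdata code that calls it, or, if the discard really has to live here, document in the krb5_pac_verify header comment that success no longer implies verification and that callers must consult the verified state. Either way, please confirm that k5_pac_verify_server_checksum returns ENOENT only for an absent buffer; if any other path in it can return ENOENT (a lookup failure, for instance), those failures are silently downgraded to "discard" by this check.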
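Review bot: the mspac_get_attribute hunk hides an unverified PAC from one accessor only; any other entry point in the mspac plugin that hands out PAC data (attribute enumeration, export of the authdata, and so on) still sees `pacctx->pac` non-NULL and will serve the unsigned buffers. Rather than adding a `verified` test per function, consider doing what the release-meeting summary describes and removing the PAC from the authdata at the point where verification fails (free it and set `pacctx->pac = NULL`), so every accessor already takes the existing `pacctx->pac == NULL` path without a second check. Minor style point: the added block wraps a single `return ENOENT;` in braces while the `if (*more != -1 || pacctx->pac == NULL) return ENOENT;` line directly above it does not; match the surrounding form.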