Hi!

I am using the KRB5 API to fetch a TGT and then the GSS API to generate negotiate tokens
(then I add these tokens into HTTP headers when needed). I am using Heimdal v1.4.

This works in all cases but one specific scenario.

Scenario (I just made up the names):

- Client (us...@kdc1.sw.net) obtains a TGT from KDC1: krbtgt/kdc1.sw....@kdc1.sw.net

- Client obtains a cross-realm ticket-granting ticket: krbtgt/east.testnet....@kdc1.sw.net

- Client obtains a service ticket: HTTP/proxy4.east.testnet....@east.testnet.net

This works, but the next time I call the GSS API, cached service tickets are ignored
and for each and every resource a new service ticket is obtained (thus flooding the
KDC server and also filling up the local client's cache).


After debugging and code reading, I have established the root cause: 

1. New requests are made because the "check_cc" function (in check_cc.c) is
given a wrong server name:

check_cc(krb5_context context, krb5_flags options, krb5_ccache ccache,
         krb5_creds *in_creds, krb5_creds *out_creds)

gets "HTTP/proxy4.east.testnet....@kdc1.sw.net" instead of
"HTTP/proxy4.east.testnet....@east.testnet.net".


2. "in_creds->server->realm" gets overridden in import_name.c, in the
function _gsskrb5_canon_name:

When gsskrb5_get_creds calls _gsskrb5_canon_name, it passes correct
creds with "EAST.TESTNET.NET" as the realm,
but here, in this place:


    /* If it's not a hostname */
    if (krb5_principal_get_type(context, p) != MAGIC_HOSTBASED_NAME_TYPE) {
        ret = krb5_copy_principal(context, p, out);
    } else if (!use_dns) {
        ret = krb5_copy_principal(context, p, out);
        if (ret)
            goto out;
        krb5_principal_set_type(context, *out, KRB5_NT_SRV_HST);
        /* the realm of the copied principal is replaced by the client's realm */
        if (sourcename)
            ret = krb5_principal_set_realm(context, *out, sourcename->realm);
    } else {
        .......

"sourcename" is the client principal ("us...@kdc1.sw.net"), so the in_creds realm
is overwritten by the one from "sourcename->realm".


This issue is present in Heimdal versions 1.4.x and 1.5.x. From v7.0 and
up, _gsskrb5_canon_name() has been reworked,
so it is not possible to simply backport the changes.


Is this normal? If so, why do we need to overwrite it?

regards,
Alibek
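The following is an added model of the behaviour described in the message above; it is not Heimdal code and not part of the original mail. It replays the non-DNS branch of _gsskrb5_canon_name as quoted, a check_cc-style exact match on the credential cache, and the cross-realm scenario with the constructed names from the message (realms written upper-case), to show why every lookup misses and the cache grows by one ticket per request. The `canon_name_keep_realm` variant and the value of `MAGIC_HOSTBASED_NAME_TYPE` are assumptions for illustration only, not a Heimdal patch or constant.

```python
"""Added illustration (not Heimdal code): realm override vs. ccache lookup."""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple

KRB5_NT_SRV_HST = 3               # krb5 name type for host-based service principals
MAGIC_HOSTBASED_NAME_TYPE = 4711  # assumed: Heimdal's internal marker for GSS host-based names


@dataclass(frozen=True)
class Principal:
    components: tuple   # e.g. ("HTTP", "proxy4.east.testnet.net")
    realm: str          # e.g. "EAST.TESTNET.NET"
    name_type: int = 0

    def __str__(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def canon_name_as_posted(p: Principal, sourcename: Optional[Principal],
                         use_dns: bool = False) -> Principal:
    """Mirror of the non-DNS branch quoted from import_name.c: a host-based
    name gets type KRB5_NT_SRV_HST and its realm is replaced by the client's."""
    if p.name_type != MAGIC_HOSTBASED_NAME_TYPE:
        return p
    if use_dns:
        raise NotImplementedError("DNS branch elided in the original message")
    out = replace(p, name_type=KRB5_NT_SRV_HST)
    if sourcename is not None:
        out = replace(out, realm=sourcename.realm)   # the override in question
    return out


def canon_name_keep_realm(p: Principal, sourcename: Optional[Principal],
                          use_dns: bool = False) -> Principal:
    """Hypothetical variant (an assumption for illustration, not a Heimdal
    patch): borrow the client's realm only when the caller supplied none,
    so a realm obtained through cross-realm referral survives."""
    if p.name_type != MAGIC_HOSTBASED_NAME_TYPE:
        return p
    if use_dns:
        raise NotImplementedError("DNS branch elided in the original message")
    out = replace(p, name_type=KRB5_NT_SRV_HST)
    if sourcename is not None and not out.realm:
        out = replace(out, realm=sourcename.realm)
    return out


def check_cc(ccache: List[Principal], server: Principal) -> Optional[Principal]:
    """Stand-in for check_cc(): a cached ticket matches only if both the
    service components and the realm are identical (name type is ignored)."""
    for cred in ccache:
        if cred.components == server.components and cred.realm == server.realm:
            return cred
    return None


def simulate(canon: Callable[..., Principal], requests: int = 3) -> Tuple[int, int]:
    """Replay the scenario from the message: a KDC1.SW.NET client holding a
    cross-realm TGT and one EAST.TESTNET.NET service ticket asks GSS for the
    same HTTP service `requests` times. Returns (KDC round trips, cache size)."""
    client = Principal(("user",), "KDC1.SW.NET")
    ccache = [                                                          # constructed cache
        Principal(("krbtgt", "KDC1.SW.NET"), "KDC1.SW.NET"),
        Principal(("krbtgt", "EAST.TESTNET.NET"), "KDC1.SW.NET"),       # cross-realm TGT
        Principal(("HTTP", "proxy4.east.testnet.net"), "EAST.TESTNET.NET"),
    ]
    wanted = Principal(("HTTP", "proxy4.east.testnet.net"), "EAST.TESTNET.NET",
                       MAGIC_HOSTBASED_NAME_TYPE)
    kdc_round_trips = 0
    for _ in range(requests):
        server = canon(wanted, client)
        if check_cc(ccache, server) is None:
            # Cache miss: the KDC is asked again and answers with a ticket in the
            # service's real realm, so the new entry never matches the overridden
            # lookup key either and the cache only grows.
            kdc_round_trips += 1
            ccache.append(Principal(wanted.components, "EAST.TESTNET.NET"))
    return kdc_round_trips, len(ccache)


if __name__ == "__main__":
    print("as posted :", simulate(canon_name_as_posted))   # (3, 6)
    print("realm kept:", simulate(canon_name_keep_realm))  # (0, 3)
```

Running it shows the two symptoms from the message side by side: with the quoted logic every call is a KDC round trip and the cache gains a duplicate service ticket each time, while a canonicalisation that leaves a caller-supplied realm alone finds the existing ticket on every call.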
