Hi! I am using the KRB5 API to fetch a TGT and then the GSS API to generate Negotiate tokens (I then add these tokens to HTTP headers when needed). I am using Heimdal v1.4.

This works in all cases but one specific scenario (I just made up the names):

  - Client (us...@kdc1.sw.net) obtains a TGT from KDC1: krbtgt/kdc1.sw....@kdc1.sw.net
  - Client obtains a cross-realm ticket-granting ticket: krbtgt/east.testnet....@kdc1.sw.net
  - Client obtains a service ticket: HTTP/proxy4.east.testnet....@east.testnet.net

This works, but the next time I call the GSS API, cached service tickets are ignored and a new service ticket is obtained for each and every resource (thus flooding the KDC server and also filling up the local client's cache).

After debugging and code reading, I have established the root cause:

1. New requests are made because the "check_cc" function (in check_cc.c) is given the wrong server name:

     check_cc(krb5_context context, krb5_flags options, krb5_ccache ccache,
              krb5_creds *in_creds, krb5_creds *out_creds)

   gets "HTTP/proxy4.east.testnet....@kdc1.sw.net" instead of "HTTP/proxy4.east.testnet....@east.testnet.net".

2. "in_creds->server->realm" gets overridden in import_name.c, in the function _gsskrb5_canon_name. When gsskrb5_get_creds calls _gsskrb5_canon_name, it passes correct creds with "EAST.TESTNET.NET" as the realm, but here, in this place:

     /* If its not a hostname */
     if (krb5_principal_get_type(context, p) != MAGIC_HOSTBASED_NAME_TYPE) {
         ret = krb5_copy_principal(context, p, out);
     } else if (!use_dns) {
         ret = krb5_copy_principal(context, p, out);
         if (ret)
             goto out;
         krb5_principal_set_type(context, *out, KRB5_NT_SRV_HST);
         if (sourcename)
             ret = krb5_principal_set_realm(context, *out, sourcename->realm);
     } else {
         .......

   "sourcename" is the client principal ("us...@kdc1.sw.net"), so the realm of in_creds' server is overwritten by the one from "sourcename->realm".

This issue is present in Heimdal versions 1.4.x and 1.5.x. From v7.0 and up, _gsskrb5_canon_name() has been reworked, so it is not possible to simply backport the changes.

Is this normal? If so, why do we need to overwrite it?

Regards,
Alibek
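To make the effect concrete, below is an added Python model of the lookup order the post describes (canonicalise the target name, search the credential cache by full server principal, fall back to the KDC on a miss). It is illustration only, not Heimdal code and not from the poster: the principals and realms (EXAMPLE.NET) are constructed, the cache is modelled as append-only like a FILE ccache, and the realm override is a flag so the behaviour the post reports (realm replaced by the client's realm) can be compared with keeping the caller's realm.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Kerberos principal split into name and realm; both must match for
    a credential-cache hit."""
    name: str    # e.g. "HTTP/proxy.east.example.net"
    realm: str   # e.g. "EAST.EXAMPLE.NET"

    @classmethod
    def parse(cls, text):
        name, sep, realm = text.rpartition("@")
        if not sep or not name or not realm:
            raise ValueError(f"not a principal: {text!r}")
        return cls(name, realm)

    def __str__(self):
        return f"{self.name}@{self.realm}"


class Client:
    """Client with an append-only credential cache (like a FILE ccache)."""

    def __init__(self, client_principal, override_realm):
        self.me = Principal.parse(client_principal)
        self.ccache = []            # list of (server Principal, ticket)
        self.kdc_requests = []      # server principals we asked a KDC for
        self.override_realm = override_realm

    def canon_name(self, target):
        """Hypothetical stand-in for _gsskrb5_canon_name.
        With override_realm=True it does what the post describes for
        Heimdal 1.4/1.5: the realm of a host-based name is replaced by the
        client's realm.  With False the caller's realm is kept."""
        if self.override_realm:
            return Principal(target.name, self.me.realm)
        return target

    def check_cc(self, server):
        """Hypothetical stand-in for check_cc: first cache entry whose
        server principal equals the requested one, realm included."""
        for cached_server, ticket in self.ccache:
            if cached_server == server:
                return ticket
        return None

    def get_creds(self, target_text):
        target = Principal.parse(target_text)
        server = self.canon_name(target)
        ticket = self.check_cc(server)
        if ticket is None:
            # Cache miss: ask the KDC.  The ticket that comes back names
            # the service in its own realm, so that is what gets cached,
            # and a rewritten lookup key will never match it.
            self.kdc_requests.append(str(server))
            ticket = f"ticket-for-{target}"
            self.ccache.append((target, ticket))
        return ticket


SERVICE = "HTTP/proxy.east.example.net@EAST.EXAMPLE.NET"   # constructed name


def kdc_round_trips(override_realm, n=3):
    """Request the same service ticket n times; return
    (KDC requests made, ccache entries) so the two behaviours compare."""
    c = Client("user@KDC1.EXAMPLE.NET", override_realm)   # constructed client
    for _ in range(n):
        c.get_creds(SERVICE)
    return len(c.kdc_requests), len(c.ccache)


if __name__ == "__main__":
    print("realm overridden:", kdc_round_trips(True))    # (3, 3)
    print("realm preserved: ", kdc_round_trips(False))   # (1, 1)
```

With the override on, every request for the same service misses the cache and goes to a KDC, and the cache grows by one entry per request; with the caller's realm preserved, only the first request reaches the KDC. The model shows only the matching logic, not Heimdal's real data structures or the DNS branch of the canonicalisation.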