On Fri, 2008-09-05 at 12:41 -0700, Henry B. Hotz wrote:
> On Sep 5, 2008, at 1:47 AM, Mark Phalan wrote:
> 
> > On Thu, 2008-09-04 at 11:41 -0700, Henry B. Hotz wrote:
> >> On Sep 4, 2008, at 4:37 AM, Mark Phalan wrote:
> >>>
> >>> Can you elaborate more on the seg-fault? I fixed this in S10u5 and
> >>> Nevada which sounds related:
> >>>
> >>> 6644742 kadmind cores when using an 'afs3' salt and password > 8 chars
> >>>
> >>> you can see (a very little bit) more at bugs.opensolaris.org.
> >>>
> >>> -M
> >>
> >> OK, you got me.  I haven't checked that recently.  Maybe you've
> >> already done what I (minimally) want.  ;-)
> >
> > Perhaps :)
> >
> >> I've seen it in kinit and kpasswd.  It's been long enough since our
> >> migration that I don't have many test cases left, but the ones we
> >> still have are kind of awkward.  Presumably the real problem was under
> >> krb5_get_init_creds_password().
> >>
> >> Did you mean kadmin (the user's client) vice kadmind (the server)?
> >
> > kadmind was crashing. I didn't see anything else crashing with afs3
> > passwords but that probably doesn't mean too much as we haven't been
> > testing much with an afs3 salt.
> > The problem was in string2key.c:
> >
> > http://src.opensolaris.org/source/diff/onnv/onnv-gate/usr/src/lib/gss_mechs/mech_krb5/crypto/des/string2key.c?r2=%2Fonnv%2Fonnv-gate%2Fusr%2Fsrc%2Flib%2Fgss_mechs%2Fmech_krb5%2Fcrypto%2Fdes%2Fstring2key.c%405826&r1=%2Fonnv%2Fonnv-gate%2Fusr%2Fsrc%2Flib%2Fgss_mechs%2Fmech_krb5%2Fcrypto%2Fdes%2Fstring2key.c%400
> >
> > The fix was just to resync some code back from MIT.
> >
> > I'll play around with afs3 salts some more and see if I can get anything
> > to crash/behave badly.
> >
> > -M
> 
> I'm very confused as to why kadmind (which should only see a service  
> ticket, not a password, right?) should care what salt type was used to  
> get that ticket.

kadmind was crashing when creating a new key with an afs salt.

-M

> 
> The client code doesn't always crash on AFS-salted passwords.  If it  
> doesn't crash outright, it usually seems to work.  I've had S9 kinit  
> work but not S9 kpasswd, and vice versa.  If you want help with a  
> server to test against contact me off-list, but I won't promise very  
> much.

Thanks for the offer.

-M

