Client keytab realm mismanagement #4537

frozencemetery · 2021-01-12T21:11:48Z

Issue Description
set_krb5_creds() creates a principal with an empty string ("") for a realm and expects this to function as a wildcard. This was not the intent of krb5, and depending on DNS canonicalization settings, it may not work.

Package Version and Platform:

Platform: Fedora (32 through rawhide)
Package and version: all (distro ships 389-ds-base-2.0.1, but problem is on HEAD as well)
Browser [e.g. chrome, safari]: firefox

Steps to Reproduce
Steps to reproduce the behavior:

Enable dns_canonicalize_hostname = fallback in krb5.conf
Install an IPA server.
Install an IPA replica.

Expected results
Successful replica installation. Instead, replication will fail due to principal not being found.

Screenshots
N/A

Additional context
Downstream, this is https://bugzilla.redhat.com/show_bug.cgi?id=1868482

The text was updated successfully, but these errors were encountered:

@Firstyear

Bug description: set_krb5_creds() creates a principal with an empty string for a realm, and assumes this will function as a wildcard. However, this behavior is not a guarantee that krb5 provides; dependent on canonicalization settings, it could result in later failures in SASL. Fix description: Remove set_krb5_creds(). Previously, this function existed in order to treat the keytab at KRB5_KTNAME as a source of initiator credentials. However, since krb5-1.11, there is a separate environment variable KRB5_CLIENT_KTNAME that provides this functionality. In the process, remove the unused Heimdal vestiges. In 773e898 , the semantics of HAVE_KRB5 were changed to refer to specifically MIT krb5. As a result, none of the Kerberos goo has run against Heimdal since then. When Heimdal has a feature release, it will also support KRB5_CLIENT_KTNAME, and so this code will work with it too. relates: 389ds#4537 Author: Robbie Harwood <rharwood@redhat.com> Review by: @Firstyear, @mreynolds389, @droideck (Thanks!)

@Firstyear

Bug description: set_krb5_creds() creates a principal with an empty string for a realm, and assumes this will function as a wildcard. However, this behavior is not a guarantee that krb5 provides; dependent on canonicalization settings, it could result in later failures in SASL. Fix description: Remove set_krb5_creds(). Previously, this function existed in order to treat the keytab at KRB5_KTNAME as a source of initiator credentials. However, since krb5-1.11, there is a separate environment variable KRB5_CLIENT_KTNAME that provides this functionality. In the process, remove the unused Heimdal vestiges. In 773e898 , the semantics of HAVE_KRB5 were changed to refer to specifically MIT krb5. As a result, none of the Kerberos goo has run against Heimdal since then. When Heimdal has a feature release, it will also support KRB5_CLIENT_KTNAME, and so this code will work with it too. relates: #4537 Author: Robbie Harwood <rharwood@redhat.com> Review by: @Firstyear, @mreynolds389, @droideck (Thanks!)

frozencemetery added the needs triage The issue will be triaged during scrum label Jan 12, 2021

frozencemetery mentioned this issue Jan 12, 2021

Client keytab fixes #4523

Merged

Firstyear closed this as completed Jan 12, 2021

mreynolds389 removed the needs triage The issue will be triaged during scrum label Jan 14, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Client keytab realm mismanagement #4537

Client keytab realm mismanagement #4537

frozencemetery commented Jan 12, 2021

Client keytab realm mismanagement #4537

Client keytab realm mismanagement #4537

Comments

frozencemetery commented Jan 12, 2021