On Wed, Nov 23, 2011 at 11:53:11AM +0100, Sumit Bose wrote:
> On Tue, Nov 22, 2011 at 07:10:54PM -0500, Simo Sorce wrote:
> > In some cases the KDC will decide to use a different checksum type when
> > re-signing a PAC to include it in a service ticket.
> > 
> > This is common in a cross-realm trust with AD as most AD DCs will use a
> > HMAC-MD5-RC4 checksum while IPA's KDC will instead choose to use
> > HMAC-SHA-AES when re-signing the PAC.
> > 
> > In current MIT code re-signing a PAC with a signature that differs in
> > length from the original will cause an error.
> > 
> > While MIT should handle this properly, we use the workaround of
> > regenerating the PAC from scratch so that there is no trace of the
> > previous signatures.
> > 
> > Tested while obtaining a cross-realm ticket from an AD domain against a
> > service belonging to an IPA domain.
> 
> I see "authdata (kdb) handling failure: Cannot allocate memory" in
> krb5kdc.log when trying to log in with putty into the IPA server. Do you
> already have an idea or shall I start gdb?

I think I found two issues which should be fixed by the following patch:
 - krb5_pac_add_buffer() expects krb5_pac and not krb5_pac * as a second
   argument
 - your patch copies all buffers, including the checksums, which you
   wanted to remove from the new pac

With this patch applied I do not see any errors in the krb5kdc.log and
ssh from AD to IPA server works.

HTH

bye,
Sumit

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c
b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 63c18b5..68a347a 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -28,6 +28,10 @@
 #define KRB5INT_PAC_SIGN_AVAILABLE 1
 #define KRB5INT_FIND_AUTHDATA_AVAILABLE 1
 
+#define PAC_SERVER_CHECKSUM   6  /**< Server checksum */
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c
b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 63c18b5..68a347a 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -28,6 +28,10 @@
 #define KRB5INT_PAC_SIGN_AVAILABLE 1
 #define KRB5INT_FIND_AUTHDATA_AVAILABLE 1
 
+#define PAC_SERVER_CHECKSUM   6  /**< Server checksum */
+#define PAC_PRIVSVR_CHECKSUM  7  /**< KDC checksum */
+
+
 #if KRB5INT_PAC_SIGN_AVAILABLE
 krb5_error_code
 krb5int_pac_sign(krb5_context context,
@@ -604,16 +608,19 @@ static krb5_error_code
ipadb_verify_pac(krb5_context context,
     }
 
     for (i = 0; i < num_buffers; i++) {
-        kerr = krb5_pac_get_buffer(context, old_pac,
-                                    buffer_types[i], &data);
-        if (kerr == 0) {
-            kerr = krb5_pac_add_buffer(context, &new_pac,
-                                        buffer_types[i], &data);
-        }
-        krb5_free_data_contents(context, &data);
-        if (kerr) {
-            krb5_pac_free(context, new_pac);
-            goto done;
+        if (buffer_types[i] != PAC_SERVER_CHECKSUM &&
+           buffer_types[i] != PAC_PRIVSVR_CHECKSUM) {
+            kerr = krb5_pac_get_buffer(context, old_pac,
+                                       buffer_types[i], &data);
+            if (kerr == 0) {
+                kerr = krb5_pac_add_buffer(context, new_pac,
+                                           buffer_types[i], &data);
+            }
+            krb5_free_data_contents(context, &data);
+            if (kerr) {
+                krb5_pac_free(context, new_pac);
+                goto done;
+            }
         }
     }
 

> 
> bye,
> Sumit
> 
> > 
> > Simo.
> > 
> > -- 
> > Simo Sorce * Red Hat, Inc * New York
> 
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to