> Aargh!! This sounds suspiciously like the problem we ran into
> last week when we upgraded our kaservers from 3.5-3.32 to
> 3.6-2.5. Are you telling me this is a known bug?
After kaserver upgrade a site could no longer authenticate with the
arla client. Yes, it is the APPL request that fails. I set up a
kaserver test environment (normally we use Heimdal here) and could
reproduce the problem and track it down to the kaserver. As we do not
use any win* clients, I could not test this, but I expect them to stop
working, too. Anyone who can confirm/deny? Bug description is in the
bug report included for reference below.
> and they're still looking into it. They claim to have not heard
> of it before... Is this the same bug you're referring to?
Judge yourself - I'd say so. See mail with dates and everything
included below. This is the bug report from the AFS contact person at
KTH to Transarc. I have not heard anything since and I don't think
Ragnar has either.
> And what are the "other bugs" in 3.5-3.32?
The reason for the code changes after 3.5-3.32 was possible buffer
overrun problems. There is some cert about it. The fixes are quite
embarrassing, so I don't think anything improved.
Harald.
#> From: Ragnar Andersson <[EMAIL PROTECTED]>
#> To: [EMAIL PROTECTED]
#> cc: Harald Barth <[EMAIL PROTECTED]>
#> Date: Fri, 29 Sep 2000 08:27:22 +0200 (MET DST)
#>
#>
#> Hello there!
#>
#> I'm submitting this bug report on behalf of one of our AFS
#> administrators who is not himself a site contact. Please direct all
#> requests for additional information *directly* to him (although I
#> would like to be cc:ed). In the past I've had to shuffle requests
#> between your handler and our bug reporter, and that really doesn't
#> make anybody happy. Please note, too, that I've made this request
#> before, without success.
#>
#> Best regards,
#> Ragnar
#>
#> ---------- Forwarded message ----------
#> Date: Thu, 28 Sep 2000 16:38:46 +0200
#> From: Harald Barth <[EMAIL PROTECTED]>
#> To: [EMAIL PROTECTED]
#> Cc: [EMAIL PROTECTED]
#> Subject: kaserver 3.5-3.51 does not authenticate krb_udp requests correctly.
#>
#>
#> Ragnar: Please forward to Transarc.
#>
#> The kaserver 3.5-3.51 shipped with 3.5 patchlevel 5 does not
#> authenticate krb_udp requests from kerberos 4 clients correctly. It is
#> possible to get TGTs but not application tickets. This defect appeared
#> after 3.5-3.32 which still is OK. The trouble are a number of buffer
#> overrun "fixes" which have lobotomized functionality.
#>
#> When attaching a debugger to the kaserver process and setting the
#> krb_udp_debug variable and authenticating with a krb4 client the
#> following output shows the problem:
#>
#> Processing APPL Request
#> UGetTicket: got ticket from 'haba'.''@''
#> Sending error packet to 'haba'.''@'' containing code = 180504: Unknown code ka 24 (180504)
#>
#> It should read: UGetTicket: got ticket from 'haba'.''@'MYREALM.COM'
#>
#> This is due to the if clause in file kauth/krb_udp.c RCSID 2.78 line
#> 641 in function UDP_GetTicket which never can evaluate to true, so
#> lrealm will not be copied to cell when needed. See even line 489 and
#> 490 of the same file for more questionable c-code.
#>
#> Harald.
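
An added illustration of the defect class the bug report describes, not code from kauth/krb_udp.c or from anyone in this thread: an overrun guard that can never be true, so the local realm is never copied into an empty cell. The real condition at line 641 is not shown in the thread; the broken guard, the function names and MAXCELL are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAXCELL 64  /* assumed buffer size, for this example only */

/* Constructed stand-in for an overrun "fix" that disables the copy:
 * the guard compares against the destination's current string length
 * instead of its capacity. An empty cell has length 0, and no length
 * is < 0, so the branch is dead and cell stays empty. */
static int fill_cell_broken(char *cell, size_t cellsz, const char *lrealm)
{
    if (cell[0] == '\0' && strlen(lrealm) < strlen(cell)) {
        strncpy(cell, lrealm, cellsz - 1);
        cell[cellsz - 1] = '\0';
        return 1;
    }
    return 0;
}

/* Bounds-checked version: compare against the buffer capacity and
 * refuse an oversized realm instead of truncating it silently.
 * Returns 1 if the default was filled in, 0 if the client supplied
 * a cell, -1 if lrealm does not fit. */
static int fill_cell_fixed(char *cell, size_t cellsz, const char *lrealm)
{
    size_t n;

    if (cell[0] != '\0')
        return 0;
    n = strlen(lrealm);
    if (n >= cellsz)
        return -1;
    memcpy(cell, lrealm, n + 1);  /* n + 1 copies the terminator too */
    return 1;
}

int main(void)
{
    char a[MAXCELL] = "", b[MAXCELL] = "";

    fill_cell_broken(a, sizeof a, "MYREALM.COM");
    fill_cell_fixed(b, sizeof b, "MYREALM.COM");
    printf("broken: got ticket from 'haba'.''@'%s'\n", a);
    printf("fixed:  got ticket from 'haba'.''@'%s'\n", b);
    return 0;
}
```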