Date: Mon, 15 Jan 2018 15:18:14 +0000
From: bugzilla-noreply@freebsd.org
To: python@FreeBSD.org
Subject: [Bug 204899] security/py-kerberos: authGSSClientStep raises GSSError UNKNOWN_SERVER
Message-ID: <bug-204899-21822-WqY23YJi4p@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-204899-21822@https.bugs.freebsd.org/bugzilla/>
References: <bug-204899-21822@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204899

--- Comment #18 from John W. O'Brien <john@saltant.com> ---

The problem lies in how the principal name type in the main call to gss_import_name is patched from MIT to Heimdal.

py-kerberos uses [0] gss_krb5_nt_service_name, which krb5 defines as [1] gss_nt_service_name. That symbol is, in turn, set to [2] the OID defined as [3] 1.2.840.113554.1.2.1.4, a.k.a. GSS_C_NT_HOSTBASED_SERVICE. This is consistent with the API docs for authGSSClientInit [4] and the standard for that name type [5]: "service@hostname". Under the hood, both heimdal and krb5 parse names of that type by splitting on '@' and producing a krb5 principal with two components, the left and right sides.

The adaptation [6] from krb5 to heimdal erroneously pivoted on the "krb5" part of the name instead of the "service" part of the name, and ends up using GSS_KRB5_NT_PRINCIPAL_NAME [7] as a result, which expects a principal of a different form. That name type treats '@' as the separator between multiple '/'-separated components and the realm ("service/hostname@REALM"), not as the separator of two principal components. This explains why, as revealed in the KDC logs for the failing test cases, the client tries to traverse a cross realm trust (krbtgt/hostX.example.com@EXAMPLE.COM) as if the intended hostname were a foreign realm.

I have prepared a patch that I will test and post shortly.
[0] https://github.com/apple/ccs-pykerberos/blob/PyKerberos-1.2.5/src/kerberosgss.c#L153
[1] https://github.com/krb5/krb5/blob/krb5-1.15.2-final/src/lib/gssapi/krb5/gssapi_krb5.h#L101
[2] https://github.com/krb5/krb5/blob/krb5-1.15.2-final/src/lib/gssapi/generic/gssapi_generic.c#L182
[3] https://github.com/krb5/krb5/blob/krb5-1.15.2-final/src/lib/gssapi/generic/gssapi_generic.c#L93
[4] https://github.com/apple/ccs-pykerberos/blob/PyKerberos-1.2.5/pysrc/kerberos.py#L150
[5] https://tools.ietf.org/html/rfc2743#page-85 Section 4.1
[6] https://svnweb.freebsd.org/ports/head/security/py-kerberos/files/extra-patch-src_kerberosgss.h?view=markup&pathrev=401816
[7] https://tools.ietf.org/html/rfc1964#page-13 Section 2.1.1

-- 
You are receiving this mail because:
You are on the CC list for the bug.
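The name-type mix-up described in the comment above, as an added example that is not part of the bug report, py-kerberos or either GSSAPI library. It models the two splitting rules the comment describes for GSS_C_NT_HOSTBASED_SERVICE ("service@hostname") and GSS_KRB5_NT_PRINCIPAL_NAME ("a/b@REALM"), then shows which ticket a client in EXAMPLE.COM would ask its KDC for under each interpretation of the same string. The service name HTTP, the host hostx.example.com and the realm EXAMPLE.COM are constructed inputs; real gss_import_name implementations also canonicalize the hostname and may reject malformed names, which this model skips.

```python
# Added example, not code from the bug report, py-kerberos, krb5 or Heimdal.
# Models how the two GSS name types turn a string into a Kerberos principal,
# and why importing "service@hostname" under the wrong name type makes the
# client chase a cross-realm TGT.  All names and realms below are constructed.

from dataclasses import dataclass
from typing import List

GSS_C_NT_HOSTBASED_SERVICE = "1.2.840.113554.1.2.1.4"  # RFC 2743 section 4.1
GSS_KRB5_NT_PRINCIPAL_NAME = "1.2.840.113554.1.2.2.1"  # RFC 1964 section 2.1.1


@dataclass
class Principal:
    components: List[str]
    realm: str  # empty string means "the client's default realm"

    def __str__(self) -> str:
        name = "/".join(self.components)
        return f"{name}@{self.realm}" if self.realm else name


def import_name(name: str, name_type: str, default_realm: str) -> Principal:
    """Simplified gss_import_name for the two name types in the report.

    Hostname canonicalization (reverse DNS etc.) is deliberately omitted.
    """
    if name_type == GSS_C_NT_HOSTBASED_SERVICE:
        # "service@hostname": '@' separates two principal components and the
        # form carries no realm, so the client's default realm applies.
        service, sep, host = name.partition("@")
        if not service:
            raise ValueError("hostbased service name needs a service part")
        components = [service, host] if sep else [service]
        return Principal(components, default_realm)

    if name_type == GSS_KRB5_NT_PRINCIPAL_NAME:
        # "a/b/c@REALM": '@' separates the '/'-joined components from the realm.
        body, sep, realm = name.rpartition("@")
        if not sep:
            body, realm = name, default_realm
        if not body:
            raise ValueError("principal name needs at least one component")
        return Principal(body.split("/"), realm)

    raise ValueError(f"unsupported name type {name_type}")


def first_tgs_request(target: Principal, client_realm: str) -> str:
    """Return the service principal the client asks its own KDC for first.

    If the target is in the client's realm the KDC is asked for it directly.
    If the target claims a foreign realm the client must first obtain a
    cross-realm TGT, krbtgt/<foreign realm>@<client realm>, which is the
    request the report found in the KDC logs.
    """
    if target.realm == client_realm:
        return str(target)
    return f"krbtgt/{target.realm}@{client_realm}"


def demo(service: str = "HTTP",
         host: str = "hostx.example.com",
         realm: str = "EXAMPLE.COM"):
    """Import the same 'service@host' string both ways and compare requests."""
    name = f"{service}@{host}"  # what authGSSClientInit is documented to take
    correct = import_name(name, GSS_C_NT_HOSTBASED_SERVICE, realm)
    patched = import_name(name, GSS_KRB5_NT_PRINCIPAL_NAME, realm)
    return first_tgs_request(correct, realm), first_tgs_request(patched, realm)


if __name__ == "__main__":
    ok, bad = demo()
    print("hostbased service name :", ok)
    print("krb5 principal name    :", bad)
```

Under the hostbased rule the string becomes HTTP/hostx.example.com@EXAMPLE.COM and the KDC can issue a service ticket; under the principal-name rule the hostname is taken as the realm, so the client first asks for krbtgt/hostx.example.com@EXAMPLE.COM, which the KDC cannot satisfy.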