Bug 912 - Configuration defaults to HAVE_MEMORY_KEYTAB=1
Configuration defaults to HAVE_MEMORY_KEYTAB=1
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: Config Files
3.0.1
All Linux
: P2 major
: none
Assigned To: Jeremy Allison
http://www.blackkat.ca
:
: 863 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2003-12-22 18:52 UTC by jon wackley
Modified: 2005-08-24 10:27 UTC (History)
3 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description jon wackley 2003-12-22 18:52:00 UTC
Hi All,

Used debug level 10 to determine that the krb5_kt_resolve call failed when
verifying incoming ticket.  Determined that the call failed at
libads/kerberos_verify.c:56;

        ret = krb5_kt_resolve(context, keytab_name, keytab);
        if (ret)
                return ret;

in other words a non-zero return value is an error.  mit-krb5-1.3.1 does not
support memory keytabs, at least without extra coding (i.e.
krb5_kt_register, but I could not find the appropriate krb5_kt_ops to use,
more about this later.

Tried to find out why manifest constant  HAVE_MEMORY_KEYTAB is set to true.
Found in the configure.in file that the logic sense is inverted (if I am
reading this correctly);

    AC_TRY_RUN([
#include<krb5.h>
  main()
  {
    krb5_context context;
    krb5_keytab keytab;

    krb5_init_context(&context);
    if (krb5_kt_resolve(context, "MEMORY:", &keytab))
      exit(0);
    exit(1);
  }],
  samba_cv_HAVE_MEMORY_KEYTAB=yes,
  samba_cv_HAVE_MEMORY_KEYTAB=no)])

  if test x"$samba_cv_HAVE_MEMORY_KEYTAB" = x"yes"; then
      AC_DEFINE(HAVE_MEMORY_KEYTAB,1,
               [Whether in-memory keytabs are supported])
  fi

The code in kerberos_verify.c does not seem ready to handle any other keytab
type in the function setup_keytab.  I'm not sure if this is correct, and I
am not certain how to proceed at this point.

1.  Should the code work properly if the configure.in script is fixed?
(i.e. do not use memory keytabs)
2.  Is the strategy to use memory keytabs by way of
krb5_kt_register/krb5_kt_ops?
3.  Is there something that I am completely missing?

Please note: I'm in the middle of a clean compile so I don't know if there are 
more issues to follow from this.

Thanks,
jonw
Comment 1 jon wackley 2003-12-22 20:48:48 UTC
Fixed configure.in and then regenerated configure.  Could now authenticate to 
Win2K ADS.  Logs look good from quick glance.  BTW - I do not have CVS access 
so I will leave it to you to resolve this bug.

BTW - I was looking into another bug, I could not see/change the permissions of 
a directory from the win2K clinet.  Files work fine.  Any suggestions?  Will 
open another bug.
Comment 2 Gerald (Jerry) Carter 2004-01-02 07:23:32 UTC
*** Bug 863 has been marked as a duplicate of this bug. ***
Comment 3 Gerald (Jerry) Carter 2004-01-05 12:25:09 UTC
Yup.  The logic appears backwards.
Fix checked in.  Thanks.
Comment 4 Gerald (Jerry) Carter 2005-08-24 10:27:49 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.