system/2877: Heimdal KDC returns KRB5KRB_ERR_GENERIC instead of KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN

From: <sysadmin(at)astro.su.se>
Date: Mon Aug 12 2002 - 07:36:03 EDT


>Number: 2877
>Category: system
>Synopsis: Heimdal KDC returns wrong error code
>Confidential: no
net
>Environment:
        

	System      : OpenBSD 3.0
	Architecture: OpenBSD.i386
	Machine     : i386

>Description:
On 2001-01-30, the following change was made to Heimdal:
  • kdc/misc.c (db_fetch): HDB_ERR_NOENTRY makes more sense than ENOENT

Unfortunately, no corresponding change was made to other parts of the code that read like

            ret = db_fetch(p, &uu);
            krb5_free_principal(context, p);
            if(ret){
                if (ret == ENOENT)
                    ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
                goto out;
            }

As a result, the KDC returns KRB5KRB_ERR_GENERIC instead of KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN when asked about a nonexistent principal.

This breaks tools like aklog (from the AFS/Kerberos 5 Migration Kit, available at ftp://ftp.cmf.nrl.navy.mil).

>How-To-Repeat:

I have tested the following patch on OpenBSD 3.0. Similar changes appear to be required in 3.1 and current (from reading the source code). I've tried to track down all occurrences of this bug, but no guarantees.

Index: kdc/524.c



RCS file: /cvs/src/kerberosV/src/kdc/524.c,v retrieving revision 1.1.1.2
diff -u -r1.1.1.2 524.c
--- kdc/524.c	2001/06/22 21:21:46	1.1.1.2
+++ kdc/524.c	2002/08/12 11:11:35
@@ -69,7 +69,7 @@
 	kdc_log(0,
 	"Request to convert ticket from %s for unknown principal %s: %s",
 		from, *spn, krb5_get_err_text(context, ret));
-	if (ret == ENOENT)
+	if (ret == HDB_ERR_NOENTRY)
 	    ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
 	return ret;
     }
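
Review bot: In this 524.c hunk the kdc_log call above the changed comparison still reports "unknown principal" for every non-zero ret, while only HDB_ERR_NOENTRY is mapped to KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, so any other database failure is logged as a missing principal and then returned under a different code. Consider wording the log line neutrally (the krb5_get_err_text output already carries the reason) or logging after the mapping, so that the KDC log and the error sent to the client agree.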

Index: kdc/kerberos5.c

RCS file: /cvs/src/kerberosV/src/kdc/kerberos5.c,v retrieving revision 1.1.1.2
diff -u -r1.1.1.2 kerberos5.c
--- kdc/kerberos5.c	2001/06/22 21:21:53	1.1.1.2
+++ kdc/kerberos5.c	2002/08/12 11:11:36
@@ -1564,7 +1564,7 @@
 	    ret = db_fetch(p, &uu);
 	    krb5_free_principal(context, p);
 	    if(ret){
-		if (ret == ENOENT)
+		if (ret == HDB_ERR_NOENTRY)
 		    ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
 		goto out;
 	    }
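
Review bot: At the db_fetch call near line 1564 the failure path jumps to out without any kdc_log call, unlike the other three sites this patch touches, so a request for a nonexistent principal on this path leaves no trace in the KDC log. Consider adding a kdc_log call before "goto out" in the same form as the "Server not found in database" message; since p is released by krb5_free_principal before ret is tested, the name would have to be captured for logging before that call.
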
@@ -1630,7 +1630,7 @@
 	    }
 	    kdc_log(0, "Server not found in database: %s: %s", spn,
 		    krb5_get_err_text(context, ret));
-	    if (ret == ENOENT)
+	    if (ret == HDB_ERR_NOENTRY)
 		ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
 	    goto out;
 	}
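
Review bot: The test "if (ret == HDB_ERR_NOENTRY)" followed by a KRB5KDC_ERR_*_PRINCIPAL_UNKNOWN assignment is now repeated at four call sites across 524.c and kerberos5.c, which is how the db_fetch change described in the report got out of step with its callers. Consider moving the translation into one small helper, or documenting db_fetch's not-found return value in kdc/misc.c, so that a later change to that code is made in one place.
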
@@ -1644,7 +1644,7 @@
 	if(ret){
 	    kdc_log(0, "Client not found in database: %s: %s",
 		    cpn, krb5_get_err_text(context, ret));
-	    if (ret == ENOENT)
+	    if (ret == HDB_ERR_NOENTRY)
 		ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
 	    goto out;
 	}
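
Review bot: The client lookup in this hunk maps to KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, but the synopsis and description mention only KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, so the change log entry should say that client-principal lookups were returning the generic error as well. A test of both an unknown client and an unknown server request would confirm that each path now returns its own code.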

>Release-Note:
Received on Thu Nov 7 15:30:12 2002


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:29:36 EDT

