Subject: bin/13040: login doesn't honor [libdefaults]krb4_get_tickets=yes
To: None <gnats-bugs@gnats.netbsd.org>
From: None <lha@nutcracker.dynarc.se>
List: netbsd-bugs
Date: 05/26/2001 12:27:57
>Number: 13040
>Category: bin
>Synopsis: login doesn't honor [libdefaults]krb4_get_tickets=yes
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat May 26 03:29:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Love
>Release: Current as of 2000-05-26, NetBSD 1.5V
>Organization:
Stacken Computer Club
>Environment:
System: NetBSD nutcracker.dynarc.se 1.5V NetBSD 1.5V (NUTCRACKER) #17: Sat May 26 10:44:27 CEST 2001 lha@nutcracker.dynarc.se:/usr/src/sys/arch/i386/compile/NUTCRACKER i386
Architecture: i386
Machine: i386
>Description:
login doesn't honor [libdefaults]krb4_get_tickets=yes
In Heimdal this variable makes kinit and login convert krb5 tickets
to krb4 tickets.
I also notice that this variable isn't documented in
krb5.conf(5), so I am relying on Assar or Johan to fix that
too.
>How-To-Repeat:
Log in and observe that you only have krb5 tickets.
>Fix:
Index: k5login.c
===================================================================
RCS file: /cvsroot/basesrc/usr.bin/login/k5login.c,v
retrieving revision 1.19
diff -u -w -r1.19 k5login.c
--- k5login.c 2001/01/19 21:55:19 1.19
+++ k5login.c 2001/05/26 10:24:47
@@ -62,6 +62,7 @@
#include <sys/param.h>
#include <sys/syslog.h>
#include <krb5/krb5.h>
+#include <kerberosIV/krb.h>
#include <pwd.h>
#include <netdb.h>
#include <stdio.h>
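Review bot: The new `#include <kerberosIV/krb.h>` is unconditional, while every krb4 symbol the rest of the patch introduces (the `krb5_to4` prototype, its body and its call site) sits under `#ifdef KERBEROS`; if a KERBEROS5-only build without the krb4 headers is supported, as that guarding suggests, it now fails at this include. Guard the include the same way: `#ifdef KERBEROS` / `#include <kerberosIV/krb.h>` / `#endif`. The same applies to the header types `CREDENTIALS` and `TKT_ROOT` used later, which then resolve only in the guarded region.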
@@ -93,6 +94,11 @@
int k5login(struct passwd *, char *, char *, char *);
void k5destroy(void);
+#ifdef KERBEROS
+static krb5_error_code
+krb5_to4 (struct passwd *pw, krb5_context context, krb5_ccache id);
+#endif
+
#ifndef krb5_realm_length
#define krb5_realm_length(r) ((r).length)
#endif
@@ -284,7 +290,7 @@
}
int
-k5_write_creds()
+k5_write_creds(void)
{
krb5_error_code kerror;
krb5_ccache ccache;
@@ -318,6 +324,57 @@
}
/*
+ * Get krb4 credentials if needed
+ */
+#ifdef KERBEROS
+static krb5_error_code
+krb5_to4 (struct passwd *pw, krb5_context context, krb5_ccache id)
+{
+ if (krb5_config_get_bool(context, NULL,
+ "libdefaults",
+ "krb4_get_tickets",
+ NULL)) {
+ CREDENTIALS c;
+ krb5_creds mcred, cred;
+ char krb4tkfile[MAXPATHLEN];
+ krb5_error_code ret;
+ krb5_principal princ;
+
+ ret = krb5_cc_get_principal (context, id, &princ);
+ if (ret)
+ return ret;
+
+ ret = krb5_make_principal(context, &mcred.server,
+ princ->realm,
+ "krbtgt",
+ princ->realm,
+ NULL);
+ krb5_free_principal (context, princ);
+ if (ret)
+ return ret;
+
+ ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred);
+ if(ret == 0) {
+ ret = krb524_convert_creds_kdc(context, id, &cred, &c);
+ if(ret == 0) {
+ snprintf(krb4tkfile,sizeof(krb4tkfile),"%s%d",TKT_ROOT,
+ getuid());
+ krb_set_tkt_string(krb4tkfile);
+ tf_setup(&c, c.pname, c.pinst);
+ if (chown(krb4tkfile, pw->pw_uid, pw->pw_gid) < 0)
+ syslog(LOG_ERR, "chown tkfile (%s): %m", &tkt_location[5]);
+
+ }
+ memset(&c, 0, sizeof(c));
+ krb5_free_creds_contents(context, &cred);
+ }
+ krb5_free_principal(context, mcred.server);
+ }
+ return 0;
+}
+#endif
+
+/*
* Attempt to log the user in using Kerberos authentication
*
* return 0 on success (will be logged in)
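Review bot: The chown failure path in `krb5_to4` logs `&tkt_location[5]` instead of the file it actually tried to chown, so the syslog entry names a different path (presumably the krb5 cache minus a `FILE:` prefix, defined outside this hunk) — it should be `syslog(LOG_ERR, "chown tkfile (%s): %m", krb4tkfile);`. The ticket file name is also built from `getuid()` while ownership is taken from `pw->pw_uid`; if login is still running as root at this point, as the chown implies, the krb4 cache lands at `TKT_ROOT` + `0`, which the user's own krb4 tools will not look for and which every concurrent login would share, so `pw->pw_uid` should be used in the name as well (and `%d` does not match `uid_t`). `mcred` is only given a `.server` member before being passed to `krb5_cc_retrieve_cred`; unless that call is documented to ignore every other field when `whichfields` is 0, a `memset(&mcred, 0, sizeof(mcred))` first avoids comparing against an uninitialized `client`. Finally, `tf_setup` can fail and its result is ignored, after which the chown and its error message refer to a file that may not exist.
```c
	krb5_creds mcred, cred;
	/* … unchanged: remaining declarations, krb5_cc_get_principal … */
	memset(&mcred, 0, sizeof(mcred));	/* only .server is filled in below */
	ret = krb5_make_principal(context, &mcred.server,
	/* … unchanged: principal setup, krb5_cc_retrieve_cred … */
		ret = krb524_convert_creds_kdc(context, id, &cred, &c);
		if (ret == 0) {
			/* name the cache by the user's uid, not the caller's */
			snprintf(krb4tkfile, sizeof(krb4tkfile), "%s%u",
			    TKT_ROOT, (unsigned)pw->pw_uid);
			krb_set_tkt_string(krb4tkfile);
			if (tf_setup(&c, c.pname, c.pinst) != 0)
				syslog(LOG_ERR, "tf_setup (%s) failed", krb4tkfile);
			else if (chown(krb4tkfile, pw->pw_uid, pw->pw_gid) < 0)
				syslog(LOG_ERR, "chown tkfile (%s): %m", krb4tkfile);
		}
		/* … unchanged: memset(&c, 0, sizeof(c)), krb5_free_creds_contents … */
```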
@@ -461,6 +518,10 @@
if (k5_verify_creds(kcontext, ccache) < 0)
return (1);
+#ifdef KERBEROS
+ if ((kerror = krb5_to4(pw, kcontext, ccache)) != 0)
+ krb5_warn(kcontext, kerror, "error converting krb4 creds");
+#endif
/* Success */
notickets = 0;
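Review bot: The warning text `"error converting krb4 creds"` describes the operation backwards — `krb5_to4` converts krb5 credentials into krb4 ones — and it is the only message on this path that goes through `krb5_warn` to stderr while `krb5_to4` itself reports via `syslog`; `krb5_warn(kcontext, kerror, "error converting krb5 creds to krb4");` reads correctly, and syslogging it as well would keep the record consistent. Treating the conversion failure as non-fatal after `k5_verify_creds` succeeded looks intentional and is fine. The enclosing function starts and ends outside this hunk.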
@@ -471,7 +532,7 @@
* Remove any credentials
*/
void
-k5destroy()
+k5destroy(void)
{
krb5_error_code kerror;
krb5_ccache ccache = NULL;
>Release-Note:
>Audit-Trail:
>Unformatted: