Subject: lib/19206: GSSAPI using daemons fail when root has a krb5 CC
To: None <>
From: None <>
List: netbsd-bugs
Date: 11/29/2002 16:27:08
>Number:         19206
>Category:       lib
>Synopsis:       GSSAPI using daemons fail when root has a krb5 CC
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Nov 29 13:28:00 PST 2002
>Originator:     Roland Dowdeswell
>Release:        NetBSD 1.6_BETA1
>Organization:
	The Fall of Imrryr
>Environment:
System: NetBSD 1.6_BETA1 NetBSD 1.6_BETA1 (ARIOCH) #0: Fri Jun 28 12:36:20 EDT 2002 alpha
Architecture: alpha
Machine: alpha
     $Heimdal: acquire_cred.c,v 1.10 2002/08/20 12:02:45 nectar Exp $
     $NetBSD: acquire_cred.c,v 1.9 2002/11/28 11:21:16 elric Exp $
>Description:
	If you are using GSSAPI to negotiate, e.g. IPsec, the
	negotiations will begin to fail if root logs in and runs
	kinit(1).  This, I think, is counter-intuitive behaviour.
	(Of course, since I am running NFS over IPsec, the first
	symptom that I saw was NFS hanging, but...)
>How-To-Repeat:
	Use GSSAPI w/ racoon or imapd and note that if root performs
	a kinit(1) with the CC in the default location then these
	services begin to fail, claiming that they can't find the
	right principal.
>Fix:
	I think that the right fix is for the GSSAPI code, if it
	is looking for a specific principal, to continue to search
	beyond the credentials cache if the cache contains the
	wrong principal.  This is a quick patch which I haven't
	tested but include as a suggestion of how to fix it for
	comment.  If this is generally considered a good start,
	then I shall fix it up, test it and check it in.  Most
	notably, I have not yet paid attention to cleanup and
	memory allocation issues.
Index: acquire_cred.c
RCS file: /cvsroot/basesrc/crypto/dist/heimdal/lib/gssapi/acquire_cred.c,v
retrieving revision 1.9
diff -u -r1.9 acquire_cred.c
--- acquire_cred.c	2002/11/28 11:21:16	1.9
+++ acquire_cred.c	2002/11/29 21:25:24
@@ -96,8 +96,13 @@
     } else if (handle->principal != NULL &&
 	krb5_principal_compare(gssapi_krb5_context, handle->principal,
 	def_princ) == FALSE) {
-	goto end;
+	/*
+	 * this is the wrong principal, but that doesn't mean that the
+	 * keytab does not contain the correct principal.  Clean up
+	 * the principal and fall through.
+	 */
+	krb5_free_principal(gssapi_krb5_context, def_princ);
+	def_princ = NULL;             
     if (def_princ == NULL) {
 	/* We have no existing credentials cache,
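Review bot: With `goto end;` removed, the wrong-principal case now falls into the `if (def_princ == NULL)` block whose comment reads "We have no existing credentials cache", which is no longer accurate for this path: a cache does exist, it just holds a principal other than handle->principal. Update that comment (or record the wrong-principal case in an explicit flag) so the keytab fallback is visibly intentional, and confirm that the cache handle def_princ was read from is closed or reused consistently once def_princ has been freed and zeroed here, since the submitter's own note already flags cleanup as untested. Also, the `def_princ = NULL;` line carries trailing whitespace.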