From 198a4c970ee3cce9dcf3c49fd178d3e1fc3c6c9b Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Mon, 13 Oct 2014 17:48:05 -0400 Subject: [PATCH] aklog 1.6: make krb5_524 non-fatal for native K5 tokens The krb5_524_conv_principal() function should fail whenever the Kerberos v5 principal cannot safely be mapped onto a Kerberos v4 principal, and does fail on some Kerberos v5 principals used in real-world AFS deployments. Prior to this patchset a failure was treated as a fatal error that in turn prevents an AFS token from being generated or set into the cache manager. Prior to b1f9b4cb5dd295162ae51704310e9d6058008f0a the krb5_524_conv_principal() function wasn't used and a local client mapping was created. b1f9b4cb5dd295162ae51704310e9d6058008f0a replaced the local mapping with the krb5 function because the local mapping could be wrong and confusing. The krb5_524_conv_principal() function as applied to AFS tokens is just a local guess. How the username in the token is interpreted by the AFS server is up to the server. krb5_524_conv_principal() is only used for Krb5 native tokens. For Krb4 tokens the krb5_524_convert_creds() function is used to obtain both the Kerberos v4 ticket and the converted names from the KDC. Many organizations used the krb524d service to perform name translation. When the krb524d service is used, the name translation is performed by the KDC, so there is no local call to krb5_524_conv_principal() which might fail. As a result, disallowing the use of a native Krb5 token due to a failed local name translation is a needless loss of functionality; the local name translation is not an essential part of obtaining a token. This patchset modifies the behavior such that krb5_524_conv_principal() errors are non-fatal. 1. If -noprdb is not specified the error message is generated and a NULL username is used. 2. If the username is NULL the prdb lookup is disabled. 3. If the username is NULL the informational messages do not include a username. 4. If the username is NULL the username info provided to the cache manager in the token description is the nul string. This patchset is an openafs-stable-1_6_x specific version of the patch. The master version was submitted to http://gerrit.openafs.org/#change,11542 Credit to Ben Kaduk for assistance with the wording of this commit message. Change-Id: If12ae69394321fa7b7a182c9db95716bc66e489c Reviewed-on: http://gerrit.openafs.org/11538 Reviewed-by: Benjamin Kaduk Tested-by: BuildBot Reviewed-by: Jeffrey Altman Reviewed-by: Stephan Wiesand --- doc/man-pages/pod1/aklog.pod | 17 ++++++++++--- src/aklog/aklog.c | 49 +++++++++++++++++++++++------------- 2 files changed, 45 insertions(+), 21 deletions(-) diff --git a/doc/man-pages/pod1/aklog.pod b/doc/man-pages/pod1/aklog.pod index a6c881e86..740118d52 100644 --- a/doc/man-pages/pod1/aklog.pod +++ b/doc/man-pages/pod1/aklog.pod @@ -36,13 +36,15 @@ specified with B<-k>. B<-k> cannot be used in B<-path> mode (see below). When a Kerberos 5 cross-realm trust is used, B looks up the AFS ID corresponding to the name (Kerberos principal) of the person invoking the command, and if the user doesn't exist and the -system:authuser@FOREIGN.REALM PTS group exists, then it attempts automatic +C PTS group exists, then it attempts automatic registration of the user with the foreign cell. The user is then added to -the system:authuser@FOREIGN.REALM PTS group if registration is successful. +the C PTS group if registration is successful. Automatic registration in the foreign cell will fail if the group quota -for the system:authuser@FOREIGN.REALM group is less than one. Each +for the C group is less than one. Each automatic registration decrements the group quota by one. +=head1 CAUTIONS + When using B, be aware that AFS uses the Kerberos v4 principal naming format, not the Kerberos v5 format, when referring to principals in PTS ACLs, F, and similar locations. AFS will internally map @@ -54,6 +56,15 @@ entry for the Kerberos v5 principal C, refer to it as C, and for the principal C, refer to it as C. +The B mapping of Kerberos v5 principal to Kerberos v4 principal and +the determination that a Kerberos realm is foreign is performed in the +absence of the actual AFS server configuration. If the B mapping +of Kerberos v5 principal to Kerberos v4 principal or the foreign realm +determination is wrong, the PTS name-to-id lookup will produce the wrong +AFS ID for the user. The AFS ID is only used for display purposes and +should not be trusted. Use the B<-noprdb> switch to disable the PTS +name-to-id lookup. + =head1 OPTIONS =over 4 diff --git a/src/aklog/aklog.c b/src/aklog/aklog.c index a09534048..eb661fabd 100644 --- a/src/aklog/aklog.c +++ b/src/aklog/aklog.c @@ -624,7 +624,8 @@ out: * structure which should be freed by the caller. * @param[out[ userPtr * A string containing the principal of the user to whom the token was - * issued. This is a malloc'd block which should be freed by the caller. + * issued. This is a malloc'd block which should be freed by the caller, + * if set. * * @returns * 0 on success, an error value upon failure @@ -632,7 +633,7 @@ out: static int rxkad_build_native_token(krb5_context context, krb5_creds *v5cred, struct ktc_token **tokenPtr, char **userPtr) { - char username[BUFSIZ]; + char username[BUFSIZ]=""; struct ktc_token *token; #ifdef HAVE_NO_KRB5_524 char *p; @@ -657,14 +658,15 @@ rxkad_build_native_token(krb5_context context, krb5_creds *v5cred, (char *) &k4inst, (char *) &k4realm); if (status) { - afs_com_err(progname, status, "while converting principal " - "to Kerberos V4 format"); - return AKLOG_KERBEROS; - } - strcpy (username, k4name); - if (k4inst[0]) { - strcat (username, "."); - strcat (username, k4inst); + if (!noprdb) + afs_com_err(progname, status, + "while converting principal to Kerberos V4 format"); + } else { + strcpy (username, k4name); + if (k4inst[0]) { + strcat (username, "."); + strcat (username, k4inst); + } } #else len = min(get_princ_len(context, v5cred->client, 0), @@ -701,8 +703,8 @@ rxkad_build_native_token(krb5_context context, krb5_creds *v5cred, memcpy(token->ticket, v5cred->ticket.data, token->ticketLen); *tokenPtr = token; - *userPtr = strdup(username); - + if (username[0] != '\0') + *userPtr = strdup(username); return 0; } @@ -805,7 +807,8 @@ rxkad_get_converted_token(krb5_context context, krb5_creds *v5cred, * be freed by the caller. * @parma[out] authuser * A string containing the principal of the user to whom the token was - * issued. This is a malloc'd block which should be freed by the caller. + * issued. This is a malloc'd block which should be freed by the caller, + * if set. * @param[out] foreign * Whether the user is considered as 'foreign' to the realm of the cell. * @@ -839,7 +842,7 @@ rxkad_get_token(krb5_context context, struct afsconf_cell *cell, char *realm, /* We now have the username, plus the realm name, so stitch them together * to give us the name that the ptserver will know the user by */ - if (realmUsed == NULL) { + if (realmUsed == NULL || username == NULL) { *authuser = username; username = NULL; *foreign = 0; @@ -893,7 +896,9 @@ set_kernel_token(struct afsconf_cell *cell, char *username, { struct ktc_principal client, server; - strncpy(client.name, username, MAXKTCNAMELEN - 1); + strncpy(client.name, + username ? username : "", + MAXKTCNAMELEN - 1); strcpy(client.instance, ""); strncpy(client.cell, cell->name, MAXKTCREALMLEN - 1); @@ -1003,7 +1008,10 @@ auth_to_cell(krb5_context context, char *cell, char *realm, char **linkedcell) noprdb = 1; #endif - if (noprdb) { + if (username == NULL) { + afs_dprintf("Not resolving name to id\n"); + } + else if (noprdb) { afs_dprintf("Not resolving name %s to id (-noprdb set)\n", username); } else { @@ -1082,9 +1090,14 @@ auth_to_cell(krb5_context context, char *cell, char *realm, char **linkedcell) } } - afs_dprintf("Set username to %s\n", username); + if (username) { + afs_dprintf("Set username to %s\n", username); - afs_dprintf("Setting tokens. %s @ %s \n", username, cellconf.name); + afs_dprintf("Setting tokens. %s @ %s\n", + username, cellconf.name); + } else { + afs_dprintf("Setting tokens for cell %s\n", cellconf.name); + } #ifndef AFS_AIX51_ENV /* on AIX 4.1.4 with AFS 3.4a+ if a write is not done before -- 2.39.5