Bug 1057333 - authenticate_gss_client_wrap() fails to wrap username correctly
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: python-kerberos
Version: 6.4
Hardware: All
OS: Linux
medium
urgent
Target Milestone: rc
Assignee: Rob Crittenden
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks: 1057338 1061410 1112373
Reported: 2014-01-23 20:37 UTC by A. Jesse Jiryu Davis
Modified: 2014-10-14 08:27 UTC (History)

Fixed In Version: python-kerberos-1.1-7.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1057338 1112373 (view as bug list)
Environment:
Last Closed: 2014-10-14 08:27:34 UTC
Target Upstream Version:


Attachments (Terms of Use)
demonstration program (1.07 KB, text/x-python)
2014-02-11 20:30 UTC, Rob Crittenden


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1600 0 normal SHIPPED_LIVE python-kerberos bug fix update 2014-10-14 01:39:43 UTC

Description A. Jesse Jiryu Davis 2014-01-23 20:37:37 UTC
Description of problem:

python-kerberos 1.1 includes an off-by-one bug, with the result that it incorrectly encodes the Kerberos username into a GSSAPI message and authentication always fails. The bug was reported and fixed upstream:

http://trac.calendarserver.org/ticket/355

Version-Release number of selected component (if applicable):

1.1

How reproducible:

Always.

Additional info:

Remove the " + 1" from the end of line 358 in python-kerberos-1.1/src/kerberosgss.c and rebuild python-kerberos. Authentication now succeeds. This is the fix to issue 355 upstream:

http://trac.calendarserver.org/ticket/355

http://trac.calendarserver.org/changeset?reponame=&new=4895%40PyKerberos%2Ftrunk&old=4241%40PyKerberos%2Ftrunk

Comment 2 A. Jesse Jiryu Davis 2014-01-23 20:58:49 UTC
Discovered via this PyMongo bug report:

https://jira.mongodb.org/browse/PYTHON-626

Comment 3 Rob Crittenden 2014-02-11 20:30:41 UTC
Created attachment 861987
demonstration program

You need a Kerberos server to test against. I tested with IPA using this:

# ipa-server-install ...
# kinit admin
# ipa service-add test/`hostname` --force
# ipa-getkeytab -s `hostname` -p test/`hostname` -k test.keytab
# export KRB5_KTNAME=`pwd`/test.keytab
# python wrap.py 

Prior to the fix the response is 'admin@EXAMPLE.COM\x00' and with the fix just 'admin@EXAMPLE.COM' where EXAMPLE.COM is your Kerberos realm.
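
Added example (not part of this bug report or of the python-kerberos source): a minimal C model of the off-by-one from the description and of the '\x00' difference shown in Comment 3. The 4-byte header, its value, and the helper names `build_payload` and `peer_accepts` are assumptions made for illustration; the receiver is a hypothetical peer that compares the length-delimited name byte for byte.

```c
#include <stdio.h>
#include <string.h>

#define HDR_LEN 4 /* assumed layout: 4 header bytes, then the username */

/* Build header + username in out. Returns the length that would be handed to
 * the wrap call, or 0 if the buffer is too small. count_nul=1 models the
 * off-by-one: the C string terminator is counted as payload. */
size_t build_payload(unsigned char *out, size_t cap, const char *user, int count_nul)
{
    size_t ulen = strlen(user);
    if (cap < HDR_LEN + 1 || ulen > cap - HDR_LEN - 1)
        return 0;
    memset(out, 0, HDR_LEN);
    out[0] = 1;                               /* constructed header value */
    memcpy(out + HDR_LEN, user, ulen + 1);    /* copy including '\0' */
    return HDR_LEN + ulen + (count_nul ? 1 : 0);
}

/* Hypothetical receiver: length-delimited, byte-exact comparison. */
int peer_accepts(const unsigned char *msg, size_t len, const char *expected)
{
    size_t elen = strlen(expected);
    return len >= HDR_LEN && len - HDR_LEN == elen &&
           memcmp(msg + HDR_LEN, expected, elen) == 0;
}

/* Print the username bytes as a receiver sees them, escaping non-printables. */
static void show(const char *label, const unsigned char *msg, size_t len)
{
    printf("%-6s len=%2zu user='", label, len);
    for (size_t i = HDR_LEN; i < len; i++) {
        if (msg[i] >= 0x20 && msg[i] < 0x7f) putchar(msg[i]);
        else printf("\\x%02x", msg[i]);
    }
    printf("'\n");
}

int main(void)
{
    const char *user = "admin@EXAMPLE.COM";   /* sample principal */
    unsigned char buf[64];
    size_t n;

    n = build_payload(buf, sizeof buf, user, 1);
    show("buggy", buf, n);
    printf("  accepted: %d\n", peer_accepts(buf, n, user));
    n = build_payload(buf, sizeof buf, user, 0);
    show("fixed", buf, n);
    printf("  accepted: %d\n", peer_accepts(buf, n, user));
    return 0;
}
```
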

Comment 5 Namita Soman 2014-09-08 19:06:02 UTC
Verified using ipa-server-3.0.0-42.el6.x86_64, python-kerberos-1.1-7.el6.x86_64

Took steps as recommended above:

# kinit admin
Password for admin@TESTRELM.TEST:

# ipa service-add test/`hostname` --force
----------------------------------------------------------
Added service "test/idm-qe-03.testrelm.test@TESTRELM.TEST"
----------------------------------------------------------
  Principal: test/idm-qe-03.testrelm.test@TESTRELM.TEST
  Managed by: idm-qe-03.testrelm.test

# ipa-getkeytab -s `hostname` -p test/`hostname` -k test.keytab
Keytab successfully retrieved and stored in: test.keytab

# export KRB5_KTNAME=`pwd`/test.keytab

# vim wrap.py [Updated service = "test@idm-qe-03.testrelm.test" ]

# python wrap.py
User 'admin@TESTRELM.TEST'

Comment 6 errata-xmlrpc 2014-10-14 08:27:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1600.html

