Hello all,
it seem we have found proper origin of problems on our Digital Unix 4.0D
server, where users getting /usr/athena/bin/login for authorization were getting
UID 0 (proper UID, GID, but LUID = 0 ). I communicated with a developer of
kerberos IV and one person related to Digital developers in February '98, about
this problem. The conclusion was that it's a bug in DU.
This problem we found with 0.9.8 release of krb4 right after moving from Digital
Unix 4.0B to 4.0D. Because we did not recompile krb4 binaries, we knew the
problem must be in shared libs in 4.0D.
The machine has now installed all patches available from Digital up-to-date.
We run Krb-0.9.9, have properly modified /etc/sia/matrix.conf to support
kerberos.
We hope still it's a bug in Digital SIA modules, not in Kerberos modules, but
want to check.
Today we noticed strange behavior. User root was getting his tickets overwritten
with user tickets. Simply owner of /tmp/tkt0 was someone else, the file was a
valid ticket .... ;-)
Problem was tracked to IMAP-4.2. IMAP was compiled without kerberosIV suuport,
but with OSF C2 support. We newer made it work with kerberos, although we wanted
VERY much IMAP to support KRB4! So user applications periodically logging in
like netscape mail were somehow leaving tickets for these users in /tmp/tkt0.
Briefly: After logging in using IMAP daemon, they got login UID of 0, I don't
know why they got a ticket, because imap was not compiled to support kerberos,
but simply their tickets were saved in /tmp/tkt$LUID.
We wrote a small demo program, running on some port from /etc/inetd.conf.
The program just logged in some user, printed return value, login UID,
and gave you "somehow" ticket of that user. See below.
The questions are:
1. Is this function really on in libc, or is is also in any of kerberos parts?
(Can someone check krb4-sources).
2. Is the problem with /usr/athena/bin/login related to same buggy function,
i.e. for same reason gives the user LUID = 0 ?
( login.c does not seem to call sia_validate_user directly).
3. Can someone successfully test it also on his machines? Results?
4. Any explanation why user of applications NOT supporting kerberos were getting
tickets?
TIA
Martin
--------------------
root_at_prfdec# klist
Ticket file: /tmp/tkt0
klist: No ticket file (tf_util)
root_at_prfdec# telnet www 24
Trying 195.113.56.1...
Connected to prfdec.natur.cuni.cz.
Escape character is '^]'.
1
luid = 4294967295
Connection closed by foreign host.
root_at_prfdec# klist
Ticket file: /tmp/tkt0
Principal: komanek_at_NATUR.CUNI.CZ
Issued Expires Principal
Aug 18 17:29:30 Aug 18 19:34:30 krbtgt.NATUR.CUNI.CZ_at_NATUR.CUNI.CZ
Aug 18 17:29:30 Aug 18 19:34:30 rcmd.prfdec_at_NATUR.CUNI.CZ
root_at_prfdec# more demo.c
/* - Works on Digital Unix 4.0D, jumbo patch duv40das00002-19980717.tar installed */
/* - needs to compiled with -lsecurity */
/* - hostname may not be a real name */
#define NIL NULL
#include <prot.h>
#include <sia.h>
#include <siad.h>
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char *argv[]) {
printf("\n%d\n\n",sia_validate_user(NIL,argc,argv,"hostname","username",NIL,NIL,NIL,"password"));
printf("luid = %ld\n", (long)getluid());
}
-------------------------------------------------------------------------
| Martin MOKREJS - Net&SysAdmin |
| PGP 5.0i key at: finger://mail.natur.cuni.cz/mmokrejs |
| mmokrejs_at_natur.cuni.cz Faculty of Science, The Charles University |
| tel.: +420-2-2195 2315 Albertov 6, PRAGUE 2, 128 43, Czech Republic |
-------------------------------------------------------------------------
Received on Tue Aug 18 1998 - 16:22:24 NZST