[OpenAFS] Usernames in pts

Mikkel Kruse Johnsen mikkel@linet.dk
Wed, 01 Aug 2007 12:42:56 +0200


Hi Russ

Just patched with the attached patch. But it doesn't work.

Is that the only place? To me it seems that the name is split and it
checks if the first char is '.' (a dot). It should not split the name.

/Mikkel

On Wed, 2007-08-01 at 03:20 -0700, Russ Allbery wrote:

> Mikkel Kruse Johnsen <mikkel@linet.dk> writes:
> 
> > All of this is checked. If I do the same with a user not containing a
> > dot "root@CBS.DK" then it works. So it is because there is a dot in my
> > name.
> 
> You're being bitten by the code that tries to convert Kerberos v5
> principal names to the Kerberos v4 convention used by AFS.
> 
>     /* 
>      * If the first part of the name_string contains a dot, punt since
>      * then we can't see the diffrence between the kerberos 5
>      * principals foo.root and foo/root later in the fileserver.
>      */
>     if (strchr(decr_part.cname.name_string.val[0], '.') != NULL)
>         goto bad_ticket;
> 
> (rxkad/ticket5.c).  I'm afraid you might be out of luck, at least with the
> current version of AFS, unless you patch this code and remove this check
> in your file servers.
> 

Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: mikkel@linet.dk
www: http://www.linet.dk

Attachment: openafs-1.4.3-dot.patch

diff -r -u openafs-1.4.3.orig/src/rxkad/ticket5.c openafs-1.4.3/src/rxkad/ticket5.c
--- openafs-1.4.3.orig/src/rxkad/ticket5.c	2006-06-30 01:25:49.000000000 +0200
+++ openafs-1.4.3/src/rxkad/ticket5.c	2007-08-01 12:27:32.000000000 +0200
@@ -323,8 +323,8 @@
      * then we can't see the diffrence between the kerberos 5
      * principals foo.root and foo/root later in the fileserver.
      */
-    if (strchr(decr_part.cname.name_string.val[0], '.') != NULL)
-	goto bad_ticket;
+    //if (strchr(decr_part.cname.name_string.val[0], '.') != NULL)
+	//goto bad_ticket;
 
     /* Verify that decr_part.key is of right type */
     switch (decr_part.key.keytype) {
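
Review bot: commenting out the test with `//` on the two `+` lines leaves the comment block directly above it describing a check that no longer runs, and with it gone the case that comment names (foo.root and foo/root being indistinguishable later in the fileserver) is accepted at ticket decode instead of rejected. If dotted first components have to be allowed, gate the test behind an explicit option rather than disabling it unconditionally, update the comment to say when it applies, and use /* */ instead of // to match the C comments around it.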

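
The ambiguity named in the quoted source comment, as an added example that is not OpenAFS code and not part of the original mail: Kerberos v4 writes a principal as name.instance, so a v5 principal whose first component already contains a dot flattens to the same string as a two-component one. The struct and helper names are hypothetical and the sample principals are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a v5 principal: its name components only. */
struct principal {
    const char *comp[2];   /* comp[1] == NULL when there is no instance */
};

/* Flatten to the v4-style "name.instance" form (hypothetical helper).
 * Returns 0 on success, -1 if the result does not fit in out. */
static int flatten_v4(const struct principal *p, char *out, size_t len)
{
    int n;
    if (p->comp[1] != NULL)
        n = snprintf(out, len, "%s.%s", p->comp[0], p->comp[1]);
    else
        n = snprintf(out, len, "%s", p->comp[0]);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Same test as the quoted check: no dot allowed in the first component. */
static int first_component_ok(const struct principal *p)
{
    return strchr(p->comp[0], '.') == NULL;
}

/* 1 if the two principals are indistinguishable once flattened. */
static int collide(const struct principal *a, const struct principal *b)
{
    char fa[64], fb[64];
    if (flatten_v4(a, fa, sizeof fa) != 0 || flatten_v4(b, fb, sizeof fb) != 0)
        return 0;
    return strcmp(fa, fb) == 0;
}

int main(void)
{
    /* Constructed samples, named after the source comment. */
    struct principal dotted = { { "foo.root", NULL } };  /* foo.root */
    struct principal admin  = { { "foo", "root" } };     /* foo/root */

    printf("collide after flattening: %d\n", collide(&dotted, &admin));
    printf("foo.root passes check:    %d\n", first_component_ok(&dotted));
    printf("foo/root passes check:    %d\n", first_component_ok(&admin));
    return 0;
}
```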