[OpenAFS] klog.krb creates invalid K4 ticket files on x86_64 Linuxes

Russ Allbery rra@stanford.edu
Thu, 09 Aug 2007 11:07:30 -0700

Rainer Toebbicke <rtb@pclella.cern.ch> writes:

> AFS defines the "issue-date" in the ticket file alike the token
> "startTime" to be an afs_int32, whereas krb4 in MIT Kerberos 5 considers
> it a "long". Problems hence arise on platforms where long != afs_int32 -
> krb4-aware applications such as cvs fail because of invalid tickets.

> This is of course an issue only for very conservative installations -
> replacing klog.krb by Heimdal kinit or a MIT-kinit+aklog+krb524init
> script is a reasonable bypass.

> Could something break? KTH Kerberos and hence Heimdal with Krb4 used to
> consider this field a hard 32 bit as well, Debian sarge users *could*
> run into problems but AFAIK there is no sarge for amd64 and anyway they
> would use "kinit" and not klog.krb.

Yes, different Kerberos v4 libraries just don't agree on the size of this
field.  I'm not sure there's really a "right" file format.

I would argue that there's some possibility we care more about being
compatible with KTH Kerberos than with MIT Kerberos v4 compat libraries,
given that KTH Kerberos shipped with AFS support and may be more likely to
be in use at AFS installations.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>