Date: Tue, 6 Sep 2011 05:05:01 GMT
From: Ben Kaduk <kaduk@mit.edu>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/160500: [patch] security/krb5 take upstream patch to fix kadmin
Message-ID: <201109060505.p86551cb059840@red.freebsd.org>
Resent-Message-ID: <201109060510.p865A2qH071184@freefall.freebsd.org>
>Number:         160500
>Category:       ports
>Synopsis:       [patch] security/krb5 take upstream patch to fix kadmin
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 06 05:10:01 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Ben Kaduk
>Release:        9-current
>Organization:
MIT SIPB
>Environment:
FreeBSD ambage.mit.edu 9.0-CURRENT FreeBSD 9.0-CURRENT #29: Thu May 12 23:38:56 EDT 2011     kaduk@hysteresis.mit.edu:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
I recently needed to bump the kvno of a keytab at a site with an MIT Kerberos deployment (i.e. ATHENA.MIT.EDU). The pain of running MIT krb5 on a system with Heimdal in base aside, once I set up a jail built with WITHOUT_KERBEROS=yes and installed krb5, I was *still* unable to use k5srvutil (well, kadmin) to update the key (or, in fact, do anything with kadmin):

# KRB5_TRACE=/dev/stdout kadmin -p zonetest
Authenticating as principal zonetest with password.
Password for zonetest@ATHENA.MIT.EDU: [inputs password]
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface

On the MIT Zephyr IM system, Kerberos developer Greg Hudson suggested that I needed a patch which is due to come out in 1.9.2:
https://github.com/krb5/krb5-anonsvn/commit/043533c2f13d2bc69316fdf5ef80f0db581df40f

Getting an actual patch file from the GitHub interface seems difficult, but I applied the patch ~by-hand to produce the attached.

Please consider including the patch in our port pending the 1.9.2 release.
>How-To-Repeat:
Try to use kadmin.
>Fix:
Patch attached with submission follows:

--- lib/rpc/clnt_tcp.c.orig	2011-09-06 02:05:14.000000000 +0000
+++ lib/rpc/clnt_tcp.c	2011-09-06 02:10:30.000000000 +0000
@@ -187,9 +187,16 @@ ct->ct_sock = *sockp; ct->ct_wait.tv_usec = 0; ct->ct_waitset = FALSE; - if (raddr == NULL) - memset(&ct->ct_addr, 0, sizeof(ct->ct_addr)); + if (raddr == NULL) { + /* Get the remote address from the socket, if it's IPv4. */ + struct sockaddr_in sin; + socklen_t len = sizeof(sin); + int ret = getpeername(ct->ct_sock, (struct sockaddr *)&sin, &len); + if (ret == 0 && len == sizeof(sin) && sin.sin_family == AF_INET) + ct->ct_addr = sin; else + memset(&ct->ct_addr, 0, sizeof(ct->ct_addr)); + } else ct->ct_addr = *raddr; /* >Release-Note: >Audit-Trail: >Unformatted:
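Review bot: the new `raddr == NULL` branch only fills in `ct->ct_addr` when getpeername() reports an AF_INET peer; for an IPv6 peer `len` will not equal `sizeof(sin)` (or `sin_family` will not be AF_INET), so the code falls through to the same `memset(&ct->ct_addr, 0, ...)` as before and whatever consumer of `ct_addr` fails on a zeroed address today will keep failing over IPv6. Since `ct_addr` is a `struct sockaddr_in` (the hunk assigns `ct->ct_addr = sin;` directly), widening it to `struct sockaddr_storage` is out of scope here, but the comment should state that non-IPv4 peers are deliberately left zeroed rather than only "if it's IPv4", so the next reader knows the limitation is intentional. The guard order `ret == 0 && len == sizeof(sin) && sin.sin_family == AF_INET` is right, as it never reads `sin` when the call failed or the buffer was truncated. Two smaller points: the unchanged `else` context line between `ct->ct_addr = sin;` and the added `memset(...)` used to pair with the outer `if (raddr == NULL)` and now pairs with the inner `if (ret == 0 ...)`, so check that its indentation matches the inner `if`; and confirm clnt_tcp.c already includes <sys/socket.h> and <netinet/in.h>, since the hunk introduces getpeername() and `struct sockaddr_in` without adding any includes.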
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201109060505.p86551cb059840>