getprinc problems in 1.8b1

Marcus Watts mdw at umich.edu
Wed Feb 24 11:55:37 EST 2010 

Another set of problems surfaced recently here -- we found this
specifically in 1.6.3, but it turns out the problem got
worse in 1.7 and still exists in 1.8b1.

1. clarification
2. the problem
3. a patch
4. test script
5. sample output
6. perl gotcha

____ 1. clarification

To be clear: these problems both predate 1.8b1, and
don't manifest in the cli, only in code people might
write to use the administrative api directly.

____ 2. the problem

getprinc takes a mask that describes which attributes
it's supposed to return.  This can't be exercised from
the cli - it always asks for all attributes.  It can however
be exercised from C, perl, or (in our case) java.

There are 2 problems actually.  The first has to do with
KADM5_MOD_NAME.  If this attribute is NOT set, but
KADM5_MOD_TIME is, mod_name still returned.  Additionally,
if KADM5_PRINCIPAL is set, principal may not be returned
even though it should be.  Basically, the code is suppressing
the wrong returned data value.  This has been true since at least 1.6.3

The second has to do with mkvno.  This value is always
returned, regardless of whether KADM5_MKVNO is set.
This was new behavior in 1.7.  (1.6.3 had different
possibly broken behavior.)

____ 3. a patch

Here is a patch that fixes both problems,
/afs/umich.edu/group/itd/build/mdw/krb5.15x/patches/krb5-1.8b1-getprinc.patch

____ 4. test script

Here's a perl script that can be used to exercise this problem,
/afs/umich.edu/group/itd/build/mdw/comma/test-p5-getprinc

This needs
Authen::Krb5
Authen::Krb5::Admin
both available from cpan.

____ 5. sample output

and here's sample output, 4 test cases without
and with the patch:

without,

== test-p5-getprinc mdw last_modified_by
last_modified_by=admin at CATS.UMICH.EDU
mkvno=2

== test-p5-getprinc mdw principal last_modified_date
last_modified_by=admin at CATS.UMICH.EDU
last_modified_date=1264810906
mkvno=2

== test-p5-getprinc mdw principal last_modified_date last_modified_by
last_modified_by=admin at CATS.UMICH.EDU
last_modified_date=1264810906
mkvno=2
principal=mdw at CATS.UMICH.EDU

== test-p5-getprinc mdw mkvno
mkvno=2

with the patch,

== test-p5-getprinc mdw last_modified_by
last_modified_by=admin at CATS.UMICH.EDU

== test-p5-getprinc mdw principal last_modified_date
last_modified_date=1264810906
principal=mdw at CATS.UMICH.EDU

== test-p5-getprinc mdw principal last_modified_date last_modified_by
last_modified_by=admin at CATS.UMICH.EDU
last_modified_date=1264810906
principal=mdw at CATS.UMICH.EDU

== test-p5-getprinc mdw mkvno
mkvno=2

____ 6. perl gotcha

In the case of using perl, failing to return mod_name means
that naive code that looks at $ap->mod_name->data will segment
faults in the perl, attempting to dereference mod_name = 0.
Obviously the perl module could stand improvement too.

				-Marcus Watts

More information about the krbdev mailing list