krb5-sync 1.1

MIT Kerberos uses an annoying structure for Kerberos principals. Rather than giving you nul-terminated strings, all the portions of a Kerberos principal are krb5_data structs with a length attribute. It is nice in that it means principals could contain nul characters if anyone wished, but it's hard to deal with in C.

It turns out that kadmin nul-terminates principal instances, and the previous krb5-sync versions were relying on that. However, when processing kpasswd protocol requests, it doesn't, which was causing root instances to not be propagated properly into Kerberos v4 at Stanford (and may be behind some of the crashes we were seeing in kadmind). My previous code for checking the instance for propagation also didn't cope with some cases where the instance was a substring of an allowed instance.

I rewrote the whole checking loop as a state machine to fix both of these problems, and now it seems to work.
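The following C example is added for illustration and is not krb5-sync's own code. It shows a length-aware instance check that copes with both problems described above, an instance that is not nul-terminated and an instance that is only a substring of an allowed one, using a length comparison plus memcmp rather than the state machine mentioned in this post. The struct counted type (a stand-in for krb5_data), the allowed list, and the sample buffer are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for MIT Kerberos's krb5_data: a counted buffer, not a C string. */
struct counted {
    unsigned int length;
    const char *data;
};

/* Hypothetical allow list of instances to propagate (constructed). */
static const char *const allowed[] = { "root", "admin", NULL };

/* Return 1 only if the counted component equals an allowed instance exactly.
 * Never reads past data[length - 1], so a missing terminator is harmless. */
static int instance_allowed(const struct counted *inst)
{
    size_t i;

    for (i = 0; allowed[i] != NULL; i++) {
        if (strlen(allowed[i]) != inst->length)
            continue;           /* rejects "roo" as well as "root@" */
        if (memcmp(allowed[i], inst->data, inst->length) == 0)
            return 1;
    }
    return 0;
}

/* Helper for the samples: treat the first len bytes of buf as the instance. */
static int check(const char *buf, unsigned int len)
{
    struct counted c;

    c.length = len;
    c.data = buf;
    return instance_allowed(&c);
}

int main(void)
{
    /* Constructed buffer: "root" followed by other bytes, no terminator. */
    static const char wire[] = { 'r', 'o', 'o', 't', '@', 'X' };

    printf("root (unterminated): %d\n", check(wire, 4));
    printf("roo  (substring):    %d\n", check(wire, 3));
    printf("root@ (too long):    %d\n", check(wire, 5));
    return 0;
}
```

Because the length is compared before any bytes are read, an instance containing an embedded nul is also rejected instead of being silently truncated.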

You can get the latest version from the krb5-sync distribution page.

Posted: 2007-08-27 14:58

Last spun 2022-02-06 from thread modified 2013-01-04