Opened 13 months ago

#1608 new defect

Fix and enhance kerberos username checking

Reported by: opoplawski Owned by:
Priority: normal Milestone:
Component: sge Version: 8.1.9
Severity: minor Keywords:


I'm running in an IPA/Active Directory trust setup where the users are stored in the AD domain (@AD.NWRA.COM), and the hosts are in the IPA domain (@NWRA.COM). Therefore the code in gsslib_put_credentials that was using gss_compare_name() to compare users ended up comparing "orion" to "orion@…". I changed that part of the code to also try using gss_localname() to convert the client principal to a local username and comparing that.

Also, the later code that called krb5_kuserok() segfaulted because it was erroneously casting gss_name_t to krb5_principal. The second part of the patch attempts to do this conversion properly but as of now that is untested.

Also, the code in this patch attempts to initialize and free buffers appropriately, which is not done in much of the rest of the code in sge_gsslib.c. This probably isn't a big deal at the moment as this is currently executed by short lived executables. But if this is ever moved into sge_qmaster/execd directly it will be a problem.

Attachments (2)

sge-krb5.patch (4.3 KB) - added by opoplawski 13 months ago.
0002-Silence-security-gss-sge_gsslib.c-151-14-warning-var.patch (1.2 KB) - added by opoplawski 13 months ago.
Silence unused variable warning

Download all attachments as: .zip

Change History (2)

Changed 13 months ago by opoplawski


Changed 13 months ago by opoplawski

Silence unused variable warning

Note: See TracTickets for help on using tickets.