Opened 3 years ago

Closed 2 years ago

#1608 closed defect (fixed)

Fix and enhance kerberos username checking

Reported by: opoplawski Owned by:
Priority: normal Milestone:
Component: sge Version: 8.1.9
Severity: minor Keywords:


I'm running in an IPA/Active Directory trust setup where the users are stored in the AD domain (@AD.NWRA.COM), and the hosts are in the IPA domain (@NWRA.COM). Therefore the code in gsslib_put_credentials that was using gss_compare_name() to compare users ended up comparing "orion" to "orion@…". I changed that part of the code to also try using gss_localname() to convert the client principal to a local username and comparing that.

Also, the later code that called krb5_kuserok() segfaulted because it was erroneously casting gss_name_t to krb5_principal. The second part of the patch attempts to do this conversion properly but as of now that is untested.

Also, the code in this patch attempts to initialize and free buffers appropriately, which is not done in much of the rest of the code in sge_gsslib.c. This probably isn't a big deal at the moment as this is currently executed by short-lived executables. But if this is ever moved into sge_qmaster/execd directly it will be a problem.

Attachments (2)

sge-krb5.patch (4.3 KB) - added by opoplawski 3 years ago.
0002-Silence-security-gss-sge_gsslib.c-151-14-warning-var.patch (1.2 KB) - added by opoplawski 3 years ago.
Silence unused variable warning


Change History (3)

Changed 3 years ago by opoplawski


Changed 3 years ago by opoplawski

Silence unused variable warning

comment:1 Changed 2 years ago by dlove

  • Resolution set to fixed
  • Status changed from new to closed

In 4984/sge:

Fix #1608: Fix and enhance kerberos username checking
