
Default credentials cache type on Mac OS changed from "API:" to "FILE:"

Open SimonWilkinson opened this issue 4 years ago • 8 comments

With version 7.x, the default credentials cache type on Mac OS is "API:", which allows Heimdal to interoperate with the system Kerberos (which never defines KRB5CCNAME).

With master, the default credentials cache type is "FILE:", which breaks compatibility with the system Kerberos unless the user explicitly sets KRB5CCNAME.

SimonWilkinson, Aug 28 '20 11:08

Looks like this could have been introduced in f70ccfa967. The get_default_cc_type() function does not respect KRB5_DEFAULT_CCTYPE, which is defined differently on Apple platforms.

lhoward, Aug 29 '20 02:08

@nicowilliams, should get_default_cc_type() ever return NULL? Some callers assume it never returns NULL, but this also means that krb5_cc_configured_default_name() will not execute the code subsequent to its invocation (from #ifdef WIN32) which may not be what is intended.

lhoward, Aug 29 '20 02:08

diff --git a/lib/krb5/cache.c b/lib/krb5/cache.c
index a752f65f3..43c936f42 100644
--- a/lib/krb5/cache.c
+++ b/lib/krb5/cache.c
@@ -283,7 +283,7 @@ get_default_cc_type(krb5_context context, int simple)
                 return context->cc_ops[i]->prefix;
         }
     }
-    return def_cctype ? def_cctype : "FILE";
+    return def_cctype ? def_cctype : KRB5_DEFAULT_CCTYPE->prefix;
 }
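Review bot: the fallback on the `+` line, `KRB5_DEFAULT_CCTYPE->prefix`, is returned without confirming that the type it names is among the registered `context->cc_ops` that the loop above searches; the thread notes KRB5_DEFAULT_CCTYPE is defined differently on Apple platforms, so a build that registers a different set of backends would be handed a prefix no caller can resolve. Consider running the platform default through the same `context->cc_ops[i]->prefix` lookup and keeping a literal "FILE" fallback only when that lookup misses, and add a comment next to the fallback stating that the default is platform-specific, since the follow-up comment already flags that the Windows logic in krb5_cc_configured_default_name() may need to move into this function.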

should fix @SimonWilkinson's report, but this is probably not the complete solution. Likely some of the logic from krb5_cc_configured_default_name() needs to be moved into get_default_cc_type(), to not regress on Windows.

lhoward, Aug 29 '20 03:08

Functions which assume get_default_cc_type() does not return NULL:

  • krb5_cc_new_unique()
  • krb5_cc_default_sub()/krb5_cc_default_for() (AFAICT)

Can return NULL:

  • krb5_cc_resolve_sub()
  • krb5_cc_configured_default_name()

lhoward, Aug 29 '20 03:08
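The behaviour discussed in the comments above (KRB5CCNAME overriding a platform-specific default cache type, and the requirement that the resolver never hand NULL to callers like krb5_cc_new_unique()) as an added standalone example. This is not Heimdal's code and not code posted by anyone in this thread: the cc_ops table, make_context(), cc_type_of_name(), resolve_default_cc_type() and the KRB5CCNAME parsing rules are this example's own assumptions, modelled loosely on the functions named above. The platform default is passed in at run time in place of the compile-time KRB5_DEFAULT_CCTYPE so both the Apple and the non-Apple case can be exercised in one run.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* One credential-cache backend; a real library carries function pointers too.
 * Everything in this file is an illustrative model, not Heimdal's API. */
struct cc_ops { const char *prefix; };

static const struct cc_ops fcc_ops = { "FILE" };
static const struct cc_ops acc_ops = { "API" };
static const struct cc_ops kcm_ops = { "KCM" };

struct context {
    const struct cc_ops *ops[8];            /* registered backends */
    size_t nops;
    const struct cc_ops *platform_default;  /* stands in for KRB5_DEFAULT_CCTYPE */
    const char *config_default;             /* [libdefaults] default_cc_type, or NULL */
};

static struct context make_context(const struct cc_ops *platform_default,
                                   const char *config_default)
{
    struct context ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.ops[ctx.nops++] = &fcc_ops;
    ctx.ops[ctx.nops++] = &acc_ops;
    ctx.ops[ctx.nops++] = &kcm_ops;
    ctx.platform_default = platform_default;
    ctx.config_default = config_default;
    return ctx;
}

/* Copy the TYPE part of a "TYPE:residual" cache name into buf. A name with
 * no colon, or a Windows-style drive letter ("C:\..."), is a bare path and
 * is therefore treated as FILE (assumed rule for this example). */
static const char *cc_type_of_name(const char *name, char *buf, size_t buflen)
{
    const char *colon = strchr(name, ':');
    if (colon == NULL ||
        (colon == name + 1 && (colon[1] == '\\' || colon[1] == '/'))) {
        snprintf(buf, buflen, "FILE");
        return buf;
    }
    size_t n = (size_t)(colon - name);
    if (n >= buflen)
        n = buflen - 1;
    memcpy(buf, name, n);
    buf[n] = '\0';
    return buf;
}

/* Return the registered backend's own prefix string, or NULL if unknown. */
static const char *registered_prefix(const struct context *ctx, const char *type)
{
    for (size_t i = 0; i < ctx->nops; i++)
        if (strcmp(ctx->ops[i]->prefix, type) == 0)
            return ctx->ops[i]->prefix;
    return NULL;
}

/* Resolution order: KRB5CCNAME (passed in instead of read with getenv so the
 * example is deterministic), then the configured default, then the platform
 * default. Never returns NULL: callers dereference the result. */
static const char *resolve_default_cc_type(const struct context *ctx,
                                           const char *krb5ccname)
{
    char buf[32];
    const char *p;

    if (krb5ccname != NULL && krb5ccname[0] != '\0') {
        p = registered_prefix(ctx, cc_type_of_name(krb5ccname, buf, sizeof buf));
        if (p != NULL)
            return p;
        /* Unknown type in KRB5CCNAME: ignore it and keep resolving. */
    }
    if (ctx->config_default != NULL) {
        p = registered_prefix(ctx, ctx->config_default);
        if (p != NULL)
            return p;
    }
    if (ctx->platform_default != NULL) {
        p = registered_prefix(ctx, ctx->platform_default->prefix);
        if (p != NULL)
            return p;
    }
    /* Platform default unset or not registered: fall back to the first
     * registered backend rather than returning NULL. */
    return ctx->nops > 0 ? ctx->ops[0]->prefix : "FILE";
}

int main(void)
{
    struct context mac = make_context(&acc_ops, NULL);   /* Apple-like default */
    struct context lin = make_context(&fcc_ops, NULL);   /* everyone else */
    printf("mac, no KRB5CCNAME:        %s\n", resolve_default_cc_type(&mac, NULL));
    printf("mac, KRB5CCNAME=/tmp/cc:   %s\n", resolve_default_cc_type(&mac, "/tmp/cc"));
    printf("linux, KRB5CCNAME=KCM:501: %s\n", resolve_default_cc_type(&lin, "KCM:501"));
    return 0;
}
```

The point of the last two fallbacks is the one raised above: a platform default that is not in the registered table, or a NULL default, still yields a registered prefix, so the callers listed as assuming a non-NULL result keep working while the Apple build gets "API" and other builds get "FILE" when KRB5CCNAME is unset.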

@SimonWilkinson wrote: With 0c0ac807c18bec2af4323894e299520b026aa781 and no KRB5CCNAME set, and running "kinit" from a remote shell session, I get "kinit: resolving credentials cache: No credentials cache file found"

jaltman, Aug 31 '20 13:08

If you change the behaviour of how the default CC is found, please make it consistent among all the k* commands and check that the behaviour is like the manual page describes it, especially with respect to what effect setting KRB5CCNAME has. This is for example not the case with the binaries delivered in macOS Big Sur.

Regards, Harald.

habazut, Apr 20 '21 20:04

Binaries delivered on Big Sur are not from this project. Apple forked years ago.

jaltman, Apr 20 '21 21:04

There have been fixes since. Can you try again?

nicowilliams, Apr 20 '21 23:04