Groups | Search | Server Info | Login | Register
Groups > comp.protocols.kerberos > #5379
| Path | csiph.com!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail |
|---|---|
| From | "A. Karl Kornel" <karl@kornel.us> |
| Newsgroups | comp.protocols.kerberos |
| Subject | Re: macOS API ccache, kinit for multiple principals gives internal credentials cache error |
| Date | Mon, 17 Feb 2025 15:18:09 -0800 |
| Organization | TNet Consulting |
| Lines | 86 |
| Message-ID | <mailman.151.1739834302.2322.kerberos@mit.edu> (permalink) |
| References | <454ad95255b0e02a0ad42e2f2687740e@kornel.us> <202502130017.51D0Hgug009261@hedwig.cmf.nrl.navy.mil> <5088ed0bca390db875d6322977d681c6@kornel.us> |
| MIME-Version | 1.0 |
| Content-Type | text/plain; charset=UTF-8; format=flowed |
| Content-Transfer-Encoding | 8bit |
| Injection-Info | tncsrv06.tnetconsulting.net; posting-host="mailman.mit.edu:18.7.21.50"; logging-data="5956"; mail-complaints-to="newsmaster@tnetconsulting.net" |
| Cc | kerberos@mit.edu |
| To | Ken Hornstein <kenh@cmf.nrl.navy.mil> |
| DKIM-Filter | OpenDKIM Filter v2.11.0 unknown-host (unknown-jobid) |
| Authentication-Results | mailman.mit.edu; dkim=pass (1024-bit key, unprotected) header.d=mitprod.onmicrosoft.com header.i=@mitprod.onmicrosoft.com header.a=rsa-sha256 header.s=selector2-mitprod-onmicrosoft-com header.b=FLk/tV0O |
| ARC-Seal | i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=vXj+oE3hDcWA68oV46vx3X+cpXT1QYoFwmQnUguewu4vaqo9xGmN2qToJ/ED/t1o+7MwPHKMe4sE8UtuaIuhGWDcoUqjthko3docCrS7z7en43NjvG3aZALBrAuLDKZDH2QVlqQplv91RxUFmhQ3lf/hyTy89C8KEscuNUvofWl5UcsZ63KAKQsVL1DR6BraEr8evBOII16I1oSUwCVcYum54vBeqFPWW5ODK6WmTYR1z77YCIVpFHrysF3BZUXrUGxDV/5zXnlSho4p4S9apUfYXYt6HaZ8zXBEMALkpS9zDUNf9rq/Qlr2Yuk1kO9wMdJ1KzkDAsQKYMjESvyksA== |
| ARC-Message-Signature | i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=oPwqm51NxMzZIxNjohptkMrDzHgE0tZmZm0uvg11Cl4=; b=P08D2YxiJFstY4TGCBt/BhOVjoPXsrnBAJ5V7Qw9L8nbIgUSh31BUGNF+gKZOYWWy+dNfDsqb8ldOt6RvbMiTWEibBVxhRPpHg+J0Ng3XZZEGuPLnj7W4TSTwiApuHTSGOCufhtINlvC0iS/JOygRwdK0R4If9dLCKR99475Kn1bxx4vhPRmdYES/ihJZUjRy+qsIWwwwkf+ZjWxicrgn4KaEGG/F3JA9lyehLVC12g4AiWj/8KzyAO8ut8k8LAn/BltRmDDwkXlAi4TZqv3TfUkXXgjv2ydQy/wBx+CsrklxFY1OkMy/HBoPvVp4EQZjUGjlod6Ky0zzaY6abEoGw== |
| ARC-Authentication-Results | i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.40.44.12) smtp.rcpttodomain=mit.edu smtp.mailfrom=kornel.us; dmarc=bestguesspass action=none header.from=kornel.us; dkim=none (message not signed); arc=none (0) |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitprod.onmicrosoft.com; s=selector2-mitprod-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=oPwqm51NxMzZIxNjohptkMrDzHgE0tZmZm0uvg11Cl4=; b=FLk/tV0O1KrqRVx8ZDWgZBiujG3ZWh3N8RNzZCbAXuM1tbIaM9a7ynRLpPiHGDIxt+oOpvZmm4Kz86HYzkcaTCk0iaUdh3DXjTRWKGpQ1PRkz8ngvLFO+EDwPGg8zSs4bLvrGw6UeqRhrYLaS2CGx6HAcE1KJxAPltaIAzVQ7Qc= |
| Authentication-Results | spf=pass (sender IP is 216.40.44.12) smtp.mailfrom=kornel.us; dkim=none (message not signed) header.d=none;dmarc=bestguesspass action=none header.from=kornel.us; |
| Received-SPF | Pass (protection.outlook.com: domain of kornel.us designates 216.40.44.12 as permitted sender) receiver=protection.outlook.com; client-ip=216.40.44.12; helo=relay.hostedemail.com; pr=C |
| In-Reply-To | <202502130017.51D0Hgug009261@hedwig.cmf.nrl.navy.mil> |
| X-Sender | karl@kornel.us |
| X-Rspamd-Server | rspamout06 |
| X-Rspamd-Queue-Id | 6A5E833 |
| X-Stat-Signature | f6sfudc3h49dn8zq8bn6ynec4y1nmnj9 |
| X-Spam-Status | No, score=-2.25 |
| X-Session-Marker | 6B61726C406B6F726E656C2E7573 |
| X-Session-ID | U2FsdGVkX1/JxnLU3t6DFWNieP9msMs+zxFTdYhLnlc= |
| X-HE-Tag | 1739834289-869437 |
| X-HE-Meta | U2FsdGVkX18FlZ66cORq0fSvDb/buvOTBgq12LPVGI2qxT648/iHLganKe9udin91cm/tqSMnlDCspAWHqE2I2Om3MvKMRmSwUoZn+PiVAJMAELe5zZ1J2gWgjL+tldZU+qhtCGp9bz2w8msir2IQ0+8Aw/ro/TZ5moIIpXit1c1Gd48a/UR5QFbhJVo/HHvExA8E5n0Vb8KUvHDImhSGkVP1EeITy/5k6zisDUOsk/AfzgnbPAHW+XvObV3UH9y1ruStYiqwX4RmKpZXuYKVnTvkTF4ZneEq/ldRg4bxvzCqlr5kcB0dTrrH4w/LgvWpBr5MiYcTHLf/F1CKjrQ9ODCuWmOLsWACmACeZ4mQU3kqDIPG3mMXFWEBI6JDk1svM2zP8a4MGDK64BrQU+LRgkkUuhNN8s0 |
| X-EOPAttributedMessage | 0 |
| X-EOPTenantAttributedMessage | 64afd9ba-0ecf-4acf-bc36-935f6235ba8b:0 |
| X-MS-PublicTrafficType | |
| X-MS-TrafficTypeDiagnostic | SJ5PEPF000001F4:EE_|SA1PR01MB6543:EE_ |
| X-MS-Office365-Filtering-Correlation-Id | 69172476-e3ae-4c7a-bf0b-08dd4fa958e5 |
| X-LD-Processed | 64afd9ba-0ecf-4acf-bc36-935f6235ba8b,ExtAddr |
| X-MS-Exchange-AtpMessageProperties | SA |
| X-MS-Exchange-SenderADCheck | 0 |
| X-MS-Exchange-AntiSpam-Relay | 0 |
| X-Microsoft-Antispam | BCL:0; ARA:13230040|48200799018|61400799027|376014|9140799003|13003099007|80162021|110056007; |
| X-Microsoft-Antispam-Message-Info | dD7R5cT7mdPhRVCFyEEZ9Q4mGuwAFS9BuNe5cu6ELx0810gAOxaA+nWSnogRoC8tCfz+4fJnEKC6OQy67RMFunRl45uaYaNMqCq3BqdUK5I6zzEw9yd6ZQOUu70GYorUHXOoeuPE8/2Vxcc38reRgXwqnUaWa8tdSPMB6eK3+Os1yUhsh+80jtLkegoT1zRyDmb3PglSbOvMQrgAgqPxs2sdC9V1+cKU3YLmnM3/vhsk3MPdJEK2cmZf3/m7JRlHhZUnYwxJ761KPLHTe5pjBIv5Zly+zBENoqn095xYAkkjyVWSdyvyGr9+pdrR3X6gB3vQ3y/cbfjqef/yel0PPN3TgnPGPgv4XOryf1tmwonwvMv6WyTyYYfQ5Ydl7T2eKZjVlX9qsWKOEqH/Hn8+UIikZk2JON+sHV1iwRQ/ZSB92Icfxc2Fb0B2Ku81H8aYIKvJnS2a3cXfY2RSNweTCPAmOdpa4lag3GxLDgbkN5JDnSlrneTwEmHVzQLEi8viMLH7tWOHttR3HIoup7Ys5AqtI4JUpn8fCdCKfCGlugickyB3DObNsRcyQ506sq/CbIndWRo3dfGM7pUx+4qDp6eau80uJEmTFUZmu3Pgep5p6UP/DNVzsqlZkYfNRkmZK0/iRvUOBEoXASE9NHsQpQbvfjftfzlbJ9v+QPJKvaVj3u9c4bXFhCk4UI7F5X4tH717m/nj85xl2dCqCZFGp4BrXPSeCYBVrK/5TVDGvJqa6+ENQw+vdDPuu96hnWcrMBlwkjvCT7qusNBl3qhEY/nSC1miP1YlcFirrt62e1ew1iu52dvhTqOkusFHkioHeENVGrH1QcEkzJTONoly9ZpQiFc2GnhRd6UnP+fzsCz0I/NK6AJbWTSlASeWxASrNPTrCaJS1M2YQkgdNtCTvK8GIrBAZ5wdZTufYiK6SrpgOw2eSoE3bAVi950khTBLsXRge4FKP//Jvou2WNpAorEA5QB+SHg3v7ls7W/OAvu1kJANTAtxzdjtdQJ0WBaPGjxaAgklwRdJGF9vfbmH+FmT/TWb9xq3NQ6O0SQStDMG7r2ReAK8CgzbGjMxal+/gyg15pHvGibIHQ6uOin4IpR3TnU3D31wj2b5ukKXSTnYPNGjKExpw1TgI5PjegQQH/HQHqmZpFNMpuv+n0qDgS6/tMdOojeOvcbbVX80hRq5NWxDkp4PBSBozwiqug6/HAWo2ubnDSZw98ZL6lOAXqQ8VgJ+P21HHh1p0mDHrS5pngu1vOhEcelyqeJdrHkXRIPhrW+SbeQH2yXDuxK8i17q0EzG6eZsfuM1Q9XBxDfKBLcEft6OQzl5OVkc5I64O/gJblCT6YNX3A81I5DxqMZxJ6Z9pdCDG0VILNZEZrs9u+0AaXK5NNTpP2QPxEWlqjR4zy6kWylsbaRlimc9N6WEi9bcVP3hUw+WYQ/fohsxjGjTve+0mqwKe2KgDwLgqVI33Z92EBYxPIFhPQAhqardujuAANvOSlk/umUw8Co= |
| X-Forefront-Antispam-Report | CIP:216.40.44.12; CTRY:CA; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:relay.hostedemail.com; PTR:smtprelay0012.hostedemail.com; CAT:NONE; SFS:(13230040)(48200799018)(61400799027)(376014)(9140799003)(13003099007)(80162021)(110056007); DIR:OUT; SFP:1102; |
| X-ExternalRecipientOutboundConnectors | 64afd9ba-0ecf-4acf-bc36-935f6235ba8b |
| X-Auto-Response-Suppress | DR, OOF, AutoReply |
| X-OriginatorOrg | mitprod.onmicrosoft.com |
| X-MS-Exchange-CrossTenant-OriginalArrivalTime | 17 Feb 2025 23:18:11.4434 (UTC) |
| X-MS-Exchange-CrossTenant-Network-Message-Id | 69172476-e3ae-4c7a-bf0b-08dd4fa958e5 |
| X-MS-Exchange-CrossTenant-Id | 64afd9ba-0ecf-4acf-bc36-935f6235ba8b |
| X-MS-Exchange-CrossTenant-AuthSource | SJ5PEPF000001F4.namprd05.prod.outlook.com |
| X-MS-Exchange-CrossTenant-AuthAs | Anonymous |
| X-MS-Exchange-CrossTenant-FromEntityHeader | Internet |
| X-MS-Exchange-Transport-CrossTenantHeadersStamped | SA1PR01MB6543 |
| X-BeenThere | kerberos@mit.edu |
| X-Mailman-Version | 2.1.34 |
| Precedence | list |
| List-Id | The Kerberos Authentication System Mailing List <kerberos.mit.edu> |
| List-Unsubscribe | <https://mailman.mit.edu/mailman/options/kerberos>, <mailto:kerberos-request@mit.edu?subject=unsubscribe> |
| List-Archive | <http://mailman.mit.edu/pipermail/kerberos/> |
| List-Post | <mailto:kerberos@mit.edu> |
| List-Help | <mailto:kerberos-request@mit.edu?subject=help> |
| List-Subscribe | <https://mailman.mit.edu/mailman/listinfo/kerberos>, <mailto:kerberos-request@mit.edu?subject=subscribe> |
| X-Mailman-Original-Message-ID | <5088ed0bca390db875d6322977d681c6@kornel.us> |
| X-Mailman-Original-References | <454ad95255b0e02a0ad42e2f2687740e@kornel.us> <202502130017.51D0Hgug009261@hedwig.cmf.nrl.navy.mil> |
| Xref | csiph.com comp.protocols.kerberos:5379 |
Show key headers only | View raw
On 2025-02-12 04:17 PM, Ken Hornstein wrote: > <<<snip>>> > > The way that the MacOS X credential cache support works is that it > explicitly links in the MacOS X Kerberos framework when building MIT > Kerberos via the '-framework Kerberos' command-line option and then > makes calls to the ccapi functions to do the appropriate things. From > my memory, Heimdal took a slightly different approach and decided to > dlopen that framework library instead and then do the ccapi calls. > > My gut feeling is that this is a MacPorts problem, but I am open to > being proven wrong. That's entirely possible, and I should've tried to reproduce this on a stock krb5 build first. So, I just did that. I also switched to a macOS 15.3 system, which I'll be using from now on. To confirm, the steps I followed to build krb5: * Cloned from https://github.com/krb5/krb5.git * Checked out tag 'krb5-1.21.3-final' * `mkdir ~/bin/krb5` * `cd src && autoreconf` * `./configure --prefix "$HOME/bin/krb5" --enable-dns-for-realm --disable-pkinit && make && make install` With the build complete, I did the following tests: * `~/bin/krb5/bin/kdestroy -A` * `~/bin/krb5/bin/kinit -F akkornel@stanford.edu` -- works * `~/bin/krb5/bin/kinit -F akkornel/root@stanford.edu` -- fails * `~/bin/krb5/bin/klist -l` -- lists one ccache, for akkornel at stanford.edu So, still failing, unfortunately. > I think, however, you're going to have to debug > this yourself further; this looks like it is failing inside of > api_macos_gen_new(), and is probably failing in either cc_initialize(), > cc_context_create_new_ccache(), or cc_ccache_get_name(). I've never use LLDB before, but I decided to give it a try. On my first try, I got a warning about `kinit` being optimized. So, I erased "~/bin/krb5", set environment variable CFLAGS="-O0 -g", and re-ran the `./configure … && make && make install`. With the newly-installed non-optimized krb5, I reran my tests and got the same results: * `~/bin/krb5/bin/kdestroy -A` * `~/bin/krb5/bin/kinit -F akkornel@stanford.edu` -- works * `~/bin/krb5/bin/kinit -F akkornel/root@stanford.edu` -- fails * `~/bin/krb5/bin/klist -l` -- lists one ccache, for akkornel at stanford.edu So, debug time! I used… lldb -- ~/bin/krb5/bin/kinit -F akkornel/root@stanford.edu … to start LLDB. Then … breakpoint set --name api_macos_gen_new … to set the breakpoint. I ran until it hit the breakpoint, then started stepping through. * cc_initialize returned returned 0, so not that. * cc_context_create_new_ccache returned 2529639136. There we go. It took me some work, but I eventually realized that cc_context_create_new_ccache wasn't an actual function, and was resolving to the Kerberos Framework's context_create_new_ccache. I'm not sure how to debug macOS Frameworks. I tried single-stepping through assembly, and I noticed execution was making it through the Kerberos Framework and into the Heimdal Framework. And then back into MIT Kerberos code‽ I think the first parameter is a struct with a ton of pointers, and that's being passed around. I'll continue exploring. I'm also considering setting up a macOS VM—via UTM—to see if this also happens on a completely-clean system. ~ Karl
Back to comp.protocols.kerberos | Previous | Next | Find similar
Re: macOS API ccache, kinit for multiple principals gives internal credentials cache error "A. Karl Kornel" <karl@kornel.us> - 2025-02-17 15:18 -0800
csiph-web