[cups.general] Strange kerberos problem [solved]
John Hodrien
johnh at comp.leeds.ac.uk
Tue Jan 29 10:02:36 PST 2008
On Tue, 29 Jan 2008, John Hodrien wrote:
> Active Directory that I don't have direct access to. In ways I've not yet
> investigated I get a "large" ticket that the KDC sends over TCP rather than
> UDP. The ticket works just fine with smbclient or ldapsearch. The largeness
> I understand to be to do with being a member of many groups or similar. I
> need to read up more on that. I'm going to try to find another complicated
> user to see if cups also has problems with them.
>
> I'd never previously adequately considered what was stored within the
> response to a kinit.
Hurrah, thank god for me being right this time!
cups/auth.c:
int                                     /* O - 0 on success, -1 on error */
cupsDoAuthentication(http_t     *http,  /* I - HTTP connection to server */
                     const char *method,/* I - Request method (GET, POST, PUT) */
                     const char *resource)
                                        /* I - Resource path */
{
  const char    *password;              /* Password string */
  char          prompt[1024],           /* Prompt for user */
                realm[HTTP_MAX_VALUE],  /* realm="xyz" string */
                nonce[HTTP_MAX_VALUE],  /* nonce="xyz" string */
                encode[4096];           /* Encoded username:password */
There's the hardcoded limit, that means the encoded string can't exceed 4096
or else it all goes to pot. Upped this to 8192 and my problems have gone
away. Perhaps a dynamic length based on output_token.length would be a better
idea?
I suspect there's a few of these lying around, but I've not spent the time to
find them. That's something for tomorrow.
I'm only a member of around 25 groups, so it can clearly bite quite easily.
jh
--
"Some women respond to the whip, some to the kiss. Most of them like a
mixture of both, but none of them answer to the mind alone, to the
intellectual demand, unless they are man dressed as woman."
-- Ian Fleming
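
An added example, not part of the original message and not CUPS code: a sketch of the dynamic sizing suggested above, where the buffer for the encoded token is derived from the token length instead of a fixed 4096 or 8192. The names b64_len, fits_fixed and negotiate_value are hypothetical, the base64 encoder is a local one rather than the CUPS helper, and it assumes the buffer holds only the base64 text plus a terminating NUL.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Base64 characters produced for n input bytes (padding included, NUL excluded). */
size_t b64_len(size_t n) { return 4 * ((n + 2) / 3); }

/* 1 if an n-byte token, once encoded and NUL-terminated, fits a fixed buffer. */
int fits_fixed(size_t n, size_t bufsize)
{
  return n <= SIZE_MAX / 2 && b64_len(n) + 1 <= bufsize;
}

/* Build "Negotiate <base64(token)>" in a buffer sized from the token length.
 * Returns a malloc'd string the caller frees, or NULL on overflow/allocation failure. */
char *negotiate_value(const unsigned char *tok, size_t n)
{
  static const char prefix[] = "Negotiate ";
  size_t plen = sizeof(prefix) - 1, i;
  char *out, *p;
  if (n > SIZE_MAX / 2 || (out = malloc(plen + b64_len(n) + 1)) == NULL)
    return NULL;
  memcpy(out, prefix, plen);
  p = out + plen;
  for (i = 0; i + 2 < n; i += 3) {          /* full 3-byte groups */
    *p++ = B64[tok[i] >> 2];
    *p++ = B64[((tok[i] & 3) << 4) | (tok[i + 1] >> 4)];
    *p++ = B64[((tok[i + 1] & 15) << 2) | (tok[i + 2] >> 6)];
    *p++ = B64[tok[i + 2] & 63];
  }
  if (i < n) {                              /* 1 or 2 trailing bytes, '=' padded */
    unsigned b1 = (i + 1 < n) ? tok[i + 1] : 0;
    *p++ = B64[tok[i] >> 2];
    *p++ = B64[((tok[i] & 3) << 4) | (b1 >> 4)];
    *p++ = (i + 1 < n) ? B64[(b1 & 15) << 2] : '=';
    *p++ = '=';
  }
  *p = '\0';
  return out;
}

int main(void)
{
  static unsigned char tok[5000];           /* constructed stand-in for a large ticket */
  char *v = negotiate_value(tok, sizeof(tok));
  printf("fits 4096: %d, header value: %zu bytes\n", fits_fixed(sizeof(tok), 4096), v ? strlen(v) : 0);
  free(v);
  return 0;
}
```

Under that assumption a 4096-byte buffer tops out at a 3069-byte token and an 8192-byte one at 6141 bytes, so raising the constant only moves the failure point.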