[cups.general] Strange kerberos problem [solved]

Michael Sweet mike at easysw.com
Tue Jan 29 11:25:18 PST 2008


John Hodrien wrote:
> On Tue, 29 Jan 2008, John Hodrien wrote:
> 
>> Active Directory that I don't have direct access to.  In ways I've not yet
>> investigated I get a "large" ticket that the KDC sends over TCP rather than
>> UDP.  The ticket works just fine with smbclient or ldapsearch.  The largeness
>> I understand to be to do with being a member of many groups or similar.  I
>> need to read up more on that.  I'm going to try to find another complicated
>> user to see if cups also has problems with them.
>>
>> I'd never previously adequately considered what was stored within the
>> response to a kinit.
> 
> Hurrah, thank god for me being right this time!
> 
> cups/auth.c:
> 
> int                                     /* O - 0 on success, -1 on error */
> cupsDoAuthentication(http_t     *http,  /* I - HTTP connection to server */
>                      const char *method,/* I - Request method (GET, POST, PUT) */
>                      const char *resource)
>                                         /* I - Resource path */
> {
>   const char    *password;              /* Password string */
>   char          prompt[1024],           /* Prompt for user */
>                 realm[HTTP_MAX_VALUE],  /* realm="xyz" string */
>                 nonce[HTTP_MAX_VALUE],  /* nonce="xyz" string */
>                 encode[4096];          /* Encoded username:password */
> 
> There's the hardcoded limit, that means the encoded string can't exceed 4096
> or else it all goes to pot.  Upped this to 8192 and my problems have gone
> away.  Perhaps a dynamic length based on output_token.length would be a better
> idea?
> 
> I suspect there's a few of these lying around, but I've not spent the time to
> find them.  That's something for tomorrow.
> 
> I'm only a member of around 25 groups, so it can clearly bite quite easily.

Can you file a bug on this:

     http://www.cups.org/str.php

Microsoft seems to love creating huge credentials - any non-Windows
KDC is able to keep the credentials under 2k, even with large
numbers of groups...

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products           mike at easysw dot com
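
An added example, not part of the original thread and not CUPS code: it shows why a fixed `encode[4096]` is too small once a token reaches about 3 KB (base64 grows the data by 4/3) and how to size the buffer from the token length instead, as suggested above. The names `b64_size`, `b64_encode` and `encode_token` are hypothetical, and the encoder is a stand-in for whatever routine the real code uses.

```c
#include <stdlib.h>
#include <string.h>

/* Bytes needed for the base64 text of an n-byte token, including the NUL. */
size_t b64_size(size_t n)
{
  return 4 * ((n + 2) / 3) + 1;
}

/* Bounded base64 encoder: returns 0 on success, -1 if out is too small. */
int b64_encode(char *out, size_t outsize, const unsigned char *in, size_t n)
{
  static const char tbl[] =
      "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  size_t i;

  if (outsize < b64_size(n))
    return -1;                          /* refuse rather than truncate or overrun */

  for (i = 0; i < n; i += 3)
  {
    unsigned v = (unsigned)in[i] << 16;
    if (i + 1 < n) v |= (unsigned)in[i + 1] << 8;
    if (i + 2 < n) v |= in[i + 2];
    *out++ = tbl[(v >> 18) & 63];
    *out++ = tbl[(v >> 12) & 63];
    *out++ = i + 1 < n ? tbl[(v >> 6) & 63] : '=';
    *out++ = i + 2 < n ? tbl[v & 63] : '=';
  }
  *out = '\0';
  return 0;
}

/* Encode a token into a heap buffer sized from its length; caller frees. */
char *encode_token(const unsigned char *token, size_t length)
{
  size_t need = b64_size(length);       /* grows with the token, no fixed cap */
  char *buf = malloc(need);

  if (buf && b64_encode(buf, need, token, length) < 0)
  {
    free(buf);
    buf = NULL;
  }
  return buf;
}
```

A 3072-byte token needs 4097 bytes once encoded, so it is the smallest multiple-of-three size that no longer fits a 4096-byte array.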