[cups.general] Strange kerberos problem [solved]
Michael Sweet
mike at easysw.com
Tue Jan 29 11:25:18 PST 2008
John Hodrien wrote:
> On Tue, 29 Jan 2008, John Hodrien wrote:
>
>> Active Directory that I don't have direct access to. In ways I've not
>> yet
>> investigated I get a "large" ticket that the KDC sends over TCP rather
>> than
>> UDP. The ticket works just fine with smbclient or ldapsearch. The
>> largeness
>> I understand to be to do with being a member of many groups or
>> similar. I
>> need to read up more on that. I'm going to try to find another
>> complicated
>> user to see if cups also has problems with them.
>>
>> I'd never previously adequately considered what was stored within the
>> response to a kinit.
>
> Hurrah, thank got for me being right this time!
>
> cups/auth.c:
>
> int /* O - 0 on success, -1 on error */
> cupsDoAuthentication(http_t *http, /* I - HTTP connection to server */
> const char *method,/* I - Request method (GET,
> POST, PUT) */
> const char *resource)
> /* I - Resource path */
> {
> const char *password; /* Password string */
> char prompt[1024], /* Prompt for user */
> realm[HTTP_MAX_VALUE], /* realm="xyz" string */
> nonce[HTTP_MAX_VALUE], /* nonce="xyz" string */
> encode[4096]; /* Encoded username:password */
>
> There's the hardcoded limit, that means the encoded string can't exceed
> 4096
> or else it all goes to pot. Upped this to 8192 and my problems have gone
> away. Perhaps a dynamic length based on output_token.length would be a
> better
> idea?
>
> I suspect there's a few of these lying around, but I've not spent the
> time to
> find them. That's something for tomorrow.
>
> I'm only a member of around 25 groups, so it can clearly bite quite easily.
Can you file a bug on this:
http://www.cups.org/str.php
Microsoft seems to love creating huge credentials - any non-Windows
KDC is able to keep the credentials under 2k, even with large
numbers of groups...
--
______________________________________________________________________
Michael Sweet, Easy Software Products mike at easysw dot com
More information about the cups
mailing list