Package: libkrb53 Version: 1.6.dfsg.4~beta1-5lenny6 Severity: normal Windows Server 2008 R2 when run as a RODC expects the name-type of NT-SRV-INST rather than NT-UNKNOWN (1) which is set by default. This results in integrity check failures during the TGS-REQ to the RODC.
This has been discussed in detail here: http://comments.gmane.org/gmane.comp.encryption.kerberos.devel/9166 http://web.archiveorange.com/archive/v/IPyW4MzUjy9elnnElVwz With an upstream fix applied in 1.8.4 applied to resolve this issue as: http://src.mit.edu/fisheye/changelog/krb5/?cs=24438 It's not possible, without much breakage to run the 1.9 release of libkrb53 without breaking many dependencies, so it would be good to backport this fix into the stable and oldstable releases. The fix appears relatively straightforward, however the patch intended for 1.8.4 will not apply at all to 1.6. This issue only affects RODCs, directly authenticating against a writeable DC (which is usually not possible in environments that run RODCs) running Win2K8 R2 works fine. -- System Information: Debian Release: 5.0.8 APT prefers oldstable APT policy: (500, 'oldstable') Architecture: i386 (i686) Kernel: Linux 2.6.26-2-686-bigmem (SMP w/1 CPU core) Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1) Shell: /bin/sh linked to /bin/bash Versions of packages libkrb53 depends on: ii libc6 2.7-18lenny7 GNU C Library: Shared libraries ii libcomerr2 1.41.3-1 common error description library ii libkeyutils1 1.2-9 Linux Key Management Utilities (li libkrb53 recommends no packages. Versions of packages libkrb53 suggests: pn krb5-doc <none> (no description available) pn krb5-user <none> (no description available) -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org