Your message dated Thu, 8 Apr 2010 15:13:54 +1000
with message-id <[email protected]>
has caused the report #574774,
regarding heimdal-kdc: KDC stops granting tickets
to be marked as having been forwarded to the upstream software
author(s) [email protected]
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
574774: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=574774
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Hello,
I received this bug report several weeks ago for the Heimdal GIT
version that accidentally made its way into Debian unstable.
Any ideas? It it worth upgrading to the latest git version?
Current version in Debian is:
commit 313a2243bbe913b36bb785b75e2b0483d31d8a35
Author: Love Hornquist Astrand <[email protected]>
Date: Tue Mar 16 09:09:27 2010 -0700
For more details see <http://bugs.debian.org/574774>
Thanks.
On 21 March 2010 08:49, Richard A Nelson <[email protected]> wrote:
> Package: heimdal-kdc
> Version: 1.4.0~git20100221.dfsg.2-2
> Severity: important
>
> I was about to mark this critical, when I found it only affects one of
> my realms - the other seems to work fine ?!?
>
> I have two realm, with similar setups:
> *) 32 and 64 bit KDC and clients
> *) Data stored in LDAP
> *) libssl0.9.8m-2
> *) The same krb5.conf (sans default realm)
> *) Needing weak auth (NFS and Windows XP):
> Keytypes: des-cbc-md5(pw-salt), des-cbc-md4(pw-salt),
> des-cbc-crc(pw-salt),
> aes256-cts-hmac-sha1-96(pw-salt),
> des3-cbc-sha1(pw-salt),
> arcfour-hmac-md5(pw-salt)
>
> On this realm, the 64 bit server answers all AS-REQ requests with:
> krb5_crypto_init failed: encryption key has bad length
> The 32bit server says:
> krb5_crypto_init failed: encryption type 168010328 not supported
>
> So, on the 32bit system I downgraded KDC to testing and wound with
> krb5_crypto_init failed: encryption key has bad length
>
> Downgrading KDC to stable and I'm back to bad enc type :(
> so it is more likely *one* of the libraries, but I no clue which :(
>
> The kdc logs look kosher (sans the error):
> 2010-03-20T21:09:48 AS-REQ authtime: 2010-03-20T21:09:48 starttime: unset
> endtime: 2010-09-16T21:09:48 renew till: 2010-04-19T21:09:48
> 2010-03-20T21:09:48 Client supported enctypes: aes256-cts-hmac-sha1-96,
> aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5,
> des-cbc-md5, des-cbc-md4, des-cbc-crc, using
> des3-cbc-md5/aes256-cts-hmac-sha1-96
> 2010-03-20T21:09:48 Requested flags: renewable, forwardable
> 2010-03-20T21:09:48 krb5_crypto_init failed: encryption key has bad length
> 2010-03-20T21:09:48 sending 162 bytes to IPv4:127.0.0.1
>
> 2010-03-20T21:41:10 AS-REQ authtime: 2010-03-20T21:41:10 starttime: unset
> endtime: 2010-04-03T21:41:10 renew till: 2010-04-19T21:41:10
> 2010-03-20T21:41:10 Client supported enctypes: aes256-cts-hmac-sha1-96,
> aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5,
> des-cbc-md5, des-cbc-md4, des-cbc-crc, using enctypes 140692640/18
> 2010-03-20T21:41:10 Requested flags: renewable, forwardable
> 2010-03-20T21:41:10 krb5_crypto_init failed: encryption type 140692640 not
> supported
> 2010-03-20T21:41:10 sending 172 bytes to IPv4:127.0.0.1
>
> Whereas the working realm has:
> 2010-03-20T21:15:25 AS-REQ authtime: 2010-03-20T21:15:25 starttime: unset
> endtime: 2010-04-03T21:15:25 renew till: 2010-06-27T21:15:25
> 2010-03-20T21:15:25 Client supported enctypes: aes256-cts-hmac-sha1-96,
> aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5,
> des-cbc-md5, des-cbc-md4, des-cbc-crc, using
> aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> 2010-03-20T21:15:25 Requested flags: renewable, proxiable
> 2010-03-20T21:15:25 sending 732 bytes to IPv4:127.0.0.1
>
> So, something is causing bad negotiation on some (but not all) realms :(
>
> -- System Information:
> Debian Release: squeeze/sid
> APT prefers testing-proposed-updates
> APT policy: (500, 'testing-proposed-updates'), (500, 'proposed-updates'),
> (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-trunk-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages heimdal-kdc depends on:
> ii debconf [debc 1.5.28 Debian configuration management
> sy
> ii heimdal-clien 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - clients
> ii krb5-config 2.2 Configuration files for Kerberos
> V
> ii libasn1-8-hei 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - ASN.1 library
> ii libc6 2.10.2-6 Embedded GNU C Library: Shared
> lib
> pi libdb4.8 4.8.26-1 Berkeley v4.8 Database Libraries
> [
> ii libedit2 2.11-20080614-1 BSD editline and history
> libraries
> ii libgssapi2-he 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - GSSAPI support
> ii libhdb9-heimd 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - kadmin server
> l
> ii libkadm5srv8- 1.4.0~git20100221.dfsg.2-2 Libraries for Heimdal Kerberos
> ii libkdc2-heimd 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - KDC support
> lib
> ii libkrb5-26-he 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - libraries
> ii libncurses5 5.7+20100313-1 shared libraries for terminal
> hand
> ii libroken18-he 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - roken support
> l
> ii libsl0-heimda 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - SL support
> libr
> ii libssl0.9.8 0.9.8m-2 SSL shared libraries
> ii xinetd [inet- 1:2.3.14-7 replacement for inetd with many
> en
>
> Versions of packages heimdal-kdc recommends:
> ii logrotate 3.7.8-4 Log rotation utility
>
> Versions of packages heimdal-kdc suggests:
> ii heimdal-docs 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - documentation
>
> -- debconf information excluded
>
>
>
--
Brian May <[email protected]>
--- End Message ---
