Package: krb5-user
Version: 1.6.dfsg.1-6
Severity: grave
Justification: renders package unusable
Today I upgraded krb5-* to 1.6.dfsg.1-6. Now, ksu fails to work reporting:
"Wrong principal in request while verifying ticket for server"
This is obscure - I have never seen it before and googling fails to come
up with anything. This box also runs the KDC and Kadmind servers.
Related observations:
=========
I have not changed any previously working configuration related to kerberos.
kadmin works OK on same box, implying that client config and host keytab is
probably OK.
I did re-ktadd the host keytab and it makes no difference.
An Ubuntu 7.04 Feisty client workstation is happy - it has the same kerberos client
config and its ksu (from krb5-user 1.4.4-5ubuntu3.1) works fine, so I do
not believe the KDC principals database is screwed.
"Normal" kerberos logins (console, ssh, apache all via PAM) work fine.
Being root, then doing a ksu root -n ts/root works
Yes, ksu is suid root
Entering a duff password causes ksu to fail in the expected way.
kinit -f ts/root works, then ksu continues to fail in the way stated.
I have cleared all cache files, kdestroy-ed and tried again - no change.
======
Here are the relevant lines from my logfile:
======
2007/07/21 16:12:41 info auth 127.0.0.1 mothra krb5kdc[7428]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 81.2.78.41: ISSUE: authtime 1185030761, etypes {rep=16 tkt=16 ses=16}, ts/[EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
2007/07/21 16:12:41 info auth 127.0.0.1 mothra krb5kdc[7428]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 81.2.78.41: ISSUE: authtime 1185030761, etypes {rep=16 tkt=16 ses=16}, ts/[EMAIL PROTECTED] for host/[EMAIL PROTECTED]
2007/07/21 16:12:41 warning auth 127.0.0.1 mothra ksu[9292]: 'ksu root' authentication failed for ts on /dev/pts/4
======
So I suspect one of three possibilities:
1) Kerberos 1.6 upstream broke something
2) Debian patched and broke something
3) I have a subtle config or principal database problem that has just been
exposed by upgrading to 1.6
I don't really believe 1 or 2 are very likely, but I have been running kerberos
commercially for a few years, and whilst I am no kerberos uber-meister, I cannot
find anything yet to justify 3 either.
If you have any ideas I am happy to test them.
Cheers
Tim
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-k7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages krb5-user depends on:
ii krb5-config 1.10 Configuration files for Kerberos V
ii libc6 2.6-2 GNU C Library: Shared libraries
ii libcomerr2 1.39-1 common error description library
ii libkadm55 1.6.dfsg.1-6 MIT Kerberos administration runtim
ii libkeyutils1 1.2-3 Linux Key Management Utilities (li
ii libkrb53 1.6.dfsg.1-6 MIT Kerberos runtime libraries
ii libss2 1.39-1 command-line interface parsing lib
krb5-user recommends no packages.
-- no debconf information