severity 434105 important
thanks

Tim Southerwood <[EMAIL PROTECTED]> writes:

> Package: krb5-user
> Version: 1.6.dfsg.1-6
> Severity: grave
> Justification: renders package unusable

I'm going to downgrade this for the time being since ksu is working fine
for me and is only one command provided by krb5-user, and it sounds like
the rest of krb5-user is working fine.  However, please don't take that to
mean that I'm not interested in solving the problem!  I'm just taking the
bug off the RC bug list so that other folks doing Debian-wide QA don't
feel the need to worry about it as yet.

> Today I upgraded krb5-* to 1.6.dfsg.1-6. Now, ksu fails to work reporting:

> "Wrong principal in request while verifying ticket for server"

This error message means that the host keytab (/etc/krb5.keytab) doesn't
contain the key that ksu expects to use to verify your credentials.  My
(fairly wild) guess is that the problem is related to referral support,
just because I know that's one of the things that's changed in the current
version of Kerberos.  If so, it may indicate that you don't have a
domain_realm mapping set up for your local hostname.

> kadmin works OK on same box, implying that client config and host keytab
> is probably OK.

Client config, yes.  Host keytab, no.  kadmin doesn't use the host keytab.

> "Normal" kerberos logins (console, ssh, apache all via PAM) work fine.

Which means that krb5_verify_init_creds is probably working, although
depending on your PAM configuration, it may not be trying.

> 2007/07/21 16:12:41 info        auth    127.0.0.1       mothra  
> krb5kdc[7428]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 
> 81.2.78.41: ISSUE: authtime 1185030761, etypes {rep=16 tkt=16 ses=16}, 
> ts/[EMAIL PROTECTED] for 
> host/[EMAIL PROTECTED]

What are the results of the following commands:

    klist -k /etc/krb5.keytab
    kvno host/[EMAIL PROTECTED]

Also, is the local hostname mothra.dionic.net in both DNS and in
/etc/hosts, with no other hostnames present?  And do you have, in your
/etc/krb5.conf, a line like:

    .dionic.net = DIONIC.NET

in the [domain_realms] section?

-- 
Russ Allbery ([EMAIL PROTECTED])               <http://www.eyrie.org/~eagle/>
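
An added example (not part of the original message and not code from the krb5 project): a simplified model of the two checks asked for above. It resolves the realm for a hostname through the domain_realm mappings, then confirms that the matching host/ principal appears in `klist -k` output. The hostnames, realm and keytab listing are constructed sample values, and the lookup order and expected principal name are stated assumptions.

```python
import re

# Constructed sample inputs (not taken from the bug report).
SAMPLE_CONF = """[libdefaults]
    default_realm = EXAMPLE.NET
[domain_realm]
    .example.net = EXAMPLE.NET
"""
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------
   3 host/web1.example.net@EXAMPLE.NET
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] mappings of a krb5.conf as a dict."""
    mappings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            mappings[key.lower()] = value
    return mappings

def realm_for_host(host, mappings):
    """Try the exact name, then each parent domain with and without a leading dot."""
    name = host.lower()
    while name:
        if name in mappings:
            return mappings[name]
        # ".example.net" -> "example.net"; "example.net" -> ".net"; "net" -> ""
        name = name[1:] if name.startswith(".") else "".join(name.partition(".")[1:])
    return None

def keytab_principals(klist_output):
    """Principals listed by `klist -k`: lines of the form '<kvno> <principal>'."""
    return set(re.findall(r"^\s*\d+\s+(\S+@\S+)\s*$", klist_output, re.M))

def check_host_key(host, conf_text, klist_output):
    """Assumption: the verifying key is host/<hostname>@<mapped realm>."""
    realm = realm_for_host(host, parse_domain_realm(conf_text))
    if realm is None:
        return f"no domain_realm mapping for {host}"
    expected = f"host/{host.lower()}@{realm}"
    found = expected in keytab_principals(klist_output)
    return f"ok: {expected}" if found else f"keytab lacks {expected}"
```

A "keytab lacks" or "no domain_realm mapping" result corresponds to the situation the message describes, where the keytab does not hold the key the verifier looks for.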

