Bug#764669: kinit without username, behaviour changes betweek wheezy and jessie
Hi Sam, On Fr 10 Okt 2014 13:39:43 CEST, Sam Hartman wrote: I'm sort of horrified if krb5-auth-dialogue actually calls kinit rather than using APIs directly. But that's not really related to this bug. Actually, I have not looked at the code of krb5-auth-dialogue, but it changed its behaviour together with kinit. So I assumed, both issues are related. just kinit seems to work fine for me with 1.12.1+dfsg-9 so I'd like more detail on what goes wrong. mike@sid:~$ kinit kinit: Client '@MY-REALM' not found in Kerberos database while getting initial credentials mike@sid:~$ Previously, simply calling kinit (without username) would give a valid ticket. Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb pgpRpBOMZPaFD.pgp Description: Digitale PGP-Signatur
Bug#764669: kinit without username, behaviour changes betweek wheezy and jessie
Hi Russ, On Fr 10 Okt 2014 18:30:16 CEST, Russ Allbery wrote: Mike Gabriel mike.gabr...@das-netzwerkteam.de writes: the behaviour of kinit changed after an upgrade from Debian wheezy to Debian jessie (around 2014-10-10). Previously it was possible to simply say $ kinit on the command line and kinit then would assume my current user as username for obtaining a ticket for the default Kerberos realm. Since my upgrade, I have to always specify the Kerberos username when executing kinit: $ kinit mike Do you have an existing, expired ticket cache for some other principal? I believe kinit defaults to the default principal in your current ticket cache if you have one, with a higher priority than the fallback to local username in the local realm. Nope, for ages on that machine in question, I have used kinit for my login only. Greets, Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb pgpYafOV_GU8n.pgp Description: Digitale PGP-Signatur
Bug#764669: kinit without username, behaviour changes betweek wheezy and jessie
Mike Gabriel mike.gabr...@das-netzwerkteam.de writes: mike@sid:~$ kinit kinit: Client '@MY-REALM' not found in Kerberos database while getting initial credentials mike@sid:~$ Ah, hm, that's a different sort of problem. That indicates that it's mapping your username to the null principal for some reason. Have there been any changes to your krb5.conf file? I'm not sure what would create that behavior other than a bad aname_to_localname mapping. Maybe some sort of nsswitch problem that prevents it from figuring out your username? But if that's the case, I would expect more systematic problems on the system. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#764669: kinit without username, behaviour changes betweek wheezy and jessie
I'm sort of horrified if krb5-auth-dialogue actually calls kinit rather than using APIs directly. But that's not really related to this bug. just kinit seems to work fine for me with 1.12.1+dfsg-9 so I'd like more detail on what goes wrong. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#764669: kinit without username, behaviour changes betweek wheezy and jessie
Mike Gabriel mike.gabr...@das-netzwerkteam.de writes: the behaviour of kinit changed after an upgrade from Debian wheezy to Debian jessie (around 2014-10-10). Previously it was possible to simply say $ kinit on the command line and kinit then would assume my current user as username for obtaining a ticket for the default Kerberos realm. Since my upgrade, I have to always specify the Kerberos username when executing kinit: $ kinit mike Do you have an existing, expired ticket cache for some other principal? I believe kinit defaults to the default principal in your current ticket cache if you have one, with a higher priority than the fallback to local username in the local realm. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#764669: kinit without username, behaviour changes betweek wheezy and jessie
Package: krb5-user Version: 1.12.1+dfsg-10 Severity: normal Dear maintainer, the behaviour of kinit changed after an upgrade from Debian wheezy to Debian jessie (around 2014-10-10). Previously it was possible to simply say $ kinit on the command line and kinit then would assume my current user as username for obtaining a ticket for the default Kerberos realm. Since my upgrade, I have to always specify the Kerberos username when executing kinit: $ kinit mike This alone is only a bit inconvenient. However, this change of behaviour breaks the krb5-auth-dialog applet. Maybe you have an idea why this change occurred and maybe this bug needs to be reassigned to krb5-auth-dialog and maybe other tools that depend on kinit. Greets, Mike -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.14-1-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages krb5-user depends on: ii krb5-config2.3 ii libc6 2.19-11 ii libcomerr2 1.42.12-1 ii libgssapi-krb5-2 1.12.1+dfsg-10 ii libgssrpc4 1.12.1+dfsg-10 ii libk5crypto3 1.12.1+dfsg-10 ii libkadm5clnt-mit9 1.12.1+dfsg-10 ii libkadm5srv-mit9 1.12.1+dfsg-10 ii libkdb5-7 1.12.1+dfsg-10 ii libkeyutils1 1.5.9-5 ii libkrb5-3 1.12.1+dfsg-10 ii libkrb5support01.12.1+dfsg-10 ii libss2 1.42.12-1 krb5-user recommends no packages. krb5-user suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#764669: kinit without username, behaviour changes betweek wheezy and jessie
On Thu, 9 Oct 2014, Mike Gabriel wrote: the behaviour of kinit changed after an upgrade from Debian wheezy to Debian jessie (around 2014-10-10). Previously it was possible to simply say $ kinit on the command line and kinit then would assume my current user as username for obtaining a ticket for the default Kerberos realm. Since my upgrade, I have to always specify the Kerberos username when executing kinit: $ kinit mike This alone is only a bit inconvenient. However, this change of behaviour breaks the krb5-auth-dialog applet. Maybe you have an idea why this change occurred and maybe this bug needs to be reassigned to krb5-auth-dialog and maybe other tools that depend on kinit. So, what is the observed behavior of just 'kinit' in the failing case? I.e., how does it fail? The selection of what client principal to use has some number of fallbacks, if I remember correctly. -Ben Kaduk -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org