[Bug 571572] [NEW] krb5 prefers the reverse pointer no matter what for locating service tickets.
Public bug reported:

I'm trying to upgrade workstations to Lucid and it fails to access our Kerberos-enabled websites. It reveals that the krb5 implementation in Lucid now tries to resolve the "reverse DNS" and acquire a ticket for / instead of /. The latter behavior is what the MS environment does and is what Ubuntu has done (I think) until Lucid. A diff of the source code from Hardy reveals that we now hint the getaddrinfo with AI_CANONNAME, which it didn't before. Applying the patch below enables the old behaviour.

--- krb5-1.8.1+dfsg/src/lib/krb5/os/sn2princ.c.orig 2010-04-29 09:04:11.401567914 +0200 +++ krb5-1.8.1+dfsg/src/lib/krb5/os/sn2princ.c 2010-04-29 09:04:21.762191834 +0200 @@ -112,7 +112,7 @@ memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_INET; -hints.ai_flags = AI_CANONNAME; +//hints.ai_flags = AI_CANONNAME; try_getaddrinfo_again: err = getaddrinfo(hostname, 0, &hints, &ai); if (err) {

** Affects: krb5 (Ubuntu) Importance: Undecided Status: New

-- krb5 prefers the reverse pointer no matter what for locating service tickets. https://bugs.launchpad.net/bugs/571572 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
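Review bot: Commenting out the changed `hints.ai_flags = AI_CANONNAME;` line with `//` turns the flag off for every caller with no way to get it back, and leaves dead code in a C file. Because `memset(&hints, 0, sizeof(hints));` already zeroes `ai_flags`, either delete the line outright or, better, set the flag only when a configuration setting asks for it, so sites that depend on the current behaviour keep it. The report speaks of the reverse pointer, but the visible lines only change the hints passed to `getaddrinfo`; the patch description should say which lookup this hunk is meant to affect.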
[Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.
Since the problem is in the client-side Kerberos libraries, it affects all Kerberos-enabled stuff.
[Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.
Tried.. had that before.. but doesn't work any more. (and isn't documented in man krb5.conf either).
[Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.
Hi Sam.

I agree.. the current behavior seems to be exactly what is in the code and in the documentation. Nevertheless, it is a change from earlier versions of Ubuntu and a change that makes Ubuntu + Firefox work in a different way than MS Windows + MSIE (negotiating different tickets), thus breaking Single Sign-On in typical Kerberos-enabled environments.. ours is a corporate one with Active Directory as Kerberos and both MS IIS and Ubuntu Apache + mod_auth_kerb on the server side. Used to work.. Lucid breaks it..

As far as I can tell, the change snuck in between MIT Kerberos 1.6 and 1.8.

Jesper
[Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.
Hi Russ.

I cannot say anything about what others are experiencing.. but in our setup we haven't put the final hostname in the keytab (and neither did the guys that only cared about MSIE+IIS). And all Ubuntu releases (from around Dapper) and up until Lucid have worked for us. So seen from an Ubuntu perspective, this is a regression.. whether or not it is desired to fix it I don't know. But I guess until Windows changes behaviour (thus all the configuration of the Windows servers), I'll have to maintain this patch locally for our installation. And it is a fair assumption to say that our setup is fairly "standard".

Would a patch that makes the behaviour configurable be acceptable?

Jesper
[Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.
I agree that it is a partial workaround.. it fixes the Ubuntu/Firefox + Apache combination. But without changing the same thing for all the IIS servers it would still render my Ubuntu/Firefox + IIS SSO broken. Since I only administrate the Linux stuff, and the "other side" generally are very reluctant to make changes to "only fit Linux", patching it locally is much more doable in my environment.

Anyway, now the bug is at least here to document it for other people hitting the same wall.

Jesper
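The thread above turns on which host name the client ends up using after resolution. As an added diagnostic example (not code from krb5 or from the reporter), the following C program shows the name as typed, the name `getaddrinfo` returns with `AI_CANONNAME`, and the PTR name of the first address, so they can be compared with the entries in the server's keytab. `candidate_host` and `name_mode` are hypothetical names introduced here.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L  /* expose getaddrinfo/getnameinfo */
#endif
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

enum name_mode { NAME_AS_TYPED, NAME_CANONICAL, NAME_REVERSE };

/* Hypothetical helper (not from krb5): writes the host name that `mode`
 * yields for `hostname` into out; returns 0 or a resolver error code. */
int candidate_host(const char *hostname, enum name_mode mode,
                   char *out, size_t outlen)
{
    struct addrinfo hints, *ai = NULL;
    int err;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_INET;           /* as in the hunk */
    if (mode == NAME_CANONICAL)
        hints.ai_flags = AI_CANONNAME;   /* the flag the patch disables */
    err = getaddrinfo(hostname, NULL, &hints, &ai);
    if (err)
        return err;
    if (mode == NAME_REVERSE) {
        /* PTR lookup of the first address; an error if no name exists. */
        err = getnameinfo(ai->ai_addr, ai->ai_addrlen, out, outlen,
                          NULL, 0, NI_NAMEREQD);
    } else {
        const char *name = hostname;
        if (mode == NAME_CANONICAL && ai->ai_canonname)
            name = ai->ai_canonname;
        snprintf(out, outlen, "%s", name);
    }
    freeaddrinfo(ai);
    return err;
}

int main(int argc, char **argv)
{
    static const char *label[] = { "as typed", "AI_CANONNAME", "reverse (PTR)" };
    const char *host = argc > 1 ? argv[1] : "localhost";
    char buf[256];
    for (int m = NAME_AS_TYPED; m <= NAME_REVERSE; m++)
        printf("%-14s %s\n", label[m],
               candidate_host(host, (enum name_mode)m, buf, sizeof(buf)) == 0
                   ? buf : "(lookup failed)");
    return 0;
}
```

Run it with the host name a browser would use for the site; any row that differs from the first names a host the keytab would also need to cover if the client uses that form.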
[Bug 28380] Re: Autofs fails to update /net with new shares from server
It is really disappointing .. but there has been posted an awful lot of "automated" crap in this bug, by people who either:
* Didn't read the initial bug or
* Did try out the steps to reproduce

Even though it can be done on any installation, just going ahead using the five points above. The problem is (AFAIK) reproducible on any version of Ubuntu going from Dapper and up until today, since you still ship autofs4 and not autofs5 as default. Autofs5 has been released for two years by now.

Sensible answers to this bug would have been stuff like:
* We don't care about autofs, even though we ship it in main
* We cannot reproduce the bug using above steps. (No-one has even claimed that they have tried so far).
.. and a lot of other constructive feedback.

.. I just tried on Karmic and the problem is still there, although it might have been slightly better, since the problem is only occurring if someone actively uses the mountpoint.

.. once again (Karmic test).

$ sudo apt-get install nfs-kernel-server autofs
$ edit /etc/auto.master and enable /net
$ sudo /etc/init.d/autofs restart
$ mkdir /tmp/test1 /tmp/test2
$ edit /etc/exports and insert "/tmp/test1 *(ro,no_subtree_check)"
$ sudo exportfs -a
$ showmount -e localhost
Export list for localhost:
/tmp/test1 *
$ cd /net/localhost/tmp; ls
test1
$ edit /etc/exports and insert "/tmp/test2 *(ro,no_subtree_check)"
$ sudo exportfs -a
$ sudo /etc/init.d/autofs reload
Reloading automounter: checking for changes ...
Reloading automounter map for: /net
$ ls
test1
$ # Here we should have seen test2 ..
$ ls /net/localhost/tmp/
test1
$ # Here it should have been again.

The fix is to ship autofs5 .. not 4.. 4 years, 10 semi-auto generated messages from people systems.. and the fix is even posted in the comments and still no actions.

Jesper

https://bugs.launchpad.net/bugs/28380
[Bug 28380] Re: Autofs fails to update /net with new shares from server
Hi Dave

Thank you for finally attending to the bug. Well, since the problem now persists in all "official releases" of Ubuntu as of now, although fixed in the current development branch, don't you think it is a bit premature to close the bug? Even as "invalid", since fixed is what you actually are doing. As far as I know autofs is a part of "main" in all distributions done.

Jesper

** Changed in: autofs (Ubuntu) Status: Incomplete => Confirmed
[Bug 214476] Re: open-iscsi fails to install
But ubuntu4 hasn't been uploaded to hardy.. so the bug is still present in hardy (just hit it)

Jesper

https://bugs.launchpad.net/bugs/214476
[Bug 227848] [NEW] boot order wrong for iscsi
Public bug reported:

Binary package hint: open-iscsi

The boot order is still wrong in some cases for iscsi. iscsi probably waits for networking to start (due to upstart and dependencies) but it does not wait long enough, so "link" are available before.

Trace from bootup:

[EMAIL PROTECTED]:~# dmesg | perl -ane 'print if $_ =~ /(eth|bond|iscsi)/i; '
[ 145.733504] e1000: eth0: e1000_probe: Intel(R) PRO/1000 Network Connection
[ 146.052622] e1000: eth1: e1000_probe: Intel(R) PRO/1000 Network Connection
[ 146.372001] e1000: eth2: e1000_probe: Intel(R) PRO/1000 Network Connection
[ 146.701361] e1000: eth3: e1000_probe: Intel(R) PRO/1000 Network Connection
[ 154.506735] Driver 'sd' needs updating - please use bus_type methods
[ 154.506382] Driver 'sr' needs updating - please use bus_type methods
[ 163.088171] eth4: NIU Ethernet 00:14:4f:bb:23:a8
[ 163.088176] eth4: Port type[XMAC] mode[10G:FIBER] XCVR[XPCS] phy[xgf]
[ 164.305607] eth5: NIU Ethernet 00:14:4f:bb:23:a9
[ 164.305611] eth5: Port type[XMAC] mode[10G:FIBER] XCVR[XPCS] phy[xgf]
[ 165.450618] Loading iSCSI transport class v2.0-724.
[ 165.461844] iscsi: registered transport (tcp)
[ 165.505437] iscsi: registered transport (iser)
[ 169.129554] Ethernet Channel Bonding Driver: v3.2.3 (December 6, 2007)
[ 169.129563] bonding: MII link monitoring set to 100 ms
[ 169.297933] e1000: eth0: e1000_watchdog: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
[ 169.321894] bonding: bond0: enslaving eth0 as a backup interface with an up link.
[ 169.447624] e1000: eth1: e1000_watchdog: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
[ 169.461239] bonding: bond0: enslaving eth1 as a backup interface with an up link.
[ 169.597327] e1000: eth2: e1000_watchdog: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
[ 169.610971] bonding: bond0: enslaving eth2 as a backup interface with an up link.
[ 169.747033] e1000: eth3: e1000_watchdog: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
[ 169.760631] bonding: bond0: enslaving eth3 as a backup interface with an up link.
[ 170.102554] ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 177.340214] ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 188.001939] bond0: no IPv6 routers present

So the iscsi is tried to start at 165 and first at 177 the link is ready.

** Affects: open-iscsi (Ubuntu) Importance: Undecided Status: New

https://bugs.launchpad.net/bugs/227848
[Bug 291070] [NEW] snmp crash at bootup
Public bug reported:

Ubuntu Hardy amd64 with all patches. Sometimes when snmpd starts it dies with:

[ 374.996791] snmpd[8897] trap divide error rip:7ffd4be9dc2c rsp:7fff54832550 error:0

Other times it is:

[5631127.259786] snmpd[27035]: segfault at 7f5160145000 ip 7f51600ded00 sp 7fff68d3d2d8 error 4 in libnetsnmp.so.15.1.0[7f51600b4000+91000]
[5631275.353511] snmpd[28154]: segfault at 7f194383e000 ip 7f19437d7d00 sp 7fff4c435a88 error 4 in libnetsnmp.so.15.1.0[7f19437ad000+91000]
[5631416.563465] snmpd[28931]: segfault at 7f5495451000 ip 7f54953ead00 sp 7fff9e048698 error 4 in libnetsnmp.so.15.1.0[7f54953c+91000]
[5631501.448326] snmpd[29144]: segfault at 7f2b6fa6b000 ip 7f2b6fa04d00 sp 7fff78662728 error 4 in libnetsnmp.so.15.1.0[7f2b6f9da000+91000]
[5631587.790769] snmpd[29770]: segfault at 7f19565b5000 ip 7f195654ed00 sp 7fff5f1ae818 error 4 in libnetsnmp.so.15.1.0[7f1956524000+91000]
[5634535.721029] snmpd[5779]: segfault at 7fde3d4c ip 7fde3d459d00 sp 7fff460b7728 error 4 in libnetsnmp.so.15.1.0[7fde3d42f000+91000]
[5646356.761825] snmpd[2423]: segfault at 7fdd5769a000 ip 7fdd57633d00 sp 7fff602918f8 error 4 in libnetsnmp.so.15.1.0[7fdd57609000+91000]
[5646839.929888] snmpd[3663]: segfault at 7f39ca774000 ip 7f39ca70dd00 sp 7fffd336d718 error 4 in libnetsnmp.so.15.1.0[7f39ca6e3000+91000]
[5650509.728074] snmpd[14482]: segfault at 816000 ip 7f550e2acd00 sp 7fff16f0b578 error 4 in libnetsnmp.so.15.1.0[7f550e282000+91000]
[5701859.034895] snmpd[18370]: segfault at 814000 ip 7f84ace5cd00 sp 7fffb5abd128 error 4 in libnetsnmp.so.15.1.0[7f84ace32000+91000]
[5736108.873400] snmpd[13268]: segfault at 812000 ip 7f25d8918d00 sp 7fffe1577588 error 4 in libnetsnmp.so.15.1.0[7f25d88ee000+91000]

Running it a second time may bring it up.

** Affects: net-snmp (Ubuntu) Importance: Undecided Status: New

https://bugs.launchpad.net/bugs/291070