[Touch-packages] [Bug 1988144] Re: klist not showing tgt after reboot

2022-10-24 Thread Hajo Locke
Hello Sergio,

have you formed an opinion on this issue?

Thanks,
Hajo

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1988144

Title:
  klist not showing tgt after reboot

Status in krb5 package in Ubuntu:
  Incomplete

Bug description:
  Hello,

  I am not sure if this is a bug, but I have noticed a different behaviour of
  kinit/klist between Ubuntu 18.04 and 22.04.
  I already talked to Sam Hartman, who is the maintainer of the krb5 packages at
  Debian, and he told me that basically there is no difference between the
  different versions of kinit/klist and that one should dig into the Ubuntu
  environment.
  Let me describe what I noticed:

  We use kinit/klist/krb5 keytab as the base for sssd and ssh access
  controlled by AD.

  In Ubuntu 18.04 LTS I could do:
  "kinit myprincipal" and it created a valid tgt. This tgt was stable and
  survived a reboot, which can be viewed with "klist".
  I log in as an unprivileged user, do "sudo -i" and see:

  myhost: # klist
  Ticket cache: FILE:/tmp/krb5cc_27465975_uqBiyq

  The file /tmp/krb5cc_27465975_uqBiyq exists and is owned by my unprivileged
  username and the group domainusers.
  Ubuntu 18.04 LTS is using 1.16-2ubuntu0.2 of krb5-user. I have to say that the
  first login as the unprivileged user is done using an ssh key pair, so no sssd
  is involved. But with "sudo -i" sssd is used and worked as expected.

  Now we have switched to Ubuntu 22.04 LTS; the version of krb5-user is 1.19.2-2.
  Doing kinit myprincipal on 22.04 leads to:
  myhost: #  klist
  Ticket cache: FILE:/tmp/krb5cc_0

  The file /tmp/krb5cc_0 is owned by root:root.

  After a reboot I can still log in successfully as the unprivileged user, do
  "sudo -i", and klist says:

  myhost: # klist
  klist: No credentials cache found (filename: /tmp/krb5cc_0

  The file /tmp/krb5cc_0 is gone (deleted by something unknown), but I see a file
  /tmp/krb5cc_27465975_nGySkP which is owned by my unprivileged username, and
  the group is domainusers.
  Is this expected? It seems that the newer klist always wants to use the default
  name /tmp/krb5cc_0. It creates the tgt with this name and tries to read this
  filename, but after a reboot the file is recreated with a different name and
  the default klist command fails. The first login as the unprivileged user was
  done with an ssh key pair without sssd, but "sudo -i" uses sssd again. The whole
  thing only works as in 18.04 if you don't use ssh key pairs and do all logins
  by hand with a manual login, so that sssd is forced to be used in every step.

  What do you think? Is this a bug or wrong use? The behaviour of 18.04 was
  absolutely satisfying.

  Thanks,
  Hans

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1988144/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1988144] Re: klist not showing tgt after reboot

2022-09-01 Thread Hajo Locke
sssd.conf

** Attachment added: "sssd.conf"
   
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1988144/+attachment/5612838/+files/sssd.conf



[Touch-packages] [Bug 1988144] Re: klist not showing tgt after reboot

2022-09-01 Thread Hajo Locke
realmd.conf

** Attachment added: "realmd.conf"
   
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1988144/+attachment/5612837/+files/realmd.conf



[Touch-packages] [Bug 1988144] Re: klist not showing tgt after reboot

2022-09-01 Thread Hajo Locke
Hello Sergio,

thanks for your help.

I can do that. I will explain a step-by-step procedure for my setup.
I also attach a file with anonymised krb5.conf, realmd.conf and
sssd.conf.

We have an Active Directory domain which is controlled by multiple
domain controllers. We attach some of our Linux servers to AD to control, by
AD group, who can access and sudo on these Linux machines. In my conf files
the domain is simply called domain.de|DOMAIN.DE

- The starting point is a freshly installed Ubuntu 18.04 or 22.04 LTS with a
local admin. This local admin is used to initiate the AD connection.
Basically I followed this tutorial:
https://schroeffu.ch/2019/09/linux-active-directory-ldap-ssh-login-mit-sssd-und-realmd/

- Installation:
apt install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli

- Please see the attached krb5.conf, realmd.conf

- Now I get a tgt with kinit using my AD domain admin credentials:
kinit myusern...@domain.de

- Joining the domain:
realm --verbose join DOMAIN.DE -U myusern...@domain.de

- At this point we are part of the domain, and after the domain sync every user
in the group LinuxAdmins can log in by ssh. Using sudo is allowed by a config in
/etc/sudoers.d/ which contains
%LinuxAdmins ALL=(ALL:ALL) ALL

Now I use an unprivileged domain user which is part of the AD group LinuxAdmins.
For fast login I use a key pair for this user to log in as the unprivileged
user. So I log in with ssh keys and do a "sudo -i" to stay root permanently. Now
sssd works and checks my AD data/password. I am allowed to do sudo and now I am
the root user. klist now shows a valid tgt and klist -ekt shows a valid KVNO,
timestamp and principal.

Now I do the same on Ubuntu 22, with all steps/configs identical except a line
in sssd.conf (see the comment in the first section) because the services use a
different startup.
On Ubuntu 22 I use my unprivileged user to log in with ssh keys, then do
"sudo -i", and klist says:
klist: No credentials cache found (filename: /tmp/krb5cc_0)
A file /tmp/krb5cc_0 does not exist, but I see a file
/tmp/krb5cc_27465975_nGySkP which is owned by my unprivileged username but not
used by klist. Maybe the problem is in the sudo environment.

In Ubuntu 22 I see a valid tgt with klist only if I do every login by hand and
don't use an ssh key. But this was working in Ubuntu 18 and I liked that way,
because I hop onto a lot of servers every day and a first login by ssh key is
very comfortable.
Maybe this is only a small bug in this particular case, but I want to make
sure that my services still work after some time, because the existing keytab
can be used for other purposes too, like authentication by the Apache web
server, and I don't want them to be harmed by this issue.

Thanks for your help,
Hans

** Attachment added: "krb5.conf"
   
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1988144/+attachment/5612836/+files/krb5.conf
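
A diagnostic sketch for the mismatch described in the message above, added here and not part of the original post or of krb5/sssd: it resolves which credential cache name klist would consult for a uid and, if that file is missing, lists the krb5cc_* files that exist instead. The function names are hypothetical, and it assumes krb5.conf sets no default_ccache_name, so the fallback is FILE:/tmp/krb5cc_<uid> unless KRB5CCNAME is set.

```shell
#!/bin/sh
# Added example; all function names are hypothetical.
# Assumption: no default_ccache_name in krb5.conf, so without KRB5CCNAME
# the library falls back to FILE:<dir>/krb5cc_<uid> (dir is /tmp).

# resolve_ccache UID [KRB5CCNAME] [DIR]: cache name klist would open.
resolve_ccache() {
    if [ -n "${2:-}" ]; then
        printf '%s\n' "$2"
    else
        printf 'FILE:%s/krb5cc_%s\n' "${3:-/tmp}" "$1"
    fi
}

# ccache_path NAME: file behind a FILE cache (a name without a type prefix
# is also a FILE cache); empty output for other types such as KCM: or KEYRING:.
ccache_path() {
    case $1 in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *:*)    printf '\n' ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# cache_uid PATH: uid encoded in a krb5cc_<uid>[_<suffix>] file name.
cache_uid() {
    base=${1##*/}
    rest=${base#krb5cc_}
    printf '%s\n' "${rest%%_*}"
}

# diagnose UID [KRB5CCNAME] [DIR]: report whether the resolved cache file
# exists; if not, list the other cache files in DIR with their encoded uid.
diagnose() {
    dir=${3:-/tmp}
    name=$(resolve_ccache "$1" "${2:-}" "$dir")
    path=$(ccache_path "$name")
    if [ -z "$path" ]; then
        printf 'non-file %s\n' "$name"
        return 0
    fi
    if [ -f "$path" ]; then
        printf 'found %s\n' "$name"
        return 0
    fi
    printf 'missing %s\n' "$name"
    for f in "$dir"/krb5cc_*; do
        [ -f "$f" ] || continue
        printf 'candidate FILE:%s uid=%s\n' "$f" "$(cache_uid "$f")"
    done
    return 1
}
```

In the root shell after "sudo -i", `diagnose "$(id -u)" "${KRB5CCNAME:-}"` shows whether the environment still points at the per-session cache or has fallen back to the uid-based default.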


[Touch-packages] [Bug 1807722] Re: ImageMagick without rsvg Support

2018-12-10 Thread Hajo Locke
P.S. In the changelog of the package there is no hint why rsvg support was
dropped, so I had to ask. rsvg is very useful; please re-enable it if possible.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1807722

Title:
  ImageMagick without rsvg Support

Status in apport package in Ubuntu:
  New
Status in imagemagick package in Ubuntu:
  New

Bug description:
  Hello,

  imagemagick 8:6.9.7.4+dfsg-16ubuntu6.4, which is bundled with Ubuntu 18.04.1
  LTS/bionic, is explicitly compiled with --without-rsvg
  This disables rsvg support and forces a fallback to the msvg renderer, which
  has only a rudimentary range of functions.
  Why this?
  In Ubuntu 16.04.5 LTS/xenial rsvg support is still active.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1807722/+subscriptions



[Touch-packages] [Bug 1807722] [NEW] ImageMagick without rsvg Support

2018-12-10 Thread Hajo Locke
Public bug reported:

Hello,

imagemagick 8:6.9.7.4+dfsg-16ubuntu6.4, which is bundled with Ubuntu 18.04.1
LTS/bionic, is explicitly compiled with --without-rsvg
This disables rsvg support and forces a fallback to the msvg renderer, which
has only a rudimentary range of functions.
Why this?
In Ubuntu 16.04.5 LTS/xenial rsvg support is still active.

** Affects: apport (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: imagemagick (Ubuntu)
 Importance: Undecided
 Status: New

** Also affects: imagemagick (Ubuntu)
   Importance: Undecided
   Status: New



[Touch-packages] [Bug 827151] Re: Annoying log message "DIGEST-MD5 common mech free"

2017-02-07 Thread Hajo Locke
Hello,

we also see hundreds of lines like this in xenial.

ii  libsasl2-modules:amd64  2.1.26.dfsg1-14build1  amd64

The file /etc/logcheck/ignore.d.server/libsasl2-modules with the content
suggested by hackel already exists in xenial; it is part of the package
libsasl2-modules but does not seem to work.

Hajo

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/827151

Title:
  Annoying log message "DIGEST-MD5 common mech free"

Status in Cyrus-sasl2:
  New
Status in cyrus-sasl2 package in Ubuntu:
  Fix Released
Status in cyrus-sasl2 source package in Trusty:
  Triaged
Status in cyrus-sasl2 source package in Xenial:
  Incomplete
Status in cyrus-sasl2 source package in Yakkety:
  Fix Released
Status in cyrus-sasl2 package in Debian:
  Fix Released

Bug description:
  I recently updated the libsasl2-modules to 
2.1.24~rc1.dfsg1+cvs2011-05-23-4ubuntu1 in oneiric.
  That triggered the bug also described in Debian here: 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631932

  The annoying message is logged in auth.log. In my case, it is associated with 
svnserve:
  svnserve: DIGEST-MD5 common mech free

  I'm not exactly sure what action triggers the message, but I can
  investigate more if required.

  $ lsb_release -rd
  Description:    Ubuntu oneiric (development branch)
  Release:        11.10

To manage notifications about this bug go to:
https://bugs.launchpad.net/cyrus-sasl2/+bug/827151/+subscriptions
