Re: [Bug 1332985] [NEW] Add the krb5-send-pr command to the ubuntu package

2014-06-22 Thread Russ Allbery
and operating system information with your bug report. Please note that bug reports are public; if you are reporting a security vulnerability, send mail to krbcore-secur...@mit.edu instead, ideally using PGP encryption. EOF -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- You

[Bug 1119465] Re: credential verification failed: KDC has no support for encryption type

2013-02-08 Thread Russ Allbery
Reassigning to krb5, as: Feb 8 15:38:09 vpn-gw-ausfall openvpn[9031]: pam_krb5(openvpn-krb5:auth): (user hildeb) credential verification failed: KDC has no support for encryption type is an error message from the underlying Kerberos library that libpam-krb5 can't do anything about.

[Bug 1098294] Re: Use of uninitialized value $admin in string eq at ...

2013-01-10 Thread Russ Allbery
This should be harmless, just noisy, but will be fixed in the next release. Thanks! -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in Ubuntu. https://bugs.launchpad.net/bugs/1098294 Title: Use of uninitialized

[Bug 988520] Re: After failed auth, subsequent auths in same context fail

2012-05-14 Thread Russ Allbery
Oh, wow, great job with the test case. It wouldn't have occurred to me to just do that. (And yes, you have to use the Git version because I've been adding a ton of new tests compared to the latest full release.) -- You received this bug notification because you are a member of Ubuntu Server

[Bug 988520] Re: After failed auth, subsequent auths in same context fail

2012-04-27 Thread Russ Allbery
I have a test case, but I'm not sure you'll particularly enjoy it, since it isn't in a neatly isolated form. But if you: git clone git://git.eyrie.org/kerberos/pam-krb5.git cd pam-krb5 ./autogen ./configure and then add the username and password of an account in a test Kerberos

[Bug 715765] Re: Can't change kerberos password, pam-krb5 try_first_pass also fails

2012-04-25 Thread Russ Allbery
This bug was introduced in MIT Kerberos 1.10. After a failing authentication with preauth required in a particular Kerberos context, all subsequent authentications in that context that require preauth will fail. Upstream has fixed this with commit 25822. This is a fairly serious issue, blocking

[Bug 715765] Re: Can't change kerberos password, pam-krb5 try_first_pass also fails

2012-04-25 Thread Russ Allbery
Actually, now that I look more at this, this may be an unrelated problem. The problem I encountered was reported upstream as a password change problem, but this may be a slightly different issue. I'll open another bug about the failed second authentication problem. -- You received this bug

[Bug 988520] [NEW] After failed auth, subsequent auths in same context fail

2012-04-25 Thread Russ Allbery
Public bug reported: MIT Kerberos 1.10 (including pre-releases and betas) exposed a bug in the tracking of preauth mechanisms such that, if an authentication fails after preauth was requested, all subsequent preauth-required authentications in the same Kerberos context will also fail. This

[Bug 988520] Re: After failed auth, subsequent auths in same context fail

2012-04-25 Thread Russ Allbery
** Bug watch added: Debian Bug tracker #670457 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670457 ** Also affects: krb5 (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670457 Importance: Unknown Status: Unknown -- You received this bug notification because you

[Bug 715765] Re: Can't change kerberos password

2012-04-25 Thread Russ Allbery
** Summary changed: - Can't change kerberos password, pam-krb5 try_first_pass also fails + Can't change kerberos password -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/715765 Title:

Re: [Bug 715765] Re: Can't change kerberos password

2012-04-25 Thread Russ Allbery
Steve Langasek steve.langa...@canonical.com writes: Setting this back to 'triaged', which is the more-better bug state in LP. Thanks. I tried to do that but it didn't let me (probably not enough access bits). -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle

[Bug 962560] Re: pam-auth-update Account-Type should be Additional

2012-03-26 Thread Russ Allbery
This analysis looks right to me, and I think may run deeper than just this one module. If every account module should be additional and not primary, I think that points to an error in the data model or interpretation of the data model, rather than in individual PAM configurations. And viewing

[Bug 962560] Re: pam-auth-update Account-Type should be Additional

2012-03-26 Thread Russ Allbery
Ah, in fact, I see comment #20 mentioned above is from Steve. Steve, when would you ever want to have an account type of Primary given those semantics? Shouldn't Primary just be treated the same as Additional for the account stack? -- You received this bug notification because you are a member

Re: [Bug 179142] Re: /etc/krb5.conf is malformed

2012-03-19 Thread Russ Allbery
initializing Kerberos code [realms] MYGROUP.COM = { kdc = kerberos.mygroup.com.:88 I'm not sure if this is your problem, but the trailing period here looks suspicious. Try removing the period just before the colon. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle

Re: [Bug 913166] Re: kprop will not find slave-kdc

2012-01-11 Thread Russ Allbery
? -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/913166 Title: kprop will not find slave-kdc To manage

Re: [Bug 913166] [NEW] kprop will not find slave-kdc

2012-01-07 Thread Russ Allbery
/kerbe...@example.net, which fails. Changing the system hostname of the master to kerberos.example.net will probably fix this problem. kprop should really gain an additional command-line option to specify the client principal to authenticate as. -- Russ Allbery (r...@debian.org) http

Re: [Bug 900447] [NEW] Man 5 page for kdc.conf does not mention acceptable encryption types

2011-12-05 Thread Russ Allbery
They're listed in the krb5-admin info pages included in krb5-doc under Configuration Files. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in Ubuntu

Re: [Bug 900447] Re: Man 5 page for kdc.conf does not mention acceptable encryption types

2011-12-05 Thread Russ Allbery
reference manual; they don't have very much useful structure.) -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs

[Bug 740477] Re: kinit should print an error if credentials cache has invalid permissions

2011-03-24 Thread Russ Allbery
The bug is trivially reproducible given the instructions given by the reporter. I don't see any need for them to run apport-collect to gather more data. ** Changed in: krb5 (Ubuntu) Status: Incomplete => Confirmed -- You received this bug notification because you are a member of Ubuntu

Re: [Bug 652433] Re: Init script dependency error: krb5-kdc starts before slapd

2011-01-26 Thread Russ Allbery
and repeated attempts to contact the LDAP server. Ideally, they should both be robust against the other not being up yet. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- You received this bug notification because you are a member of Ubuntu Server Team, which

Re: [Bug 652433] [NEW] Init script dependency error: krb5-kdc starts before slapd

2010-09-30 Thread Russ Allbery
init script orderings break different things for different people. What really needs to happen is that one or the other (or preferably both) services need to be robust against the other service not yet being initialized. -- Russ Allbery (r...@debian.org) http://www.eyrie.org

Re: [Bug 652433] Re: Init script dependency error: krb5-kdc starts before slapd

2010-09-30 Thread Russ Allbery
on single machines, in which case you may have an LDAP replica and a KDC on the same host. The LDAP replica then needs to do a GSSAPI authentication to the master for replication, which requires access to the KDC. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- Init

[Bug 625651] Re: package libkadm5clnt6 1.7dfsg~beta3-1ubuntu0.6 failed to install/upgrade:

2010-08-27 Thread Russ Allbery
This looks to me more like something that's seriously wrong with your system rather than a problem with the package: Setting up libkadm5clnt6 (1.7dfsg~beta3-1ubuntu0.6) ... dpkg (subprocess): unable to execute installed post-installation script: Exec format error The postinst script for

Re: [Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.

2010-04-29 Thread Russ Allbery
keytab. This all happened back in 2007 for us. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- krb5 prefers the reverse pointer no matter what for locating service tickets. https://bugs.launchpad.net/bugs/571572 You received this bug notification because you

Re: [Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.

2010-04-29 Thread Russ Allbery
consistent is if you have a web service that uses DNS-based load-balancing. That's where we ran into that issue. The public name is a CNAME that points to the least-loaded host (which is dynamically discovered by the DNS server). -- Russ Allbery (r...@debian.org) http

Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-04-13 Thread Russ Allbery
or forwardable tickets are more.) -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which

Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-04-13 Thread Russ Allbery
that to Heimdal, since it would be rather convenient at times. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you

Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-04-11 Thread Russ Allbery
with this setting, surely the same mechanism could be used to override the PAM configuration as well. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug

Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-04-01 Thread Russ Allbery
., and log on to a system account. Fixing Debian Bug#330882 (and in general not creating real shells for system users) would remove a lot of my concern. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid

Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-03-31 Thread Russ Allbery
of Kerberos-authenticated and non-Kerberos users, distinguish by UID, and mind the silent Kerberos authentication failure when handling the UNIX login. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid

Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-03-30 Thread Russ Allbery
. At the moment, therefore, I think it's unlikely there will be any changes for lucid if they're waiting on me to initiate the work. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs

Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-03-30 Thread Russ Allbery
accounts have valid shells by default. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server

Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-03-30 Thread Russ Allbery
the defaults, I believe changes to the defaults are just automatically applied (although Steve would know better than I). And krb5.conf normally isn't updated once written and I don't think it could be updated with this particular type of change. -- Russ Allbery (r...@debian.org

[Bug 536930] Re: Password changing fails when krb5 pam-config is not first

2010-03-10 Thread Russ Allbery
The problem is in passing use_authtok to pam_krb5. Comparatively, try_first_pass/use_first_pass/nothing at least allows the Current Kerberos password: prompt to come up. This was fixed in 4.0-1. The fix would need to be backported to karmic. -- Russ Allbery (r...@debian.org) http

Re: [Bug 512110] [NEW] gssd regression, Program lacks support for encryption type

2010-01-24 Thread Russ Allbery
. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- gssd regression, Program lacks support for encryption type https://bugs.launchpad.net/bugs/512110 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in ubuntu

[Bug 476069] Re: segfault

2010-01-18 Thread Russ Allbery
The best theory that I have about this bug is that it's related to some sort of failure in the NSS lookups for the current user, resulting in the ticket cache permissions not being changed, but I can't entirely reconcile this with the debugging messages you're seeing. I think progress on this bug

Re: [Bug 476069] Re: segfault

2009-11-05 Thread Russ Allbery
logged by the PAM module before returning to the process. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5

Re: [Bug 476069] Re: segfault

2009-11-05 Thread Russ Allbery
be a file with a name like /tmp/krb5cc_1000_DBzGt12076 representing the user's ticket cache. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu

Re: [Bug 476069] Re: segfault

2009-11-05 Thread Russ Allbery
mode 600? -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in ubuntu. -- Ubuntu-server-bugs mailing list

Re: [Bug 374819] Re: Missing dependency on update-inetd and other issues

2009-05-18 Thread Russ Allbery
and register with doc-base krb5-doc no longer has a postinst to call install-docs because doc-base now uses triggers to handle that. This is probably just that Ubuntu's Lintian is a bit out of date. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- Missing

Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2009-04-29 Thread Russ Allbery
, login can time out and leave you in a situation where you can't log in as root. Maybe it would make sense to leave minimum_uid for /etc/krb5.conf but set ignore_root in the profile to eliminate the worst of the problem of not having minimum_uid set. -- Russ Allbery (r...@debian.org

[Bug 368153] Re: Kerberos, NFS4 and autofs issue

2009-04-28 Thread Russ Allbery
Yeah, that sounds like a bug in the NFS userspace portions to me. The way that I understand this is supposed to work is that the NFS Kerberos support is divided into two components: a userspace daemon that finds the user's ticket cache, grabs credentials where necessary, and loads them into the

Re: [Bug 368153] Re: Kerberos, NFS4 and autofs issue

2009-04-28 Thread Russ Allbery
whatever it happens to find. If autofs happens later, after the PAM authentication has successfully completed, this temporary ticket cache of course no longer exists and therefore the mount cannot be done. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- Kerberos, NFS4

[Bug 368153] Re: Kerberos, NFS4 and autofs issue

2009-04-27 Thread Russ Allbery
I'm not sure what package this is a problem with, but I can say with some certainty that it isn't kerberos-configs. This package only provides the krb5.conf configuration to find the KDCs and do other library initialization. This sounds like a bug in the NFS v4 userspace processes, if I

Re: [Bug 355151] Re: suarez

2009-04-04 Thread Russ Allbery
realm? I suspect this is the same as #296719, which was fixed in 1.22. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- suarez https://bugs.launchpad.net/bugs/355151 You received this bug notification because you are a member of Ubuntu Server Team, which

Re: [Bug 341432] [NEW] package libkrb5-dev 1.6.dfsg.4~beta1-3 failed to install/upgrade: failed to delete `/usr/lib/libkrb5support.so.dpkg-tmp': Read-only file system

2009-03-11 Thread Russ Allbery
on, but probably at the dpkg layer rather than at the level of the krb5 package. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- package libkrb5-dev 1.6.dfsg.4~beta1-3 failed to install/upgrade: failed to delete `/usr/lib/libkrb5support.so.dpkg-tmp': Read-only

[Bug 296719] Re: kerberos-configs fails to configure if dnsdomainname fails

2009-01-21 Thread Russ Allbery
1.22 has been synced to jaunty, so following the process for proposing an intrepid update: This bug causes users who do not have a valid local hostname to fail to install krb5-config. krb5-config is a dependency of many other packages and recommendation for all Kerberos software packages. The

Re: [Bug 309339] Re: kadmind will not listen on IPv6 ports

2008-12-19 Thread Russ Allbery
bad it will be. (kpasswd is likely to be the hardest problem, since it's UDP, but you may not care about it.) -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- kadmind will not listen on IPv6 ports https://bugs.launchpad.net/bugs/309339 You received this bug

Re: [Bug 309339] [NEW] kadmind will not listen on IPv6 ports

2008-12-18 Thread Russ Allbery
sockaddr_in rather than sockaddr_in6, used to bind to the kerberos-adm port, and the code that uses it is: I believe that's correct and upstream does not (yet, at least) support the kadmin protocol over IPv6. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- kadmind

[Bug 159357] Re: Improper format of Kerberos configuration file

2008-07-14 Thread Russ Allbery
This is fixed in the 1.6.dfsg.3-1 Debian release: * If krb5-config/default_realm isn't set, use EXAMPLE.COM as the realm so that the kdc.conf will at least be syntactically valid (but will still require editing). (Closes: #474741) -- Improper format of Kerberos configuration file

[Bug 72599] Re: Option no-addresses spelled wrong in man krb.conf (/usr/share/man/man5/krb5.conf.5.gz)

2008-07-14 Thread Russ Allbery
I'm not sure when it changed, but the current code matches the documentation. noaddresses is the correct option, and the default is true. -- Option no-addresses spelled wrong in man krb.conf (/usr/share/man/man5/krb5.conf.5.gz) https://bugs.launchpad.net/bugs/72599 You received this bug

[Bug 44402] Re: krb5-admin-server fails during install

2008-07-14 Thread Russ Allbery
The package is behaving as intended from my perspective. I don't think it's sane to automatically create a new realm on package installation. You may want to do something else, like initialize from an existing realm or create a realm that doesn't match the local realm for testing. In fact, given

[Bug 116745] Re: kerberos requires users to list themselves in .k5login

2008-07-14 Thread Russ Allbery
This is the intended behavior of Kerberos. So far as I know, it has always worked this way. I have never seen logins succeed if you have an empty .k5login file. I suspect something else was going on when you thought this used to work (such as having the .k5login file not be readable for some