[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-06-15 Thread Launchpad Bug Tracker
This bug was fixed in the package krb5 - 1.8.1+dfsg-2ubuntu0.1

---
krb5 (1.8.1+dfsg-2ubuntu0.1) lucid-proposed; urgency=low

  * src/lib/gssapi/spnego/spnego_mech.c: Ignore duplicate token sent in
mechListMIC from Windows 2000 SPNEGO (LP: #551901)
 -- Thierry Carrez thierry.car...@ubuntu.com   Tue, 01 Jun 2010 14:55:50 +0200

** Changed in: krb5 (Ubuntu Lucid)
   Status: Fix Committed => Fix Released

-- 
likewise-open fails to join Windows 2000 SP4 domain
https://bugs.launchpad.net/bugs/551901
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-06-10 Thread Martin Pitt
** Tags added: verification-done
** Tags removed: verification-needed



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-06-09 Thread Martin Pitt
Accepted krb5 into lucid-proposed, the package will build now and be
available in a few hours. Please test and give feedback here. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to
enable and use -proposed. Thank you in advance!

** Tags added: verification-needed



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-06-09 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/lucid-proposed/krb5



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-06-09 Thread Hernan
Worked OK for me!



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-06-01 Thread John Dong
ACK from ubuntu-sru



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-06-01 Thread Stéphane NOU
Thanks to Thierry Carrez, your krb5 release solved the problem for me.



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-06-01 Thread Thierry Carrez
Thanks very much for your help, I'll push this to lucid-proposed for a
wider audience.



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-06-01 Thread Thierry Carrez
** Description changed:

  Binary package hint: likewise-open
  
  Package: likewise-open
  Architecture: amd64
  Version: 5.4.0.42111-1
  uname: Linux 2.6.32-18-generic #27-Ubuntu SMP
  
  I am unable to join an AD domain.  This machine was upgraded from 9.04
  to 9.10, after that update, I was able to join the domain and things
  worked fine.  I upgraded to 10.04, and the likewise-open upgrade failed.
  I cleaned the old likewise-open install, reinstalled likewise-open and
  was unable to join the domain.  I also tried using the suggestions
  offered in Bug #543963, but that resulted in the same outcome which
  follows:
  
  sudo domainjoin-cli --loglevel verbose join mydomain.com adminuser
  Joining to AD Domain:   mydomain.com
  With Computer DNS Name: mycomputer.mydomain.com
  
  adminu...@mydomain.com's password:
  
  (at this point the program pauses for 30 seconds to a minute)
  
  Error: Lsass Error [code 0x00080047]
  
  59 (0x3B) ERROR_UNEXP_NET_ERR - Unknown error
  
  The last few syslog entries:
  
  Mar 30 10:19:07 mycomputer lwiod[17879]: GSS-API error calling gss_init_sec_context: 589824 (Invalid token was supplied)
  Mar 30 10:19:07 mycomputer lwiod[17879]: GSS-API error calling gss_init_sec_context: 13 ()
  Mar 30 10:19:11 mycomputer lwiod[17879]: GSS-API error calling gss_init_sec_context: 589824 (Invalid token was supplied)
  Mar 30 10:19:11 mycomputer lwiod[17879]: GSS-API error calling gss_init_sec_context: 13 ()
  Mar 30 10:19:12 mycomputer lwiod[17879]: GSS-API error calling gss_init_sec_context: 589824 (Invalid token was supplied)
  Mar 30 10:19:12 mycomputer lwiod[17879]: GSS-API error calling gss_init_sec_context: 13 ()
  Mar 30 10:19:17 mycomputer lsassd[17901]: 0x7fee6ae8a710:Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') - error = 59, symbol = ERROR_UNEXP_NET_ERR, client pid = 17933
+ 
+ == SRU Report ==
+ Impact:
+ It's impossible to use Likewise Open in lucid to join a domain with Windows 2000 Domain controllers. This is a regression from karmic and hardy.
+ 
+ Development branch fix:
+ Maverick synced to Debian's 1.8.1+dfsg-5, which has the fix from upstream trunk backported.
+ 
+ Minimal patch:
+ http://src.mit.edu/fisheye/changelog/krb5/?cs=24075
+ This patch was proposed by the Likewise team and committed to krb5 upstream trunk.
+ 
+ TEST CASE:
+ $ sudo apt-get install likewise-open
+ $ sudo domainjoin-cli join DOMAIN ADMINUSER
+ Affected version fails to join the domain.
+ Fixed version joins the domain OK.
+ 
+ Regression potential:
+ The patch is quite sensitive, though the special handling seems limited to Windows 2000 duplicate response tokens. It has been thoroughly discussed between the Likewise developers, the Debian maintainer of krb5, and upstream. It's been applied in upstream krb5 and in the current debian version.



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-06-01 Thread Thierry Carrez
Fix uploaded to lucid-proposed.

** Changed in: krb5 (Ubuntu Lucid)
   Status: In Progress => Fix Committed



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-05-31 Thread Thierry Carrez
** Changed in: krb5 (Ubuntu Lucid)
 Assignee: (unassigned) => Thierry Carrez (ttx)

** Changed in: krb5 (Ubuntu)
Milestone: lucid-updates => None



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-05-31 Thread Thierry Carrez
@Matt, Hernan:
I uploaded a fixed version to my PPA, please see:
https://launchpad.net/~ttx/+archive/ppa

Once it's built (should take a couple hours), could you install that
version and test that it fixes the issue without bringing in new issues?

If you confirm that this version fixes it, I'll upload it as a regular
lucid update. Thanks for your help!

** Changed in: krb5 (Ubuntu Lucid)
   Status: Confirmed => In Progress



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-05-31 Thread Hernan
Thierry,
it seems to work well.
I have done the following:

- On a Lucid PC upgraded from Karmic with the manually patched krb5 installed: left the domain, installed package version 1.8.1+dfsg-2 (which has the problem with Windows 2000 domains), verified it cannot join the domain, installed the 1.8.1+dfsg-2ubuntu1~ppa1 version and verified that it correctly joins the domain, logs in using a domain account and accesses domain network resources.

- On a fresh Lucid PC: installed the 1.8.1+dfsg-2ubuntu1~ppa1 version and verified that it correctly joins the domain, logs in using a domain account and accesses domain network resources.

When joining the domain I got the warning:
** Warning: A resumable error occurred while processing a module
Even though the configuration of 'hostname' was executed, the configuration did not fully complete. Please contact Likewise support. **
but everything worked as expected. Re-joining the domain does not issue the warning.

Hope this helps!



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-05-28 Thread Launchpad Bug Tracker
This bug was fixed in the package krb5 - 1.8.1+dfsg-5

---
krb5 (1.8.1+dfsg-5) unstable; urgency=low

  * Ignore duplicate token sent in mechListMIC from Windows 2000 SPNEGO
(LP: #551901)
  * krb5-admin-server starts after krb5-kdc, Closes: #583494

krb5 (1.8.1+dfsg-4) unstable; urgency=low

  * fix prerm script (Closes: #577389), thanks Harald Dunkel
 -- Ubuntu Archive Auto-Sync arch...@ubuntu.com   Fri,  28 May 2010 11:23:00 +0100

** Changed in: krb5 (Ubuntu)
   Status: Confirmed => Fix Released



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-05-28 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/krb5



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-05-25 Thread Thierry Carrez
Sam: Not really, thanks for asking :) Maverick will sync with your fixed
version, and I'll create a specific patched version for Lucid.



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-05-21 Thread Gerald Carter
Patch has been committed upstream:

Subject: [krbdev.mit.edu #6726] SVN Commit


Apply patch from Arlene Berry to detect and ignore a duplicate
mechanism token sent in the mechListMIC field, such as sent by Windows
2000 Server.

http://src.mit.edu/fisheye/changelog/krb5/?cs=24075
Commit By: tlyu
Revision: 24075
Changed Files:
U   trunk/src/lib/gssapi/spnego/spnego_mech.c



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-05-21 Thread Thierry Carrez
@Sam: let me know if you feel comfortable applying that patch now. Once
it's fixed in sid/maverick, I'll push a SRU for lucid.

@Jerry: This is an issue specific to Windows 2000 DCs, right ?



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-05-21 Thread Gerald Carter
Correct.  My understanding is that we've only observed the issue on
Windows 2000 DCs.



Re: [Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-05-21 Thread Sam Hartman
>>>>> "Thierry" == Thierry Carrez <thierry.car...@ubuntu.com> writes:

    Thierry> @Sam: let me know if you feel comfortable applying that
    Thierry> patch now. Once it's fixed in sid/maverick, I'll push a SRU
    Thierry> for lucid.

Sure.  I will attempt to get to it this weekend.
Anything you want me to do to make the SRU process easier for you?

--Sam



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-05-20 Thread Gerald Carter
Filed upstream as - SPNEGO doesn't interoperate with Windows 2000
[krbdev.mit.edu #6726]



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-05-19 Thread Thierry Carrez
Right, we are missing two pieces of information:

Someone familiar with the MIT SPNEGO code needs to look at the patch
and confirm it actually ignores MIC tokens only when MIC tokens are
optional. In particular, we want to confirm that if the mechanism
supports integrity and a MIC token would be required either through
request-mic state or because the acceptor didn't choose the optimistic
mechanism, that a MIC token is still required.

-- This requires the patch to be discussed upstream, so it needs to be
submitted there

Confirm the impact is limited to Windows 2000 Server DCs

-- Which versions of DCs are impacted, so that we can set the
importance accordingly



Re: [Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-05-19 Thread Sam Hartman
>>>>> "Gerald" == Gerald Carter <je...@plainjoe.org> writes:

    Gerald> I think Sam is wanting to know if likewise has submitted the
    Gerald> patch to upstream MIT krb5.  If that is the case, I'll check
    Gerald> on the state of things and update the bug report.

That is.  Early on you mentioned you thought this had happened; I looked
into it and could not find this patch upstream.

--Sam



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-05-18 Thread Hernan
Sorry Sam, but I don't fully understand how the patch becomes available in Ubuntu releases.
But I can confirm that the last available package of krb5 in the lucid repositories (krb5_1.8.1+dfsg-2) still has the bug/problem, and the link given in comment #6 corresponds to an older version of krb5 (the line numbers do not match the last sources).
Hope it is resolved soon!



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-05-18 Thread Gerald Carter
I think Sam is wanting to know if likewise has submitted the patch to
upstream MIT krb5.  If that is the case, I'll check on the state of
things and update the bug report.



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-05-17 Thread Hernan
Now it is working fine on upgraded and freshly installed Lucid PCs.
On the upgraded installation I have to rejoin the domain
(patched the package following the steps in:
http://www.cyberciti.biz/faq/rebuilding-ubuntu-debian-linux-binary-package/ for
the package krb5_1.8.1+dfsg-2.dsc)



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-04-23 Thread Thierry Carrez
** Changed in: krb5 (Ubuntu Lucid)
Milestone: None => lucid-updates

** Changed in: krb5 (Ubuntu Lucid)
 Assignee: Thierry Carrez (ttx) => (unassigned)



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-04-21 Thread Thierry Carrez
** Changed in: krb5 (Ubuntu Lucid)
 Assignee: (unassigned) => Thierry Carrez (ttx)



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-04-21 Thread Brian Murray
** Tags added: patch



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-04-16 Thread Thierry Carrez
Subscribing Jerry to get his opinion on impact.



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-04-15 Thread Thierry Carrez
@Sam: Thank you very much for looking into this. We'll wait for your
green light before including that patch in all cases. The sooner the
better, but if that comes too late in Lucid preparation, we'll fix this
in a post-release StableReleaseUpdate.

@Jerry: Trying to assess the right bug importance for this. Could you
confirm the impact is limited to Windows 2000 Server DCs ?



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-04-15 Thread Thierry Carrez
** Also affects: krb5 (Ubuntu Lucid)
   Importance: Undecided
   Status: Confirmed

** Changed in: krb5 (Ubuntu Lucid)
   Importance: Undecided => Medium



[Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-04-14 Thread Gerald Carter
Moving to krb5 component for requesting inclusion of the spnego patch

** Package changed: likewise-open (Ubuntu) => krb5 (Ubuntu)

** Changed in: krb5 (Ubuntu)
 Assignee: Gerald Carter (coffeedude.jerry) => (unassigned)



Re: [Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-04-14 Thread Sam Hartman
I don't see an upstream krb5 bug for this issue.
I would recommend against applying this patch until someone familiar
with the SPNEGO security model and the code has evaluated it.

Basically, certain versions of Windows produce bad SPNEGO tokens.  It's
appropriate to ignore these in some situations spelled out in the RFC,
but creates a significant security issue in others.  I suspect that this
may be OK, but I don't have the spnego state machine in my head now, nor
do I have the MIT SPNEGO code in my head now.  The easiest way to get
comfortable with this patch would be for upstream krb5 to evaluate it:
they have been working on the SPNEGO code a lot lately so it would
probably require less effort for them.



Re: [Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-04-14 Thread Sam Hartman
As best I can tell, the behavior of the patch is explicitly forbidden by
RFC 4178 section 5; see II under clause B and C.  However, I'll admit
that the behavior described in Appendix C does not seem consistent with
what I remember for Windows 2000...  Perhaps that's only the Windows
behavior for krb5 but not NTLM?



Re: [Bug 551901] Re: likewise-open fails to join Windows 2000 SP4 domain

2010-04-14 Thread Sam Hartman
OK, here's where this stands.
We've been discussing on #krbdev, the upstream krb5 IRC channel.
We agree that ignoring a MIC token that is an exact copy of the response
token is security neutral and it looks like both upstream and I are
comfortable making a change to do that even though it seems to go
against text in RFC 4178.
(I think RFC 4178 is overly conservative here).

My argument for why it is security neutral is that an attacker could
modify the token in transit and cause the same effect.  So, either the
protocol is already broken, or this does no harm.

What needs to happen now is someone familiar with the MIT SPNEGO code
needs to look at the patch and confirm it actually ignores MIC tokens
only when MIC tokens are optional.  In particular, we want to confirm
that if the mechanism supports integrity and a MIC token would be
required either through request-mic state or because the acceptor didn't
choose the optimistic mechanism, that a MIC token is still required.  It
may be relatively easy to argue that's the case--in particular if this
patch affects the logic before the code evaluates whether MIC is
required, then it's probably fine.  I know I'm relatively busy today and
I believe the others involved in the discussion so far have been
similarly busy.

--Sam
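
The ordering property discussed in the message above, as an added illustration that is not taken from MIT krb5 or from the Likewise patch: a duplicate mechListMIC is discarded at parse time, and the MIC-required check runs afterwards, so a required MIC can never be satisfied by the duplicate. The struct, function names and sample bytes are hypothetical, and `mic_verifies()` is a stand-in for a real `gss_verify_mic()` call.

```c
#include <stdio.h>
#include <string.h>

/* A parsed field; data == NULL means the field was absent from the token. */
struct buf { const unsigned char *data; size_t len; };

/* Hypothetical, simplified view of a parsed SPNEGO NegTokenResp. */
struct neg_token_resp {
    struct buf response_token;  /* responseToken */
    struct buf mech_list_mic;   /* mechListMIC   */
};

enum outcome { NEG_OK, NEG_MIC_MISSING, NEG_MIC_BAD };

/* Constructed sample bytes, not captured traffic. */
static const unsigned char SAMPLE_TOKEN[] = { 0x60, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48 };
static const unsigned char SAMPLE_MIC[]   = { 0x04, 0x04, 0x00, 0xff, 0x11, 0x22 };

/* Parse-time step: a mechListMIC that is a byte-for-byte copy of the
 * responseToken (the Windows 2000 behaviour described in the thread) is
 * treated as if no MIC had been sent. Returns 1 if it was dropped. */
static int drop_duplicate_mic(struct neg_token_resp *r)
{
    const struct buf *t = &r->response_token;
    struct buf *m = &r->mech_list_mic;

    if (t->data == NULL || m->data == NULL)
        return 0;
    if (t->len != m->len || memcmp(t->data, m->data, t->len) != 0)
        return 0;
    m->data = NULL;
    m->len = 0;
    return 1;
}

/* Stand-in for gss_verify_mic() over the mechanism list: in this model
 * only SAMPLE_MIC counts as a valid MIC. */
static int mic_verifies(const struct buf *mic)
{
    return mic->len == sizeof SAMPLE_MIC &&
           memcmp(mic->data, SAMPLE_MIC, sizeof SAMPLE_MIC) == 0;
}

/* Enforcement runs after the duplicate has been dropped: a MIC that is
 * present must verify, and an absent MIC is fatal whenever one is required. */
enum outcome process_response(struct neg_token_resp *r, int mic_required)
{
    drop_duplicate_mic(r);
    if (r->mech_list_mic.data != NULL)
        return mic_verifies(&r->mech_list_mic) ? NEG_OK : NEG_MIC_BAD;
    return mic_required ? NEG_MIC_MISSING : NEG_OK;
}

/* Convenience wrapper so each case can be exercised with raw byte strings. */
enum outcome run_case(const unsigned char *tok, size_t tok_len,
                      const unsigned char *mic, size_t mic_len,
                      int mic_required)
{
    struct neg_token_resp r = { { tok, tok_len }, { mic, mic_len } };
    return process_response(&r, mic_required);
}

int main(void)
{
    static const char *names[] = { "OK", "MIC_MISSING", "MIC_BAD" };
    size_t n = sizeof SAMPLE_TOKEN;

    printf("duplicate MIC, MIC optional: %s\n",
           names[run_case(SAMPLE_TOKEN, n, SAMPLE_TOKEN, n, 0)]);
    printf("duplicate MIC, MIC required: %s\n",
           names[run_case(SAMPLE_TOKEN, n, SAMPLE_TOKEN, n, 1)]);
    printf("genuine MIC,   MIC required: %s\n",
           names[run_case(SAMPLE_TOKEN, n, SAMPLE_MIC, sizeof SAMPLE_MIC, 1)]);
    return 0;
}
```

If the order were reversed, with the requirement check looking only at whether a mechListMIC field is present, the duplicate would have to be either verified (and fail) or accepted unverified, which is the case the thread wants ruled out.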
