[Replying from a duplicating issue:]
This affects any system using MIT's Kerberos in the 1.10 series prior to
1.10.2-final. To the best of my knowledge, no 1.11 series releases were
affected by this issue, and 1.9 remains affected. The upstream patch [1]
applies cleanly against the Ubuntu 12.04
This bug is fixed in Debian's krb5-1.10.1+dfsg-5.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/571572
Title:
krb5 prefers the reverse pointer no matter what for locating service
Additional experimentation indicates that Raring has a partial fix to
glibc that results in the observed libkrb5 behavior of rdns=false
working as intended. SRUs are still a good idea for earlier Ubuntu
releases. See also bug 1057526 for the underlying glibc bug.
--
You received this bug
I can see no obvious source code changes to the krb5 packages between
Quantal and Raring that would result in the observed behavior of
rdns=false functioning on stock Raring libkrb5-3 but not on Quantal.
It's possible that the underlying bug in glibc got fixed in the
meanwhile. I haven't
Ok i have done some testing with rdns=false or commented out
I have replaced our internal domain with testdomain and our kerberos realm with
EXAMPLE.COM
DNS:
dig searchsite.testdomain
searchsite.testdomain.2264INA10.0.0.10
dig sharepointsite.testdomain
sharepointsite.testdomain.
Quantal
requesting sharepointsite.testdomain with firefox with the following option set
in about:config
network.negotiate-auth.trusted-uris https://, http://;
klist
Default
principal:
Raring:
kinit testuser
klist
==
Default principal: testu...@example.com
Valid startingExpires Service principal
27/02/2013 08:28 27/02/2013 18:28 krbtgt/example@example.com
Precise
option rdns not set
requesting sharepointsite.testdomain with firefox with the following option set
in about:config
network.negotiate-auth.trusted-uris https://, http://;
klist
==
Hi Robie,
I'm also affected with this bug.
When rebuilding the source on quantal as described in comment:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/571572/comments/15 the sso
to the problematic site disappears when setting rdns=false in krb5.conf.
But this is not the case for precise,
To answer questions about getting an update into 12.04, we need (from
https://wiki.ubuntu.com/StableReleaseUpdates):
An impact statement which explains who this bug affects (use cases), why this
is a problem and why we need an update in 12.04 for it.
A test case with exact steps to reproduce the
I would strongly recommend SRUs for all supported releases, because this
is a high-impact bug for people who are deploying krb5 in environments
where they do not have tight control over their reverse DNS information.
Experience has shown that this type of hard-to-debug DNS interaction
leads to a
Hi,
we are seeing the same problems with msktutil
(http://code.google.com/p/msktutil/issues/detail?id=11)
I seems to me that this issue is already fixed in the source packages. I
did a rebuild of libkrb5-3_1.10+dfsg~beta1-2ubuntu0.3 with these
sources:
Our fix in #6922 appears to itself have a bug; we believe that
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7124 resolves it. If you
need a back port, http://krbdev.mit.edu/rt/Ticket/Display.html?id=7164
is for krb5-1.9.x, and
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7184 is for
** Changed in: krb5 (Ubuntu)
Importance: Undecided = Medium
** Changed in: krb5 (Ubuntu)
Status: New = Confirmed
--
krb5 prefers the reverse pointer no matter what for locating service tickets.
https://bugs.launchpad.net/bugs/571572
You received this bug notification because you are
Since the problem is in the clientside kerberos libraries it affects all
kerberos enabled stuff.
--
krb5 prefers the reverse pointer no matter what for locating service tickets.
https://bugs.launchpad.net/bugs/571572
You received this bug notification because you are a member of Ubuntu
Server
Tried.. had that before.. but doesn't work any more. (and isn't
documented in man krb5.conf either).
--
krb5 prefers the reverse pointer no matter what for locating service tickets.
https://bugs.launchpad.net/bugs/571572
You received this bug notification because you are a member of Ubuntu
The Kerberos Consortium has a paper on integrating Kerberos into an
application; see http://www.kerberos.org/software/appskerberos.pdf .
I believe that the lucid behavior is correct according to MIT's
documentation: what should be happening is that
* with rdns=true (default), both forward and
Hi Sam.
I agree.. the current behaviors seems to be excactly what is in the code
and in the documentation.
Never the less it is a change from earlier versions of Ubuntu and a
change that makes Ubuntu + Firefox work in a different way than MS
Windows + MSIE (negoiating different tickets), thus
Jesper Krogh jes...@krogh.cc writes:
Never the less it is a change from earlier versions of Ubuntu and a
change that makes Ubuntu + Firefox work in a different way than MS
Windows + MSIE (negoiating different tickets), thus breaking Single
Signon in typical Kerberos enabled environments.. our
Well, everything should work fine if you make your DNS consistent.
Honestly if I was going to make a behavior change here I'd have Firefox
call gss_import_name with a name type that does not involve resolution.
--Sam
--
krb5 prefers the reverse pointer no matter what for locating service
Sam Hartman hartm...@debian.org writes:
Well, everything should work fine if you make your DNS consistent.
Honestly if I was going to make a behavior change here I'd have Firefox
call gss_import_name with a name type that does not involve resolution.
The main place where you cannot make DNS
Jesper == Jesper Krogh jes...@krogh.cc writes:
Jesper Hi Russ. I cannot say anything about what other are
Jesper Would a patch that makes the behaviour configurable be
Jesper acceptable?
I think that this patch should be accepted only if upstream is
interested in the patch. Given
In terms of work arounds, if your KDC is an AD KDc, you can add the
final hostnames as ServicePrincipalName attributes on AD for the account
in question. That should make things work either for a Windows server
or for a 1.7+ MIT server.
If your KDC is Unix you can add principals for the final
I agree that it is a partial workaround.. it fixes the Ubuntu/Firefox + apache
combination.
But without changing the same thing for all the IIS servers it would still
render my Ubuntu/Firefox + IIS SSO broken.
Since I only administrate the Linux stuff, and the other side
genereally are very
24 matches
Mail list logo