[Bug 874130] Re: Canonicalize fallback only works for different realm (MITKRB RT #6917)

Steve Beattie sbeattie at ubuntu.com
Wed Oct 19 01:52:39 UTC 2011 

Unfortunately, the version in oneiric-proposed was superceded by a
security update to krb5 (though the versioning of the proposed version
doesn't correctly reflect that) in USN 1233-1
http://www.ubuntu.com/usn/usn-1233-1/.

Attached is a debdiff against the version of krb5 in oneiric-security,
with a version that supercedes the current version in oneiric-proposed
(it also follows the debian krb maintainer's style of applying patches
inline while documenting them by placing a copy of the patch in
debian/patches).

Thanks, and my apologies that this occurred; the krb5 security update
was embargoed until today.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/874130

Title:
  Canonicalize fallback only works for different realm (MITKRB RT #6917)

Status in “krb5” package in Ubuntu:
  Triaged
Status in “krb5” source package in Oneiric:
  Fix Committed
Status in “krb5” source package in Precise:
  Triaged
Status in “krb5” package in Debian:
  Fix Released

Bug description:
  SRU justification:
   krb5 1.9.1 breaks interoperability with older KDCs.  If you have a Kerberos realm with one of these older KDCs that does not implement the "canonicalize" option, oneiric's will be unusable as a Kerberos client for this realm.

  See RedHat bugzilla:
  https://bugzilla.redhat.com/show_bug.cgi?id=713518.

  Quoting:
  Certain versions of the KDC software (included for example
  in Red Hat Enterprise Linux 2.1 and 3) reject requests,
  which include KDC options the software does not recognize,
  and do not support the "canonicalize" option. When a client
  was configured to use one of these versions of the KDC
  software, the client failed to obtain credentials for
  authentication to other services. This interoperability
  regression was introduced in the update to Red Hat
  Enterprise Linux 6.1. With this update, an upstream patch
  has been provided to fix this bug.

  I have applied the patch provided on this bugzilla page, and this
  fixed the problem.

  ProblemType: Bug
  DistroRelease: Ubuntu 11.10
  Package: libkrb5-3 1.9.1+dfsg-1ubuntu1
  ProcVersionSignature: Ubuntu 3.0.0-12.20-generic-pae 3.0.4
  Uname: Linux 3.0.0-12-generic-pae i686
  NonfreeKernelModules: nvidia
  ApportVersion: 1.23-0ubuntu3
  Architecture: i386
  Date: Fri Oct 14 15:56:20 2011
  InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release i386 (20110427.1)
  SourcePackage: krb5
  UpgradeStatus: Upgraded to oneiric on 2011-10-13 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/874130/+subscriptions

More information about the foundations-bugs mailing list