[Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.
Nathan Rosenblum
nater at maginatics.com
Mon Dec 23 22:41:19 UTC 2013
[Replying from a duplicating issue:]
This affects any system using MIT's Kerberos in the 1.10 series prior to
1.10.2-final. To the best of my knowledge, no 1.11 series releases were
affected by this issue, and 1.9 remains affected. The upstream patch [1]
applies cleanly against the Ubuntu 12.04 krb5-1.10+dfsg~beta1 source
package, with which I've successfully built and deployed my own
packages.
I believe that all Ubuntu versions from Precise through Saucy are
affected, though maybe some of the later variants (I have only looked
into Precise) have a glibc that fixes the underlying issue. There is no
harm in applying both the workaround here and the glibc fix.
[1] https://github.com/krb5/krb5/commit/57738b357e8b03bcb7af2f147c97cb84d0ce96e2
--
https://bugs.launchpad.net/bugs/571572
Title:
krb5 prefers the reverse pointer no matter what for locating service
tickets.
Status in “krb5” package in Ubuntu:
Confirmed
Bug description:
I'm trying to upgrade workstations to Lucid and it fails to access our
Kerberos-enabled websites. It reveals that the krb5 implementation in
Lucid now tries to resolve the "reverse DNS" and acquire a ticket for
<service>/<reverse dns> instead of <service>/<what the user typed in
the first place>.
The latter behavior is what the MS environment does and is what Ubuntu
has done (I think) until Lucid. A diff of the source code from Hardy
reveals that we now hint the getaddrinfo with AI_CANONNAME, which it
didn't before.
Applying the patch below enables the old behaviour.
--- krb5-1.8.1+dfsg/src/lib/krb5/os/sn2princ.c.orig 2010-04-29 09:04:11.401567914 +0200
+++ krb5-1.8.1+dfsg/src/lib/krb5/os/sn2princ.c 2010-04-29 09:04:21.762191834 +0200
@@ -112,7 +112,7 @@
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_INET;
- hints.ai_flags = AI_CANONNAME;
+// hints.ai_flags = AI_CANONNAME;
try_getaddrinfo_again:
err = getaddrinfo(hostname, 0, &hints, &ai);
if (err) {
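Review bot: the `+// hints.ai_flags = AI_CANONNAME;` line switches the flag off by commenting it out with a C++-style `//` comment in a C file, which leaves dead code behind and disables canonicalization unconditionally for every caller of this function. Delete the line outright (the `memset(&hints, 0, sizeof(hints))` just above already leaves `ai_flags` at 0), and preferably gate the flag on a configuration setting so that sites which depend on the canonical name for the service principal keep that behaviour. Without AI_CANONNAME, getaddrinfo() does not fill in `ai_canonname`, so any code after this hunk that reads it has to handle a NULL value.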