[Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.

Nathan Rosenblum nater at maginatics.com
Mon Dec 23 22:41:19 UTC 2013 

[Replying from a duplicating issue:]

This affects any system using MIT's Kerberos in the 1.10 series prior to
1.10.2-final. To the best of my knowledge, no 1.11 series releases were
affected by this issue, and 1.9 remains affected. The upstream patch [1]
applies cleanly against the Ubuntu 12.04 krb5-1.10+dfsg~beta1 source
package, with which I've successfully built and deployed my own
packages.

I believe that all Ubuntu versions from Precise through Saucy are
affected, though maybe some of the later variants (I have only looked
into Precise) have a glibc that fixes the underlying issue. There is no
harm in applying both the workaround here and the glibc fix.

[1]
https://github.com/krb5/krb5/commit/57738b357e8b03bcb7af2f147c97cb84d0ce96e2

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/571572

Title:
  krb5 prefers the reverse pointer no matter what for locating service
  tickets.

Status in “krb5” package in Ubuntu:
  Confirmed

Bug description:
  I'm trying to upgrade workstations to lucid an fails to access our
  kerberos enabled websites. It reveals that the krb5 implementation in
  lucid now tries to resolve the "reverse dns" and aquire a tikket for
  <service>/<reverse dns> instead of <service>/<what the user typed in
  the first place>.

  The latter behavior is what the MS environment does and is what Ubuntu
  has done (i think) until Lucid. A diff of the sourcecode from hardy
  revealse that we now hint the getaddrinfo with AI_CANONNAME which it
  didnt before.

  Applying below patch enables the old behaviour.

  --- krb5-1.8.1+dfsg/src/lib/krb5/os/sn2princ.c.orig	2010-04-29 09:04:11.401567914 +0200
  +++ krb5-1.8.1+dfsg/src/lib/krb5/os/sn2princ.c	2010-04-29 09:04:21.762191834 +0200
  @@ -112,7 +112,7 @@
   
               memset(&hints, 0, sizeof(hints));
               hints.ai_family = AF_INET;
  -            hints.ai_flags = AI_CANONNAME;
  +//            hints.ai_flags = AI_CANONNAME;
           try_getaddrinfo_again:
               err = getaddrinfo(hostname, 0, &hints, &ai);
               if (err) {

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/571572/+subscriptions

More information about the foundations-bugs mailing list