[Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.

William 571572 at bugs.launchpad.net
Tue Feb 26 21:52:22 UTC 2013


Hi Robie,

I'm also affected by this bug.
When rebuilding the source on quantal as described in comment https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/571572/comments/15, the SSO issue with the problematic site disappears when setting rdns=false in krb5.conf.
But this is not the case for precise; there it only works when patching the source from comment 15 together with the original post.

Precise fix:
What I did was get the source package for precise and patch it with:
https://github.com/krb5/krb5/commit/57738b357e8b03bcb7af2f147c97cb84d0ce96e2
then install the packages libkrb5-3 and libgssapi.
After adding rdns=false I can now authenticate via SSO to IIS sites that were previously failing.
When commenting this option out (which is the default), the default behaviour is restored and I can still authenticate to servers that were previously working with e.g. mod_auth_kerb on Apache but failed on IIS sites.

I will try to set up a raring desktop to test whether the bug exists there.
I will also try the patched version for quantal and explain my findings, including the tickets in my ticket cache and the CNAME/PTR/A records for those servers which were failing but work with the above patch.

William van de Velde.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/571572

Title:
  krb5 prefers the reverse pointer no matter what for locating service
  tickets.

Status in “krb5” package in Ubuntu:
  Confirmed

Bug description:
  I'm trying to upgrade workstations to lucid and it fails to access our
  Kerberos-enabled websites. It turns out that the krb5 implementation in
  lucid now tries to resolve the "reverse DNS" and acquire a ticket for
  <service>/<reverse dns> instead of <service>/<what the user typed in
  the first place>.

  The latter behavior is what the MS environment does and is what Ubuntu
  has done (I think) until Lucid. A diff of the source code from hardy
  reveals that we now hint getaddrinfo with AI_CANONNAME, which it
  didn't before.

  Applying the patch below restores the old behaviour.

  --- krb5-1.8.1+dfsg/src/lib/krb5/os/sn2princ.c.orig	2010-04-29 09:04:11.401567914 +0200
  +++ krb5-1.8.1+dfsg/src/lib/krb5/os/sn2princ.c	2010-04-29 09:04:21.762191834 +0200
  @@ -112,7 +112,7 @@
   
               memset(&hints, 0, sizeof(hints));
               hints.ai_family = AF_INET;
  -            hints.ai_flags = AI_CANONNAME;
  +//            hints.ai_flags = AI_CANONNAME;
           try_getaddrinfo_again:
               err = getaddrinfo(hostname, 0, &hints, &ai);
               if (err) {
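Review bot: Commenting out `hints.ai_flags = AI_CANONNAME;` with `//` hard-codes the behaviour change for every caller of this function; since the flag's only effect is to fill in `ai_canonname`, the typed hostname is then used verbatim, which also drops forward canonicalization of short names and CNAME aliases, not only the reverse-DNS step the bug title complains about. Suggest making the canonicalization conditional on a configuration setting (the rdns option referenced earlier in the thread) rather than removing it unconditionally, and deleting the dead line instead of leaving commented-out code in the file. Note that `hints.ai_flags` is already zero from the `memset(&hints, 0, sizeof(hints));` two lines above, so the removed assignment needs no replacement.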

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/571572/+subscriptions
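To make the two lookups discussed in this bug concrete, here is an added example that is not part of the bug report, the mailing list post or krb5 itself. It is a simplified, offline model of how a Kerberos client turns a typed hostname into the service principal name (SPN) it asks the KDC for: forward canonicalization (what getaddrinfo does with AI_CANONNAME) followed by a reverse PTR lookup (what the rdns setting controls). The resolver, zone data, hostnames, IP address and SPN list are constructed for the example; the real logic lives in src/lib/krb5/os/sn2princ.c and differs in detail from this model.

```python
"""Constructed model (not krb5's own code) of SPN derivation from a hostname.

Two decisions are modelled:
  canonicalize - use the forward canonical name (getaddrinfo + AI_CANONNAME)
  rdns         - replace it with the PTR name of the resolved address
"""
from dataclasses import dataclass, field


@dataclass
class FakeResolver:
    """Constructed DNS zone data standing in for getaddrinfo/getnameinfo."""
    cname: dict = field(default_factory=dict)  # alias -> target name
    a: dict = field(default_factory=dict)      # name -> IPv4 address
    ptr: dict = field(default_factory=dict)    # IPv4 address -> PTR name

    def canonical_name(self, host):
        # Follow the CNAME chain, as AI_CANONNAME reports in ai_canonname.
        seen = set()
        while host in self.cname:
            if host in seen:
                raise ValueError(f"CNAME loop for {host}")
            seen.add(host)
            host = self.cname[host]
        return host

    def forward(self, host):
        # Forward lookup; raises where a real getaddrinfo would fail.
        canon = self.canonical_name(host)
        if canon not in self.a:
            raise LookupError(f"no A record for {host}")
        return canon, self.a[canon]

    def reverse(self, ip):
        # PTR lookup with NI_NAMEREQD semantics: None when no PTR exists.
        return self.ptr.get(ip)


def service_principal(service, hostname, realm, resolver,
                      canonicalize=True, rdns=True):
    """Return the SPN the client would request for service@hostname.

    canonicalize=False models the patch in the bug (no AI_CANONNAME): the
    name is used as typed.  rdns=False models rdns = false in krb5.conf:
    the forward canonical name is kept instead of the PTR name.
    """
    name = hostname
    if canonicalize:
        canon, ip = resolver.forward(hostname)
        name = canon
        if rdns:
            ptr_name = resolver.reverse(ip)
            if ptr_name is not None:
                name = ptr_name
    return f"{service}/{name.rstrip('.').lower()}@{realm}"


def ticket_will_be_accepted(requested_spn, registered_spns):
    """A service only decrypts tickets issued for SPNs it holds keys for."""
    return requested_spn.lower() in {s.lower() for s in registered_spns}


# Constructed scenario: the intranet alias is a CNAME to one web server whose
# address has a PTR record naming a farm node, so the reverse name matches
# none of the SPNs registered on the service account.
ZONE = FakeResolver(
    cname={"intranet.example.com": "web01.example.com"},
    a={"web01.example.com": "192.0.2.10"},
    ptr={"192.0.2.10": "farm-node-a.example.com"},
)
REALM = "EXAMPLE.COM"
IIS_SPNS = ["HTTP/intranet.example.com@EXAMPLE.COM",
            "HTTP/web01.example.com@EXAMPLE.COM"]


def outcomes():
    """Map each setting combination to (requested SPN, accepted?)."""
    result = {}
    for label, kw in [("default (canonicalize+rdns)", {}),
                      ("rdns=false", {"rdns": False}),
                      ("patched (no AI_CANONNAME)", {"canonicalize": False})]:
        spn = service_principal("HTTP", "intranet.example.com", REALM, ZONE, **kw)
        result[label] = (spn, ticket_will_be_accepted(spn, IIS_SPNS))
    return result


if __name__ == "__main__":
    for label, (spn, ok) in outcomes().items():
        print(f"{label:<28} -> {spn:<44} {'OK' if ok else 'REJECTED'}")
```

Running it shows the default path requesting HTTP/farm-node-a.example.com, which the service cannot decrypt, while rdns=false yields the forward canonical name and the AI_CANONNAME-less variant yields the name as typed. The same comparison is a cheap diagnostic in practice: list the tickets in the credential cache after a failed SSO attempt and check whether the host part of the HTTP/ SPN matches a name the service actually has keys for.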
