[Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.
William
571572 at bugs.launchpad.net
Tue Feb 26 21:52:22 UTC 2013
Hi Robie,
I'm also affected with this bug.
When rebuilding the source on quantal as described in comment: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/571572/comments/15 the sso to the problematic site disappears when setting rdns=false in krb5.conf.
But this is not the case for precise, there it only works when patching the source from comment 15 with the original post.
Precise fix:
What i did was getting the source package for precise and patched it with:
https://github.com/krb5/krb5/commit/57738b357e8b03bcb7af2f147c97cb84d0ce96e2
install package libkrb5-3 libgssapi
After adding the rdns=false i can now authenticate sso to iis sites that were previously failing.
when commenting this option out (which is default) default behaviour is restored and i still can authenticate to servers that were previously working with e.g. mod_auth_kerb on apache but failed on iis sites.
I will try to setup raring desktop to test if the bug does not exist there.
Will try also patched version for quantal and explain my findings inclusive tickets in my ticket cache and cname/ptr/a records to those servers which were failing but working with the above patch.
William van de Velde.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/571572
Title:
krb5 prefers the reverse pointer no matter what for locating service
tickets.
Status in “krb5” package in Ubuntu:
Confirmed
Bug description:
I'm trying to upgrade workstations to lucid an fails to access our
kerberos enabled websites. It reveals that the krb5 implementation in
lucid now tries to resolve the "reverse dns" and aquire a tikket for
<service>/<reverse dns> instead of <service>/<what the user typed in
the first place>.
The latter behavior is what the MS environment does and is what Ubuntu
has done (i think) until Lucid. A diff of the sourcecode from hardy
revealse that we now hint the getaddrinfo with AI_CANONNAME which it
didnt before.
Applying below patch enables the old behaviour.
--- krb5-1.8.1+dfsg/src/lib/krb5/os/sn2princ.c.orig 2010-04-29 09:04:11.401567914 +0200
+++ krb5-1.8.1+dfsg/src/lib/krb5/os/sn2princ.c 2010-04-29 09:04:21.762191834 +0200
@@ -112,7 +112,7 @@
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_INET;
- hints.ai_flags = AI_CANONNAME;
+// hints.ai_flags = AI_CANONNAME;
try_getaddrinfo_again:
err = getaddrinfo(hostname, 0, &hints, &ai);
if (err) {
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/571572/+subscriptions
More information about the foundations-bugs
mailing list