[Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.
William
571572 at bugs.launchpad.net
Wed Feb 27 09:41:16 UTC 2013
Quantal
requesting sharepointsite.testdomain with firefox with the following option set in about:config
network.negotiate-auth.trusted-uris "https://, http://"
klist
====================================================================================================
Default principal: testuser at EXAMPLE.COM
Valid starting Expires Service principal
27/02/2013 08:35 27/02/2013 18:35 krbtgt/EXAMPLE.COM at EXAMPLE.COM
renew until 28/02/2013 08:35
====================================================================================================
option rdns=false
klist
====================================================================================================
Default principal: testuser at EXAMPLE.COM
Valid starting Expires Service principal
27/02/2013 08:35 27/02/2013 18:35 krbtgt/EXAMPLE.COM at EXAMPLE.COM
renew until 28/02/2013 08:35
27/02/2013 08:37 27/02/2013 18:35 HTTP/searchsite.testdomain@
renew until 28/02/2013 08:35
27/02/2013 08:37 27/02/2013 18:35 HTTP/searchsite.testdomain at EXAMPLE.COM
renew until 28/02/2013 08:35
====================================================================================================
This results in a request for a ticket for the wrong name and no SSO.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Rebuilding Kerberos for Quantal
apt-get build-dep libkrb5-3
apt-get source libkrb5-3
edit src/lib/krb5/os/sn2princ.c
//hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
hints.ai_flags = AI_CANONNAME;
rebuild:
fakeroot debian/rules binary
dpkg -i ../libkrb5-3.........deb
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
retest Quantal
option rdns not set
requesting sharepointsite.testdomain with firefox with the following option set in about:config
network.negotiate-auth.trusted-uris "https://, http://"
klist
====================================================================================================
Default principal: testuser at EXAMPLE.COM
Valid starting Expires Service principal
27/02/2013 08:53 27/02/2013 18:53 krbtgt/EXAMPLE.COM at EXAMPLE.COM
renew until 28/02/2013 08:53
27/02/2013 08:54 27/02/2013 18:53 HTTP/searchsite.testdomain@
renew until 28/02/2013 08:53
27/02/2013 08:54 27/02/2013 18:53 HTTP/searchsite.testdomain at EXAMPLE.COM
renew until 28/02/2013 08:53
====================================================================================================
option rdns=false
klist
====================================================================================================
Default principal: testuser at EXAMPLE.COM
Valid starting Expires Service principal
27/02/2013 08:59 27/02/2013 18:59 krbtgt/EXAMPLE.COM at EXAMPLE.COM
renew until 28/02/2013 08:59
27/02/2013 09:00 27/02/2013 18:59 HTTP/sharepointsite.testdomain@
renew until 28/02/2013 08:59
27/02/2013 09:00 27/02/2013 18:59 HTTP/sharepointsite.testdomain at EXAMPLE.COM
renew until 28/02/2013 08:59
====================================================================================================
Now the setting rdns=false causes SSO to work.
--
https://bugs.launchpad.net/bugs/571572
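A check for the symptom visible in the klist listings above, as an added example that is not part of the original report or of krb5: it parses klist output and reports whether the cache holds a service ticket for the host name the client actually requested. The sample output is constructed from the listings in the report, and the function names are hypothetical; it assumes a fresh ticket cache, so any other HTTP host in it comes from name canonicalisation.

```python
import re

# Constructed sample, shaped like the second listing in the report
# (real klist prints '@' where the list archive shows ' at ').
SAMPLE_KLIST = """\
Default principal: testuser@EXAMPLE.COM

Valid starting     Expires            Service principal
27/02/2013 08:35  27/02/2013 18:35  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 28/02/2013 08:35
27/02/2013 08:37  27/02/2013 18:35  HTTP/searchsite.testdomain@
        renew until 28/02/2013 08:35
27/02/2013 08:37  27/02/2013 18:35  HTTP/searchsite.testdomain@EXAMPLE.COM
        renew until 28/02/2013 08:35
"""

# service/host followed by '@REALM' (realm may be empty) at end of line.
PRINCIPAL = re.compile(
    r"(?P<svc>[^\s/@]+)/(?P<host>[^\s/@]+)(?:@| at )(?P<realm>\S*)\s*$"
)


def service_hosts(klist_text, service="HTTP"):
    """Hosts (lower-cased) that have a <service>/host ticket in the cache."""
    hosts = set()
    for line in klist_text.splitlines():
        m = PRINCIPAL.search(line)
        if m and m.group("svc").upper() == service.upper():
            hosts.add(m.group("host").lower())
    return hosts


def check_requested_host(klist_text, requested_host, service="HTTP"):
    """Compare cached service tickets with the name the client asked for.

    Returns (status, hosts): 'ok' if a ticket matches the requested name,
    'mismatch' if tickets exist only for other names, 'none' otherwise.
    """
    hosts = service_hosts(klist_text, service)
    wanted = requested_host.lower().rstrip(".")
    if wanted in hosts:
        return "ok", sorted(hosts)
    return ("mismatch" if hosts else "none"), sorted(hosts)


if __name__ == "__main__":
    print(check_requested_host(SAMPLE_KLIST, "sharepointsite.testdomain"))
```

A 'mismatch' result for the requested host corresponds to the failing case in the report, where the ticket was issued for a different name than the one typed into the browser.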