Canonicalize fallback only works for different realm (MITKRB RT #6917)

Bug #874130 reported by Ivan Razumov
This bug affects 7 people
Affects           Status         Importance   Assigned to      Milestone
krb5 (Debian)     Fix Released   Unknown
krb5 (Ubuntu)     Fix Released   High         Unassigned
  Oneiric         Fix Released   High         Steve Langasek
  Precise         Fix Released   High         Unassigned

Bug Description

SRU justification:
krb5 1.9.1 breaks interoperability with older KDCs. If you have a Kerberos realm with one of these older KDCs that does not implement the "canonicalize" option, oneiric will be unusable as a Kerberos client for this realm.

See RedHat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=713518.

Quoting:
Certain versions of the KDC software (included for example
in Red Hat Enterprise Linux 2.1 and 3) reject requests,
which include KDC options the software does not recognize,
and do not support the "canonicalize" option. When a client
was configured to use one of these versions of the KDC
software, the client failed to obtain credentials for
authentication to other services. This interoperability
regression was introduced in the update to Red Hat
Enterprise Linux 6.1. With this update, an upstream patch
has been provided to fix this bug.

I have applied the patch provided on this bugzilla page, and this fixed the problem.

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: libkrb5-3 1.9.1+dfsg-1ubuntu1
ProcVersionSignature: Ubuntu 3.0.0-12.20-generic-pae 3.0.4
Uname: Linux 3.0.0-12-generic-pae i686
NonfreeKernelModules: nvidia
ApportVersion: 1.23-0ubuntu3
Architecture: i386
Date: Fri Oct 14 15:56:20 2011
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release i386 (20110427.1)
SourcePackage: krb5
UpgradeStatus: Upgraded to oneiric on 2011-10-13 (0 days ago)
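
The failure mode in the description above, as a toy model added here for illustration (it is not the krb5 patch and not code from this report): a client that sends "canonicalize" first and retries without it only when the service is in another realm, next to one that also retries in the same realm. The function names, realm names and the two option masks marked "constructed" are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define KDC_OPT_CANONICALIZE 0x00010000u /* "canonicalize" KDC option bit */
#define KDC_ERR_BADOPTION    13          /* RFC 4120: option not accommodated */
#define LEGACY_KNOWN_OPTS    0x50800000u /* constructed: bits the toy old KDC knows */
#define BASE_OPTS            0x40800000u /* constructed: forwardable | renewable */

typedef int (*kdc_fn)(unsigned opts);    /* returns 0 or a KDC error code */

/* Toy older KDC: rejects any request carrying an option it does not recognize. */
int legacy_kdc(unsigned opts) { return (opts & ~LEGACY_KNOWN_OPTS) ? KDC_ERR_BADOPTION : 0; }

/* Toy current KDC: accepts the canonicalize option. */
int modern_kdc(unsigned opts) { (void)opts; return 0; }

/* Toy client. same_realm_fallback=false models the regression (retry only
 * when the service is in another realm); true models the fixed behaviour.
 * *sent receives the number of requests issued. */
int get_service_ticket(kdc_fn kdc, const char *client_realm,
                       const char *server_realm, bool same_realm_fallback,
                       int *sent)
{
    int rc = kdc(BASE_OPTS | KDC_OPT_CANONICALIZE);
    *sent = 1;
    if (rc == 0)
        return 0;
    bool cross_realm = strcmp(client_realm, server_realm) != 0;
    if (!cross_realm && !same_realm_fallback)
        return rc;                       /* regression: no retry, client unusable */
    *sent = 2;
    return kdc(BASE_OPTS);               /* retry without "canonicalize" */
}

int main(void)
{
    int sent;
    int rc = get_service_ticket(legacy_kdc, "EXAMPLE.ORG", "EXAMPLE.ORG", false, &sent);
    printf("regressed, same realm:  rc=%d after %d request(s)\n", rc, sent);
    rc = get_service_ticket(legacy_kdc, "EXAMPLE.ORG", "EXAMPLE.ORG", true, &sent);
    printf("fixed, same realm:      rc=%d after %d request(s)\n", rc, sent);
    rc = get_service_ticket(legacy_kdc, "EXAMPLE.ORG", "OTHER.EXAMPLE", false, &sent);
    printf("regressed, cross realm: rc=%d after %d request(s)\n", rc, sent);
    return 0;
}
```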

Ivan Razumov (iarspider) wrote :
description: updated
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Patch to re-enable same-realm fallback for canonicalize errors" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch, you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of ubuntu-sponsors, please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Ivan Razumov (iarspider) wrote :

It appears that the patch has also been put into the upstream Debian libkrb5-3 package (libkrb5-3_1.9.1+dfsg-3) from the unstable branch but hasn't been picked up by Ubuntu.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in krb5 (Ubuntu):
status: New → Confirmed
Steve Langasek (vorlon) wrote :

For precise, this should be fixed in short order by merging the latest Debian version.

Changed in krb5 (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → High
Changed in krb5 (Ubuntu Oneiric):
status: New → Triaged
importance: Undecided → High
Changed in krb5 (Debian):
status: Unknown → Fix Released
Steve Langasek (vorlon)
Changed in krb5 (Ubuntu Oneiric):
status: Triaged → In Progress
assignee: nobody → Steve Langasek (vorlon)
description: updated
Martin Pitt (pitti) wrote : Please test proposed package

Hello Ivan, or anyone else affected,

Accepted krb5 into oneiric-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in krb5 (Ubuntu Oneiric):
status: In Progress → Fix Committed
tags: added: verification-needed
Ivan Razumov (iarspider) wrote :

I confirm the fix.

Steve Langasek (vorlon)
tags: added: verification-done
removed: verification-needed
Steve Beattie (sbeattie) wrote :

Unfortunately, the version in oneiric-proposed was superseded by a security update to krb5 (though the versioning of the proposed version doesn't correctly reflect that) in USN 1233-1 http://www.ubuntu.com/usn/usn-1233-1/.

Attached is a debdiff against the version of krb5 in oneiric-security, with a version that supersedes the current version in oneiric-proposed (it also follows the Debian krb maintainer's style of applying patches inline while documenting them by placing a copy of the patch in debian/patches).

Thanks, and my apologies that this occurred; the krb5 security update was embargoed until today.

Steve Langasek (vorlon) wrote :

krb5 1ubuntu2.1 reuploaded.

Changed in krb5 (Ubuntu Oneiric):
status: Fix Committed → In Progress
Martin Pitt (pitti) wrote :

Hello Ivan, or anyone else affected,

Accepted krb5 into oneiric-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in krb5 (Ubuntu Oneiric):
status: In Progress → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
Ivan Razumov (iarspider) wrote :

Fix confirmed (for my minimal needs, at least)

Steve Langasek (vorlon)
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package krb5 - 1.9.1+dfsg-1ubuntu2.1

---------------
krb5 (1.9.1+dfsg-1ubuntu2.1) oneiric-proposed; urgency=low

  * src/lib/krb5/krb/get_creds.c: cherry pick an upstream fix to allow
    clients to work against older versions of KDCs that don't support the
    "canonicalize" option. LP: #874130.
 -- Steve Langasek <email address hidden> Tue, 18 Oct 2011 18:40:10 -0700

Changed in krb5 (Ubuntu Precise):
status: Triaged → Fix Released
Steve Langasek (vorlon) wrote :

copied to precise.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package krb5 - 1.9.1+dfsg-1ubuntu2.1

---------------
krb5 (1.9.1+dfsg-1ubuntu2.1) oneiric-proposed; urgency=low

  * src/lib/krb5/krb/get_creds.c: cherry pick an upstream fix to allow
    clients to work against older versions of KDCs that don't support the
    "canonicalize" option. LP: #874130.
 -- Steve Langasek <email address hidden> Tue, 18 Oct 2011 18:40:10 -0700

Changed in krb5 (Ubuntu Oneiric):
status: Fix Committed → Fix Released