Invalid cache file created when canoning principals during krb5_get_init_creds_keytab()

the upstream patch can't be backported as is, since it caused https://fedorahosted.org/sssd/ticket/1330

so that one needs to be fixed first

I've pulled the three commits for this, waiting in git.

This bug was fixed in the package sssd - 1.8.3-0ubuntu1

---------------
sssd (1.8.3-0ubuntu1) quantal; urgency=low

  * Merge from Debian git, remaining changes:
    - control, rules: Drop libsemanage-dev from build-depends, it's not
      in main. Configure --with-semanage=no.

sssd (1.8.3-1) UNRELEASED; urgency=low

  * New upstream bugfix release 1.8.2.
    - Several fixes to case-insensitive domain functions
    - Fix for GSSAPI binds when the keytab contains unrelated
      principals
    - Fixed several segfaults
    - Workarounds added for LDAP servers with unreadable RootDSE
    - SSH knownhostproxy will no longer enter an infinite loop
      preventing login
    - The provided SYSV init script now starts SSSD earlier at startup
      and stops it later during shutdown
    - Assorted minor fixes for issues discovered by static analysis
      tools
  * New upstream bugfix release 1.8.3.
    - Numerous manpage and translation updates
    - LDAP: Handle situations where the RootDSE isn't available anonymously
    - LDAP: Fix regression for users using non-standard LDAP attributes for
      user information
  * control: Move the dependency of libsasl2-modules-gssapi-mit to
    Recommends.
  * control: sssd works with Heimdal gssapi modules too, add
    libsasl2-modules-gssapi-mit as an option for the Recommends.
    (LP: #966146)
  * libpam-sss.pam-auth-update:
    - Drop the dependency to 128, since pam_sss should always be below
      pam_unix. (LP: #957486)
    - Drop 'use_authtok' from the password stack, since it only works when
      pam_cracklib is installed. This will allow password changes on the
      default install.
  * sssd.postrm: Try to remove /etc/sssd only if it exists.
    (Closes: #666226)
  * Add disabled by default Apparmor profile (LP: #933342)
    - debian/sssd.upstart.in: load the profile during pre-start
    - add debian/apparmor-profile, install to /etc/apparmor.d
    - debian/rules: use dh_apparmor to install profile before sssd is
      restarted
    - debian/control: sssd Suggests apparmor (>= 2.3)
    - debian/control: Add dh-apparmor to build-depends
    - debian/sssd.preinst: disable profile on clean install or upgrades
      from earlier than when we shipped the profile
  * rules: Mangle the date stamp on pam_sss.8 so that the compressed file is
    identical across all archs. (Closes: #670019)
  * control: Add build-depends on libnl-dev to enable Netlink support.
  * control: Add build-depends on libkeyutil-dev to enable support for
    kernel keyring manipulation.
  * sssd.logrotate: Rotate logs weekly, keep four previous rotations.
    (Closes: #672984)
  * Pull patches from the stable branch to fix an issue that results in broken
    credential cache (LP: #985031)
    - patches/fix-upstream-1298.diff
      If canon'ing principals, write ccache with updated default principal
    - patches/fix-upstream-1297.diff
      Limit krb5_get_init_creds_keytab() to etypes in keytab
    - patches/fix-upstream-1330.diff
      KRB5: Avoid NULL-dereference with empty keytab
  * patches/fix-upstream-1343.diff
    - LDAP nested groups: Do not process callback with _post deep in the nested
      structure (LP: #981125)
...

keeping open for precise for a SRU

Uploaded a new package for precise to https://launchpad.net/~sssd/+archive/updates

please test, it'll get SRU'd next.

Hello Mark, or anyone else affected,

Accepted sssd into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/sssd/1.8.6-0ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

This bug was fixed in the package sssd - 1.8.6-0ubuntu0.2

---------------
sssd (1.8.6-0ubuntu0.2) precise-proposed; urgency=low

  * rules: Really install the new pam-auth-update file for password
    changes. (LP: #1086272)
  * rules: Pass --datadir, so the path in autogenerated python files is
    correctly substituted. (LP: #1079938)