Comment 21 for bug 571572

William (kc-cobradevil) wrote :

Quantal
Requesting sharepointsite.testdomain with Firefox with the following option set in about:config
network.negotiate-auth.trusted-uris "https://, http://"
klist
====================================================================================================
Default principal: <email address hidden>

Valid starting Expires Service principal
27/02/2013 08:35 27/02/2013 18:35 <email address hidden>
        renew until 28/02/2013 08:35
====================================================================================================

option rdns=false
klist
====================================================================================================
Default principal: <email address hidden>

Valid starting Expires Service principal
27/02/2013 08:35 27/02/2013 18:35 <email address hidden>
        renew until 28/02/2013 08:35
27/02/2013 08:37 27/02/2013 18:35 HTTP/searchsite.testdomain@
        renew until 28/02/2013 08:35
27/02/2013 08:37 27/02/2013 18:35 <email address hidden>
        renew until 28/02/2013 08:35
====================================================================================================
This results in a request for a ticket for the wrong name and no SSO.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Rebuilding Kerberos for Quantal
apt-get build-dep libkrb5-3
apt-get source libkrb5-3
edit src/lib/krb5/os/sn2princ.c
            //hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
            hints.ai_flags = AI_CANONNAME;

rebuild:
fakeroot debian/rules binary
dpkg -i ../libkrb5-3.........deb

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
retest Quantal
option rdns not set
Requesting sharepointsite.testdomain with Firefox with the following option set in about:config
network.negotiate-auth.trusted-uris "https://, http://"
klist
====================================================================================================
Default principal: <email address hidden>

Valid starting Expires Service principal
27/02/2013 08:53 27/02/2013 18:53 <email address hidden>
        renew until 28/02/2013 08:53
27/02/2013 08:54 27/02/2013 18:53 HTTP/searchsite.testdomain@
        renew until 28/02/2013 08:53
27/02/2013 08:54 27/02/2013 18:53 <email address hidden>
        renew until 28/02/2013 08:53

====================================================================================================

option rdns=false
klist
====================================================================================================
Default principal: <email address hidden>

Valid starting Expires Service principal
27/02/2013 08:59 27/02/2013 18:59 <email address hidden>
        renew until 28/02/2013 08:59
27/02/2013 09:00 27/02/2013 18:59 HTTP/sharepointsite.testdomain@
        renew until 28/02/2013 08:59
27/02/2013 09:00 27/02/2013 18:59 <email address hidden>
        renew until 28/02/2013 08:59
====================================================================================================

Now the setting rdns=false causes SSO to work.
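
Added example, not part of the comment above and not libkrb5 code: a small C diagnostic that prints the host name each combination of AI_ADDRCONFIG and reverse lookup yields for a given host, so the result can be compared with the service principal shown by klist. The helper name canon_host, and the assumption that rdns means a reverse lookup of the first returned address, belong to this example only.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>

/* canon_host() is a hypothetical helper for this example. It forward-resolves
 * `host` with AI_CANONNAME (plus AI_ADDRCONFIG when addrconfig != 0, the flag
 * the comment removes) and, when rdns != 0, replaces the result with the
 * reverse (PTR) name of the first address. Returns 0 or a getaddrinfo()
 * error code; `out` receives the name a principal HTTP/<name>@REALM would
 * be built from under these assumptions. */
int canon_host(const char *host, int addrconfig, int rdns,
               char *out, size_t len)
{
    struct addrinfo hints, *ai = NULL;
    char rev[1025];
    int err;

    memset(&hints, 0, sizeof(hints));
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_CANONNAME | (addrconfig ? AI_ADDRCONFIG : 0);
    err = getaddrinfo(host, NULL, &hints, &ai);
    if (err != 0)
        return err;
    /* ai_canonname follows CNAME records; fall back to the input name. */
    snprintf(out, len, "%s", ai->ai_canonname ? ai->ai_canonname : host);
    /* NI_NAMEREQD fails instead of returning a numeric address; on failure
     * the forward name is kept. */
    if (rdns && getnameinfo(ai->ai_addr, ai->ai_addrlen, rev, sizeof(rev),
                            NULL, 0, NI_NAMEREQD) == 0)
        snprintf(out, len, "%s", rev);
    freeaddrinfo(ai);
    return 0;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "localhost";
    char name[1025];

    for (int i = 0; i < 4; i++) {
        int err = canon_host(host, i & 1, i >> 1, name, sizeof(name));
        printf("AI_ADDRCONFIG=%d rdns=%d -> %s\n", i & 1, i >> 1,
               err ? gai_strerror(err) : name);
    }
    return 0;
}
```

Run it with the site name as the only argument; a line whose result differs from the name typed into the browser marks the setting under which the ticket request goes out for a different host.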