After failed auth, subsequent auths in same context fail

Bug #988520 reported by Russ Allbery
This bug affects 4 people
Affects          Status        Importance  Assigned to  Milestone
krb5 (Debian)    Fix Released  Unknown
krb5 (Ubuntu)    Fix Released  Medium      Unassigned
  Precise        Fix Released  Medium      Unassigned

Bug Description

SRU Justification

[Impact]

If an authentication fails after preauth was requested, all subsequent preauth-required authentications in the same Kerberos context will also fail. This breaks password change when credentials have expired, and also breaks try_first_pass functionality in Kerberos PAM modules.

[Development Fix]

New upstream release. Updated in Debian. Synced in Ubuntu. Verified fixed on Quantal using test case below.

[Stable Fix]

Upstream patch cherry-picked. Debdiff attached.

[Test Case]

testcase.sh attached.

[Regression Potential]

Low: a one-line upstream patch that adds a missing initialisation.

Original report by Russ Allbery:

MIT Kerberos 1.10 (including pre-releases and betas) exposed a bug in the tracking of preauth mechanisms such that, if an authentication fails after preauth was requested, all subsequent preauth-required authentications in the same Kerberos context will also fail.

This breaks password change when credentials have expired, and also breaks try_first_pass functionality in Kerberos PAM modules.

Upstream has fixed this problem in their mainline with commit 25822.

James Page (james-page) wrote :

Thanks for taking the time to report this bug in Ubuntu.

As 12.04 is running 1.10+dfsg~beta1 we will need to pick up this fix.

Fix: http://src.mit.edu/fisheye/changelog/krb5/?cs=25822

Upstream bug: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7119

Changed in krb5 (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
James Page (james-page) wrote :

Russ

In order to put this fix into Ubuntu 12.04 we will need a good test case to reproduce the issue.

Is this something you could provide?

Thanks

Changed in krb5 (Ubuntu):
status: Confirmed → Incomplete
Changed in krb5 (Debian):
status: Unknown → New
Russ Allbery (rra-debian) wrote :

I have a test case, but I'm not sure you'll particularly enjoy it, since it isn't in a neatly isolated form. But if you:

    git clone git://git.eyrie.org/kerberos/pam-krb5.git
    cd pam-krb5
    ./autogen
    ./configure

and then add the username and password of an account in a test Kerberos realm to tests/config/password following the instructions in tests/config/README, and then run:

    make check

you will find that the bad-authtok test fails as follows:

module/bad-authtok......FAILED 9-10, 13, 34-35, 41-49

This is how I found the problem originally.

The problem is not reproducible without having access to a Kerberos realm to use to test with, unfortunately, since you have to be able to try a failed and then successful authentication to see the problem.

Changed in krb5 (Debian):
status: New → Fix Committed
Changed in krb5 (Debian):
status: Fix Committed → Fix Released
Robie Basak (racb) wrote :

Russ: thanks for the test case! I've turned this into a script that doesn't depend on an existing Kerberos realm. But the script does rely on git.eyrie.org as the current Debian pam-krb5 doesn't appear to have the test that we need.

I've used the test case to verify that this bug is fixed if I build and install the latest Debian 1.10.1+dfsg-1 in Ubuntu by hand. Thus this bug will be fixed in the development release of Ubuntu as soon as we resync from Debian.

I've also prepared an SRU for precise, test built it, and tested both upgrade and fresh install using the test case.

Robie Basak (racb)
description: updated
Changed in krb5 (Ubuntu):
status: Incomplete → Triaged
Russ Allbery (rra-debian) wrote :

Oh, wow, great job with the test case. It wouldn't have occurred to me to just do that. (And yes, you have to use the Git version because I've been adding a ton of new tests compared to the latest full release.)

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "krb5.debdiff" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Robie Basak (racb) wrote :

Verified fixed on Quantal. Just need the SRU for Precise now. Note that the test script fails some other tests. This bug addresses the "module/bad-authtok" test only.

description: updated
Changed in krb5 (Ubuntu):
status: Triaged → Fix Released
Robie Basak (racb)
Changed in krb5 (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Medium
Brian Murray (brian-murray) wrote :

I've uploaded the debdiff to precise-proposed.

Brian Murray (brian-murray) wrote : Please test proposed package

Hello Russ, or anyone else affected,

Accepted krb5 into precise-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in krb5 (Ubuntu Precise):
status: Triaged → Fix Committed
tags: added: verification-needed
Robie Basak (racb) wrote :

The test case passes from -proposed. I've successfully tested both a fresh install and an upgrade with the test case I attached above.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package krb5 - 1.10+dfsg~beta1-2ubuntu0.1

---------------
krb5 (1.10+dfsg~beta1-2ubuntu0.1) precise-proposed; urgency=low

  * debian/patches/preauth-context.patch: fix preauth context initialisation
    (LP: #988520).
 -- Robie Basak <email address hidden> Tue, 15 May 2012 02:33:57 +0000

Changed in krb5 (Ubuntu Precise):
status: Fix Committed → Fix Released