Feature request - Enable Kerberos keytab handling

Bug #179440 reported by Karoly Molnar
This bug affects 1 person

Affects: libnss-ldap (Ubuntu) | Status: Triaged | Importance: Wishlist | Assigned to: Unassigned | Milestone: (none)

Bug Description

Binary package hint: libnss-ldap

Dear Maintainers,

I'd like to request that the --enable-configurable-krb5-keytab compiler flag be included in the libnss-ldap package for the upcoming Hardy release. This feature makes it easier and more secure to set up a Kerberos- and LDAP-based Single Sign On solution.

With the already enabled functionality (the --enable-configurable-krb5-ccname-gssapi compiler flag), one needs to set up a cron job which initializes and keeps open a Kerberos session that is later used by the nss library. With the above-mentioned new flag, one can simply specify a Kerberos keytab file, which will then be used by the library itself to initialize and maintain the Kerberos session. It also makes the system more secure, since there is no Kerberos credentials (ticket) cache file on the file system; it is stored in memory instead.

If needed I can provide more information on the topic.

Thank you,
Karoly Molnar
Engineering Lead
Free Open Source Solutions Inc.

Karoly Molnar (karoly-molnar) wrote:

Hi,

I recompiled the package with the above-mentioned flag in my PPA: https://launchpad.net/~karoly-molnar/+archive

I'll test it and report,
Karoly

Karoly Molnar (karoly-molnar) wrote:

The upstream code is broken.

Bug description:
The code that checks the keytab file is not handling the output of the krb5_kt_get_name function call properly. The developer expected only the file name in the output, as is the case with the krb5_cc_get_name function. However, the output of this function is "<prefix>:<name of the key table>", hence the next function call, which checks that the file is accessible with the given UID and GID, fails miserably.

I created a patch, and with it everything works as expected. The package is updated on my PPA and will be undergoing heavy testing soon.

Next task is to push the fix upstream.
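As an added illustration of the mismatch described above (this is example code, not the reporter's patch or nss_ldap's own source), the C snippet below splits a keytab name of the form "<prefix>:<name>" into its type and path before checking the file, so the accessibility check no longer receives the raw "FILE:/..." string. keytab_path_from_name and keytab_file_usable are hypothetical names, and the uid/gid arguments stand in for nss_ldap's configured credentials.

```c
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical helper (not nss_ldap code): return the path part of a keytab
 * name in the form krb5_kt_get_name() reports it, "<prefix>:<name>".
 * A name with no prefix is treated as a bare file path, which is the form
 * the original nss_ldap check assumed.  Returns NULL when the keytab is not
 * file-backed (MEMORY:, KEYRING:, ...) or the name is empty. */
const char *keytab_path_from_name(const char *ktname)
{
    const char *colon;
    size_t plen;

    if (ktname == NULL || *ktname == '\0')
        return NULL;

    colon = strchr(ktname, ':');
    if (colon == NULL)
        return ktname;                 /* no prefix: bare file path */

    plen = (size_t)(colon - ktname);
    /* Only file-backed keytab types have a path that can be stat()ed. */
    if ((plen == 4 && strncmp(ktname, "FILE", 4) == 0) ||
        (plen == 6 && strncmp(ktname, "WRFILE", 6) == 0))
        return colon + 1;

    return NULL;
}

/* Hypothetical accessibility check mirroring the one the report describes:
 * is the keytab a regular file readable by the given uid/gid?  Passing the
 * raw "FILE:/etc/krb5.keytab" string to stat() is what broke upstream. */
int keytab_file_usable(const char *ktname, uid_t uid, gid_t gid)
{
    const char *path = keytab_path_from_name(ktname);
    struct stat st;

    if (path == NULL || *path == '\0')
        return 0;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid == uid && (st.st_mode & S_IRUSR))
        return 1;
    if (st.st_gid == gid && (st.st_mode & S_IRGRP))
        return 1;
    return (st.st_mode & S_IROTH) != 0;
}
```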

Karoly Molnar (karoly-molnar) wrote:

Bug is reported to padl.com's bugzilla:
http://bugzilla.padl.com/show_bug.cgi?id=368

Chuck Short (zulcss) wrote:

Thanks for the bug report. We might be able to add this option in karmic+1.

Regards
chuck

Changed in libnss-ldap (Ubuntu):
importance: Undecided → Wishlist
status: New → Triaged

Karoly Molnar (karoly-molnar) wrote:

I had a word with the developer approximately 6 months ago; they fixed the bug, and the Kerberos keytab handling is fully supported. It can be enabled only by adding a compiler option; there's no need for patching.

Thanks,
Karoly
