Activity log for bug #985031

Date Who What changed Old value New value Message
2012-04-18 16:03:20 Mark Russell bug added bug
2012-04-18 16:06:16 Mark Russell description Known upstream bug, see: https://bugzilla.redhat.com/show_bug.cgi?id=811518 Quoting from the upstream description: "If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks krb5_get_init_creds_keytab() to canonicalize principals. This can change the client principal. When writing out the credential cache, we should use this changed principal, and not the original one. Failure to do this results in errors when LDAP tries to use the credential cache." In our case, setting "krb5_canonicalize = false" in sssd.conf solved the issue, but according to `man 5 sssd-krb5` it should be false by default: "krb5_canonicalize (boolean) Specifies if the host and user principal should be canonicalized. This feature is available with MIT Kerberos >= 1.7 Default: false" Known upstream bug, see: https://bugzilla.redhat.com/show_bug.cgi?id=811518 Quoting from the upstream description: "If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks krb5_get_init_creds_keytab() to canonicalize principals. This can change the client principal. When writing out the credential cache, we should use this changed principal, and not the original one. Failure to do this results in errors when LDAP tries to use the credential cache." In our case, setting "krb5_canonicalize = false" in sssd.conf solved the issue, but according to `man 5 sssd-krb5` it should be false by default: "krb5_canonicalize (boolean)            Specifies if the host and user principal should be canonicalized. This feature is available with MIT Kerberos >= 1.7            Default: false"
2012-04-18 16:07:33 Mark Russell bug added subscriber Jason Sharp
2012-04-18 16:12:37 Mark Russell description Known upstream bug, see: https://bugzilla.redhat.com/show_bug.cgi?id=811518 Quoting from the upstream description: "If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks krb5_get_init_creds_keytab() to canonicalize principals. This can change the client principal. When writing out the credential cache, we should use this changed principal, and not the original one. Failure to do this results in errors when LDAP tries to use the credential cache." In our case, setting "krb5_canonicalize = false" in sssd.conf solved the issue, but according to `man 5 sssd-krb5` it should be false by default: "krb5_canonicalize (boolean)            Specifies if the host and user principal should be canonicalized. This feature is available with MIT Kerberos >= 1.7            Default: false" Known upstream bug, see: https://bugzilla.redhat.com/show_bug.cgi?id=811518 Quoting from the upstream description: "If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks krb5_get_init_creds_keytab() to canonicalize principals. This can change the client principal. When writing out the credential cache, we should use this changed principal, and not the original one. Failure to do this results in errors when LDAP tries to use the credential cache." In our case, setting "krb5_canonicalize = false" in sssd.conf worked around the issue, but according to `man 5 sssd-krb5` it should be false by default: "krb5_canonicalize (boolean)            Specifies if the host and user principal should be canonicalized. This            feature is available with MIT Kerberos >= 1.7            Default: false"
2012-05-21 13:45:27 Timo Aaltonen bug watch added https://fedorahosted.org/sssd/ticket/1330
2012-05-21 13:45:27 Timo Aaltonen sssd (Ubuntu): importance Undecided High
2012-05-21 13:45:27 Timo Aaltonen sssd (Ubuntu): status New Triaged
2012-05-23 12:13:14 Timo Aaltonen sssd (Ubuntu): status Triaged Fix Committed
2012-05-24 11:25:35 Launchpad Janitor sssd (Ubuntu): status Fix Committed Fix Released
2012-05-24 12:22:30 Timo Aaltonen nominated for series Ubuntu Precise
2012-05-24 12:22:30 Timo Aaltonen bug task added sssd (Ubuntu Precise)
2012-05-24 12:23:04 Timo Aaltonen sssd (Ubuntu Precise): importance Undecided High
2012-05-24 12:23:04 Timo Aaltonen sssd (Ubuntu Precise): status New Triaged
2012-10-30 23:28:37 Timo Aaltonen sssd (Ubuntu Precise): status Triaged Incomplete
2012-12-04 08:40:18 Timo Aaltonen description Known upstream bug, see: https://bugzilla.redhat.com/show_bug.cgi?id=811518 Quoting from the upstream description: "If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks krb5_get_init_creds_keytab() to canonicalize principals. This can change the client principal. When writing out the credential cache, we should use this changed principal, and not the original one. Failure to do this results in errors when LDAP tries to use the credential cache." In our case, setting "krb5_canonicalize = false" in sssd.conf worked around the issue, but according to `man 5 sssd-krb5` it should be false by default: "krb5_canonicalize (boolean)            Specifies if the host and user principal should be canonicalized. This            feature is available with MIT Kerberos >= 1.7            Default: false" [Impact] credential cache can get corrupted [Test case] use cached credentials, notice how the file can get corrupted over time [Regression potential] small, included upstream since 1.8.4 [Other info] Known upstream bug, see: https://bugzilla.redhat.com/show_bug.cgi?id=811518 Quoting from the upstream description: "If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks krb5_get_init_creds_keytab() to canonicalize principals. This can change the client principal. When writing out the credential cache, we should use this changed principal, and not the original one. Failure to do this results in errors when LDAP tries to use the credential cache." In our case, setting "krb5_canonicalize = false" in sssd.conf worked around the issue, but according to `man 5 sssd-krb5` it should be false by default: "krb5_canonicalize (boolean)            Specifies if the host and user principal should be canonicalized. This            feature is available with MIT Kerberos >= 1.7            Default: false"
2012-12-04 08:40:31 Timo Aaltonen sssd (Ubuntu Precise): status Incomplete In Progress
2012-12-04 08:43:26 Timo Aaltonen bug added subscriber Ubuntu Stable Release Updates Team
2013-01-30 23:49:07 Adam Conrad sssd (Ubuntu Precise): status In Progress Fix Committed
2013-01-30 23:49:10 Adam Conrad bug added subscriber SRU Verification
2013-01-30 23:49:13 Adam Conrad tags verification-needed
2013-03-12 08:55:52 Timo Aaltonen tags verification-needed verification-done
2013-03-13 12:59:51 Timo Aaltonen sssd (Ubuntu Precise): status Fix Committed Fix Released