2012-04-18 16:03:20 |
Mark Russell |
bug |
|
|
added bug |
2012-04-18 16:06:16 |
Mark Russell |
description |
Known upstream bug, see: https://bugzilla.redhat.com/show_bug.cgi?id=811518
Quoting from the upstream description:
"If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks krb5_get_init_creds_keytab() to canonicalize principals. This can change the client principal. When writing out the credential cache, we should use this changed principal, and not the original one. Failure to do this results in errors when LDAP tries to use the credential cache."
In our case, setting "krb5_canonicalize = false" in sssd.conf solved the issue, but according to `man 5 sssd-krb5` it should be false by default:
"krb5_canonicalize (boolean)
Specifies if the host and user principal should be canonicalized. This feature is
available with MIT Kerberos >= 1.7
Default: false" |
Known upstream bug, see: https://bugzilla.redhat.com/show_bug.cgi?id=811518
Quoting from the upstream description:
"If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks krb5_get_init_creds_keytab() to canonicalize principals. This can change the client principal. When writing out the credential cache, we should use this changed principal, and not the original one. Failure to do this results in errors when LDAP tries to use the credential cache."
In our case, setting "krb5_canonicalize = false" in sssd.conf solved the issue, but according to `man 5 sssd-krb5` it should be false by default:
"krb5_canonicalize (boolean)
Specifies if the host and user principal should be canonicalized. This
feature is available with MIT Kerberos >= 1.7
Default: false" |
|
2012-04-18 16:07:33 |
Mark Russell |
bug |
|
|
added subscriber Jason Sharp |
2012-04-18 16:12:37 |
Mark Russell |
description |
Known upstream bug, see: https://bugzilla.redhat.com/show_bug.cgi?id=811518
Quoting from the upstream description:
"If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks krb5_get_init_creds_keytab() to canonicalize principals. This can change the client principal. When writing out the credential cache, we should use this changed principal, and not the original one. Failure to do this results in errors when LDAP tries to use the credential cache."
In our case, setting "krb5_canonicalize = false" in sssd.conf solved the issue, but according to `man 5 sssd-krb5` it should be false by default:
"krb5_canonicalize (boolean)
Specifies if the host and user principal should be canonicalized. This
feature is available with MIT Kerberos >= 1.7
Default: false" |
Known upstream bug, see: https://bugzilla.redhat.com/show_bug.cgi?id=811518
Quoting from the upstream description:
"If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks krb5_get_init_creds_keytab() to canonicalize principals. This can change the client principal. When writing out the credential cache, we should use this changed principal, and not the original one. Failure to do this results in errors when LDAP tries to use the credential cache."
In our case, setting "krb5_canonicalize = false" in sssd.conf worked around the issue, but according to `man 5 sssd-krb5` it should be false by default:
"krb5_canonicalize (boolean)
Specifies if the host and user principal should be canonicalized. This
feature is available with MIT Kerberos >= 1.7
Default: false" |
|
2012-05-21 13:45:27 |
Timo Aaltonen |
bug watch added |
|
https://fedorahosted.org/sssd/ticket/1330 |
|
2012-05-21 13:45:27 |
Timo Aaltonen |
sssd (Ubuntu): importance |
Undecided |
High |
|
2012-05-21 13:45:27 |
Timo Aaltonen |
sssd (Ubuntu): status |
New |
Triaged |
|
2012-05-23 12:13:14 |
Timo Aaltonen |
sssd (Ubuntu): status |
Triaged |
Fix Committed |
|
2012-05-24 11:25:35 |
Launchpad Janitor |
sssd (Ubuntu): status |
Fix Committed |
Fix Released |
|
2012-05-24 12:22:30 |
Timo Aaltonen |
nominated for series |
|
Ubuntu Precise |
|
2012-05-24 12:22:30 |
Timo Aaltonen |
bug task added |
|
sssd (Ubuntu Precise) |
|
2012-05-24 12:23:04 |
Timo Aaltonen |
sssd (Ubuntu Precise): importance |
Undecided |
High |
|
2012-05-24 12:23:04 |
Timo Aaltonen |
sssd (Ubuntu Precise): status |
New |
Triaged |
|
2012-10-30 23:28:37 |
Timo Aaltonen |
sssd (Ubuntu Precise): status |
Triaged |
Incomplete |
|
2012-12-04 08:40:18 |
Timo Aaltonen |
description |
Known upstream bug, see: https://bugzilla.redhat.com/show_bug.cgi?id=811518
Quoting from the upstream description:
"If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks krb5_get_init_creds_keytab() to canonicalize principals. This can change the client principal. When writing out the credential cache, we should use this changed principal, and not the original one. Failure to do this results in errors when LDAP tries to use the credential cache."
In our case, setting "krb5_canonicalize = false" in sssd.conf worked around the issue, but according to `man 5 sssd-krb5` it should be false by default:
"krb5_canonicalize (boolean)
Specifies if the host and user principal should be canonicalized. This
feature is available with MIT Kerberos >= 1.7
Default: false" |
[Impact]
Credential cache can get corrupted.
[Test case]
Use cached credentials; notice how the file can get corrupted over time.
[Regression potential]
Small; included upstream since 1.8.4.
[Other info]
Known upstream bug, see: https://bugzilla.redhat.com/show_bug.cgi?id=811518
Quoting from the upstream description:
"If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks krb5_get_init_creds_keytab() to canonicalize principals. This can change the client principal. When writing out the credential cache, we should use this changed principal, and not the original one. Failure to do this results in errors when LDAP tries to use the credential cache."
In our case, setting "krb5_canonicalize = false" in sssd.conf worked around the issue, but according to `man 5 sssd-krb5` it should be false by default:
"krb5_canonicalize (boolean)
Specifies if the host and user principal should be canonicalized. This
feature is available with MIT Kerberos >= 1.7
Default: false" |
|
2012-12-04 08:40:31 |
Timo Aaltonen |
sssd (Ubuntu Precise): status |
Incomplete |
In Progress |
|
2012-12-04 08:43:26 |
Timo Aaltonen |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2013-01-30 23:49:07 |
Adam Conrad |
sssd (Ubuntu Precise): status |
In Progress |
Fix Committed |
|
2013-01-30 23:49:10 |
Adam Conrad |
bug |
|
|
added subscriber SRU Verification |
2013-01-30 23:49:13 |
Adam Conrad |
tags |
|
verification-needed |
|
2013-03-12 08:55:52 |
Timo Aaltonen |
tags |
verification-needed |
verification-done |
|
2013-03-13 12:59:51 |
Timo Aaltonen |
sssd (Ubuntu Precise): status |
Fix Committed |
Fix Released |
|