Invalid cache file created when canoning principals during krb5_get_init_creds_keytab()
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
sssd (Ubuntu) | Fix Released | High | Unassigned |
Precise | Fix Released | High | Unassigned |
Bug Description
[Impact]
credential cache can get corrupted
[Test case]
use cached credentials, notice how the file can get corrupted over time
[Regression potential]
small, included upstream since 1.8.4
[Other info]
Known upstream bug, see: https:/
Quoting from the upstream description:
"If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks krb5_get_
In our case, setting "krb5_canonicalize = false" in sssd.conf worked around the issue, but according to `man 5 sssd-krb5` it should be false by default:
"krb5_canonicalize (boolean)
feature is available with MIT Kerberos >= 1.7
Default: false"
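A check for the workaround described above, as an added example that is not part of the bug report or of sssd: it lists the Kerberos-using domains in an sssd.conf where `krb5_canonicalize` is anything other than an explicit `false`. The sample configuration, domain names, function names and the rule for deciding that a domain uses Kerberos are assumptions made for illustration.

```python
import configparser

# Constructed sample configuration (not from the bug report).
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = EXAMPLE.COM, LAB.EXAMPLE.COM, LEGACY, FILES

[domain/EXAMPLE.COM]
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_canonicalize = false

[domain/LAB.EXAMPLE.COM]
auth_provider = krb5
krb5_realm = LAB.EXAMPLE.COM

[domain/LEGACY]
auth_provider = krb5
krb5_canonicalize = True

[domain/FILES]
id_provider = local
"""

def audit_canonicalize(conf_text):
    """Map each Kerberos-using domain to 'false', 'true' or 'unset'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        # Assumption: a domain uses Kerberos if auth_provider is krb5
        # or it sets any krb5_* option.
        uses_krb5 = (opts.get("auth_provider", "").strip().lower() == "krb5"
                     or any(k.startswith("krb5_") for k in opts))
        if not uses_krb5:
            continue
        value = opts.get("krb5_canonicalize")
        report[section[len("domain/"):]] = (
            "unset" if value is None else value.strip().lower())
    return report

def needs_workaround(conf_text):
    """Domains where the setting is anything other than an explicit false."""
    return sorted(d for d, v in audit_canonicalize(conf_text).items()
                  if v != "false")

if __name__ == "__main__":
    for domain in needs_workaround(SAMPLE_CONF):
        print(f"{domain}: set krb5_canonicalize = false explicitly")
```

Domains reported as `unset` are included because, per the report, relying on the documented default did not avoid the problem.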
description: updated
Changed in sssd (Ubuntu Precise):
status: Incomplete → In Progress
tags: added: verification-done; removed: verification-needed
the upstream patch can't be backported as is, since it caused https://fedorahosted.org/sssd/ticket/1330
so that one needs to be fixed first