Your message dated Sat, 11 Dec 2010 01:32:24 +0000
with message-id <[email protected]>
and subject line Bug#604925: fixed in krb5 1.9+dfsg~beta2-1
has caused the Debian Bug report #604925,
regarding Squeeze krb5 fails to work with Open Directory KDC tickets
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
604925: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604925
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libgssapi-krb5-2
Version: 1.8.3+dfsg-2
Severity: grave
File: /usr/lib/libgssapi_krb5.so.2
My system uses kerberos to authenticate users to ssh. After upgrading a server
to squeeze logging in is no longer possible (this could satisfy critical
severity). Unfortunately debugging this turned out to be harder than expected,
because gssapi is not very precise about what the problem really is. All I can
do is post the logs.
Logging in from a (lenny) client that could log in to the same system
before the upgrade:
$ ssh -vvv somemachine
...
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list
publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred
gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred:
gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Unspecified GSS failure. Minor code may provide more information
Generic error (see e-text)
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
...
Of course I also turned on debugging on the server:
...
Nov 25 13:43:46 someserver sshd[5661]: Set /proc/self/oom_adj to 0
Nov 25 13:43:46 someserver sshd[5661]: debug1: rexec start in 5 out 5 newsock 5
pipe 7 sock 8
Nov 25 13:43:46 someserver sshd[5661]: debug1: inetd sockets after dupping: 3, 3
Nov 25 13:43:46 someserver sshd[5661]: Connection from 10.0.82.2 port 36317
Nov 25 13:43:46 someserver sshd[5661]: debug1: Client protocol version 2.0;
client software version OpenSSH_5.1p1 Debian-5
Nov 25 13:43:46 someserver sshd[5661]: debug1: match: OpenSSH_5.1p1 Debian-5
pat OpenSSH*
Nov 25 13:43:46 someserver sshd[5661]: debug1: Enabling compatibility mode for
protocol 2.0
Nov 25 13:43:46 someserver sshd[5661]: debug1: Local version string
SSH-2.0-OpenSSH_5.5p1 Debian-5+b1
Nov 25 13:43:46 someserver sshd[5661]: debug1: PAM: initializing for "root"
Nov 25 13:43:46 someserver sshd[5661]: debug1: PAM: setting PAM_RHOST to
"reverse.dns.of.somemachine"
Nov 25 13:43:46 someserver sshd[5661]: debug1: PAM: setting PAM_TTY to "ssh"
Nov 25 13:43:46 someserver sshd[5661]: Failed none for root from 10.0.82.2 port
36317 ssh2
Nov 25 13:43:46 someserver sshd[5661]: debug1: Unspecified GSS failure. Minor
code may provide more information\nNo such file or directory\n
Nov 25 13:43:46 someserver sshd[5661]: debug1: Got no client credentials
...
The origin of the "Unspecified GSS failure." message is
src/lib/gssapi/mechglue/g_dsp_status.c which is a generic error handler. The
"Got no client credentials" message originates from sshd itself gss-serv.c in
ssh_gssapi_accept_ctx after finding that an error occured.
Any other information needed?
Do you have any ideas for debugging?
Helmut
-- System Information:
Debian Release: squeeze/sid
APT prefers squeeze-volatile
APT policy: (500, 'squeeze-volatile'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libgssapi-krb5-2 depends on:
ii libc6 2.11.2-7 Embedded GNU C Library: Shared lib
ii libcomerr2 1.41.12-2 common error description library
ii libk5crypto3 1.8.3+dfsg-2 MIT Kerberos runtime libraries - C
ii libkeyutils1 1.4-1 Linux Key Management Utilities (li
ii libkrb5-3 1.8.3+dfsg-2 MIT Kerberos runtime libraries
ii libkrb5support0 1.8.3+dfsg-2 MIT Kerberos runtime libraries - S
libgssapi-krb5-2 recommends no packages.
Versions of packages libgssapi-krb5-2 suggests:
pn krb5-doc <none> (no description available)
ii krb5-user 1.8.3+dfsg-2 Basic programs to authenticate usi
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: krb5
Source-Version: 1.9+dfsg~beta2-1
We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive:
krb5-admin-server_1.9+dfsg~beta2-1_amd64.deb
to main/k/krb5/krb5-admin-server_1.9+dfsg~beta2-1_amd64.deb
krb5-doc_1.9+dfsg~beta2-1_all.deb
to main/k/krb5/krb5-doc_1.9+dfsg~beta2-1_all.deb
krb5-kdc-ldap_1.9+dfsg~beta2-1_amd64.deb
to main/k/krb5/krb5-kdc-ldap_1.9+dfsg~beta2-1_amd64.deb
krb5-kdc_1.9+dfsg~beta2-1_amd64.deb
to main/k/krb5/krb5-kdc_1.9+dfsg~beta2-1_amd64.deb
krb5-multidev_1.9+dfsg~beta2-1_amd64.deb
to main/k/krb5/krb5-multidev_1.9+dfsg~beta2-1_amd64.deb
krb5-pkinit_1.9+dfsg~beta2-1_amd64.deb
to main/k/krb5/krb5-pkinit_1.9+dfsg~beta2-1_amd64.deb
krb5-user_1.9+dfsg~beta2-1_amd64.deb
to main/k/krb5/krb5-user_1.9+dfsg~beta2-1_amd64.deb
krb5_1.9+dfsg~beta2-1.diff.gz
to main/k/krb5/krb5_1.9+dfsg~beta2-1.diff.gz
krb5_1.9+dfsg~beta2-1.dsc
to main/k/krb5/krb5_1.9+dfsg~beta2-1.dsc
krb5_1.9+dfsg~beta2.orig.tar.gz
to main/k/krb5/krb5_1.9+dfsg~beta2.orig.tar.gz
libgssapi-krb5-2_1.9+dfsg~beta2-1_amd64.deb
to main/k/krb5/libgssapi-krb5-2_1.9+dfsg~beta2-1_amd64.deb
libgssrpc4_1.9+dfsg~beta2-1_amd64.deb
to main/k/krb5/libgssrpc4_1.9+dfsg~beta2-1_amd64.deb
libk5crypto3_1.9+dfsg~beta2-1_amd64.deb
to main/k/krb5/libk5crypto3_1.9+dfsg~beta2-1_amd64.deb
libkadm5clnt-mit8_1.9+dfsg~beta2-1_amd64.deb
to main/k/krb5/libkadm5clnt-mit8_1.9+dfsg~beta2-1_amd64.deb
libkadm5srv-mit8_1.9+dfsg~beta2-1_amd64.deb
to main/k/krb5/libkadm5srv-mit8_1.9+dfsg~beta2-1_amd64.deb
libkdb5-5_1.9+dfsg~beta2-1_amd64.deb
to main/k/krb5/libkdb5-5_1.9+dfsg~beta2-1_amd64.deb
libkrb5-3_1.9+dfsg~beta2-1_amd64.deb
to main/k/krb5/libkrb5-3_1.9+dfsg~beta2-1_amd64.deb
libkrb5-dbg_1.9+dfsg~beta2-1_amd64.deb
to main/k/krb5/libkrb5-dbg_1.9+dfsg~beta2-1_amd64.deb
libkrb5-dev_1.9+dfsg~beta2-1_amd64.deb
to main/k/krb5/libkrb5-dev_1.9+dfsg~beta2-1_amd64.deb
libkrb53_1.9+dfsg~beta2-1_all.deb
to main/k/krb5/libkrb53_1.9+dfsg~beta2-1_all.deb
libkrb5support0_1.9+dfsg~beta2-1_amd64.deb
to main/k/krb5/libkrb5support0_1.9+dfsg~beta2-1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sam Hartman <[email protected]> (supplier of updated krb5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 10 Dec 2010 14:30:35 -0500
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-multidev
libkrb5-dev libkrb5-dbg krb5-pkinit krb5-doc libkrb5-3 libgssapi-krb5-2
libgssrpc4 libkadm5srv-mit8 libkadm5clnt-mit8 libk5crypto3 libkdb5-5
libkrb5support0 libkrb53
Architecture: source all amd64
Version: 1.9+dfsg~beta2-1
Distribution: experimental
Urgency: low
Maintainer: Sam Hartman <[email protected]>
Changed-By: Sam Hartman <[email protected]>
Description:
krb5-admin-server - MIT Kerberos master server (kadmind)
krb5-doc - Documentation for MIT Kerberos
krb5-kdc - MIT Kerberos key server (KDC)
krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
krb5-multidev - Development files for MIT Kerberos without Heimdal conflict
krb5-pkinit - PKINIT plugin for MIT Kerberos
krb5-user - Basic programs to authenticate using MIT Kerberos
libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
libkadm5clnt-mit8 - MIT Kerberos runtime libraries - Administration Clients
libkadm5srv-mit8 - MIT Kerberos runtime libraries - KDC and Admin Server
libkdb5-5 - MIT Kerberos runtime libraries - Kerberos database
libkrb5-3 - MIT Kerberos runtime libraries
libkrb5-dbg - Debugging files for MIT Kerberos
libkrb5-dev - Headers and development libraries for MIT Kerberos
libkrb53 - transitional package for MIT Kerberos libraries
libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 604925
Changes:
krb5 (1.9+dfsg~beta2-1) experimental; urgency=low
.
* New upstream release
* Fix default location of kpropd.acl in kpropd.M (LP: #688464)
* Ignore PACs without a server signature generated by OS X Open
Directory rather than failing authentication, Closes: #604925
* New exported API: krb5_tkt_creds_get
Checksums-Sha1:
955666d14b81b3e1cd9292005f8b0ec2a1ce4ba9 1603 krb5_1.9+dfsg~beta2-1.dsc
a4cfee6ac07eb220dbb67ef82d77e8cd38bae666 11581086
krb5_1.9+dfsg~beta2.orig.tar.gz
395f54ea26428a18a9c462b86283ea8731628e94 94269 krb5_1.9+dfsg~beta2-1.diff.gz
aaf366da72562b37e16631e2e77071ffdfb81052 2355774
krb5-doc_1.9+dfsg~beta2-1_all.deb
c524cebbbbf9dd521d9ec12651b92963d8882a85 1408144
libkrb53_1.9+dfsg~beta2-1_all.deb
02bd30cfb7e308f58a4a4c8c2b99233c0a5bcdb6 137380
krb5-user_1.9+dfsg~beta2-1_amd64.deb
54d8eac3609b8980cd13fcae20b85d4802481394 213810
krb5-kdc_1.9+dfsg~beta2-1_amd64.deb
940a50fb9649fa3f08432e7f10e7ae1143a5bc2f 116942
krb5-kdc-ldap_1.9+dfsg~beta2-1_amd64.deb
b82c1799db76ba7211d5deb1e3cf660c5469fe91 113200
krb5-admin-server_1.9+dfsg~beta2-1_amd64.deb
0ee80f4bf5a6993488f854d79e3d7f0aa50df230 113420
krb5-multidev_1.9+dfsg~beta2-1_amd64.deb
aa7f7f45a0194e876fcb457f340ec1aebd192df3 37014
libkrb5-dev_1.9+dfsg~beta2-1_amd64.deb
6c4ea10f17ccec87c1a13bd29720d808be4b6b52 1736358
libkrb5-dbg_1.9+dfsg~beta2-1_amd64.deb
b67e4cb092af66054a6a925964043eac585896d7 77548
krb5-pkinit_1.9+dfsg~beta2-1_amd64.deb
0cc4521ce0f502f476b60f1771f283994af27460 378174
libkrb5-3_1.9+dfsg~beta2-1_amd64.deb
01bea2188ae794fe003ff630d3d0269f7cdbbf7d 141072
libgssapi-krb5-2_1.9+dfsg~beta2-1_amd64.deb
7d832a0e3cd574b46c291bd7fd3275ac0132f91b 83902
libgssrpc4_1.9+dfsg~beta2-1_amd64.deb
ee240131058b3620fc907a30ea4c38802f2c847e 79620
libkadm5srv-mit8_1.9+dfsg~beta2-1_amd64.deb
ade4887a245c015ec06b0a6ce41237b8689c9841 63870
libkadm5clnt-mit8_1.9+dfsg~beta2-1_amd64.deb
87e512cb5ccc0aa528f95fc07f5a0409dcf65118 109916
libk5crypto3_1.9+dfsg~beta2-1_amd64.deb
900f893bd2bf91d1e96d9cfd7d0b3517ab9e7cb9 61776
libkdb5-5_1.9+dfsg~beta2-1_amd64.deb
d281ef8c449421a592d9d99d8c2857dd6bba28db 45508
libkrb5support0_1.9+dfsg~beta2-1_amd64.deb
Checksums-Sha256:
c387f55ba54bf4e737816d474bb86c880c5f561e9b962d31a31ee2de61014489 1603
krb5_1.9+dfsg~beta2-1.dsc
7fd773df98251a272090d22d08ed989ee2b131f7feef0805a67239547aa4db87 11581086
krb5_1.9+dfsg~beta2.orig.tar.gz
211f79f9c8b605a957132657523806c26d328bf490e5978f6baa19485e8b7f1a 94269
krb5_1.9+dfsg~beta2-1.diff.gz
82d43a10943d5d6bb84208cb35186e43db10761a4f370b92fdc96bda37774902 2355774
krb5-doc_1.9+dfsg~beta2-1_all.deb
82e67629c10e622690209e19db807e1e48e24621a3ac696c30302fdf3b8c4ed9 1408144
libkrb53_1.9+dfsg~beta2-1_all.deb
32809e61bb796a182fbd9a4465afe51d33b3f49cd3019c87f1b56b7107b2a276 137380
krb5-user_1.9+dfsg~beta2-1_amd64.deb
c6c256fb58a239b41771a983dc43eda526ba548ef9fa87d8fb497cc929174a35 213810
krb5-kdc_1.9+dfsg~beta2-1_amd64.deb
4f7523cddd24828d4bbe72b011b231c01132c01e283c5664c6d514cb2f4620bd 116942
krb5-kdc-ldap_1.9+dfsg~beta2-1_amd64.deb
e74eadebd4a24c19eb81115cba09631d4e057a6efc0bc10b6607da462843d841 113200
krb5-admin-server_1.9+dfsg~beta2-1_amd64.deb
dc069270723c354b051f4d735f8a3a26c6912f51f3ceb3c921208ed5d60aa294 113420
krb5-multidev_1.9+dfsg~beta2-1_amd64.deb
3d5ddc3ed75ba632b4b958af346a9f0099105a1e44723773bdad6e857846be1a 37014
libkrb5-dev_1.9+dfsg~beta2-1_amd64.deb
c3d1d727679f86967b2cfa01dc1ef5ea07de61238968583253f941f108782edf 1736358
libkrb5-dbg_1.9+dfsg~beta2-1_amd64.deb
bf3c7e88a5db61ac11fbff4aaaf159ba6492b88a710948f5bc9bcaa32678022b 77548
krb5-pkinit_1.9+dfsg~beta2-1_amd64.deb
56810e4dd2c71d31eb78b9946bf751186dd5f6b186bf406ee8b87567f2a7f384 378174
libkrb5-3_1.9+dfsg~beta2-1_amd64.deb
64c207ec34664370738f281c0a1394012bc0f92a9faa6f127658058f252767d2 141072
libgssapi-krb5-2_1.9+dfsg~beta2-1_amd64.deb
8453c41fc695391e203298a83477d91d5a53aebaa80a2598aaaa3d3d443755fa 83902
libgssrpc4_1.9+dfsg~beta2-1_amd64.deb
8c349857f555d43abe2b532aa611b6bb9effc6ccbf4b0e3a8ed5a4790a58adda 79620
libkadm5srv-mit8_1.9+dfsg~beta2-1_amd64.deb
e51aecb636aecce6fb6b240160aee63a70b12274eb2a0d11aba8922ac62e7b7b 63870
libkadm5clnt-mit8_1.9+dfsg~beta2-1_amd64.deb
b9abd589e62715e52f9f9c448dc11111eeb9445619b0c4f7a6c538ef3ccd407e 109916
libk5crypto3_1.9+dfsg~beta2-1_amd64.deb
e7cf75718f6ea9595477da05e1f751c6c0d2593f6b8564cbaf6391d3b3cacd21 61776
libkdb5-5_1.9+dfsg~beta2-1_amd64.deb
ce5d07f246ed977f1bc832abf38ad4d3b7adfef90342edffa2dea3a543173f9b 45508
libkrb5support0_1.9+dfsg~beta2-1_amd64.deb
Files:
9b52d9f040a869a7a0e3e4b47dd18076 1603 net standard krb5_1.9+dfsg~beta2-1.dsc
142991675879e7b89feb8d2c2ad87a70 11581086 net standard
krb5_1.9+dfsg~beta2.orig.tar.gz
7b23d0650b656e4a098dd1351596efe4 94269 net standard
krb5_1.9+dfsg~beta2-1.diff.gz
10ba7f36939a81ccc0f03c6f0370097b 2355774 doc optional
krb5-doc_1.9+dfsg~beta2-1_all.deb
584be4f00bcccfdef84bda16ba86c653 1408144 oldlibs extra
libkrb53_1.9+dfsg~beta2-1_all.deb
e06f64f008bff7545e112c9c7abd8070 137380 net optional
krb5-user_1.9+dfsg~beta2-1_amd64.deb
6241eb8a9ec1d0396ba644486a44d170 213810 net optional
krb5-kdc_1.9+dfsg~beta2-1_amd64.deb
a7684ccb16c188fee02ab48857a85c43 116942 net extra
krb5-kdc-ldap_1.9+dfsg~beta2-1_amd64.deb
92c08b3030225b61dad6887cb3f0838e 113200 net optional
krb5-admin-server_1.9+dfsg~beta2-1_amd64.deb
c5a0e6bda685829f256b7010cab46796 113420 libdevel optional
krb5-multidev_1.9+dfsg~beta2-1_amd64.deb
e2db61cd5982575b7e32043238b976bb 37014 libdevel extra
libkrb5-dev_1.9+dfsg~beta2-1_amd64.deb
940f1cb0e8804b123689c7296647c647 1736358 debug extra
libkrb5-dbg_1.9+dfsg~beta2-1_amd64.deb
790448004db70b68455935763dc803d9 77548 net extra
krb5-pkinit_1.9+dfsg~beta2-1_amd64.deb
566c2ef074da2a782748c9ebc28d6208 378174 libs standard
libkrb5-3_1.9+dfsg~beta2-1_amd64.deb
c68b93598f00a093268c30044b48bcd1 141072 libs standard
libgssapi-krb5-2_1.9+dfsg~beta2-1_amd64.deb
5aa99fc249e4b3d4a056d6ce8dd9c9eb 83902 libs standard
libgssrpc4_1.9+dfsg~beta2-1_amd64.deb
504275548ac4dc2735df8a67afb92d84 79620 libs standard
libkadm5srv-mit8_1.9+dfsg~beta2-1_amd64.deb
adec032a019fb52067620052f9c609dd 63870 libs standard
libkadm5clnt-mit8_1.9+dfsg~beta2-1_amd64.deb
a60dad0952da1448beee6fe03c4c9457 109916 libs standard
libk5crypto3_1.9+dfsg~beta2-1_amd64.deb
80a245604813659cde7d2022f1382af7 61776 libs standard
libkdb5-5_1.9+dfsg~beta2-1_amd64.deb
057e56e17bf270d60fb1c067e1ac4cd3 45508 libs standard
libkrb5support0_1.9+dfsg~beta2-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk0C0bwACgkQ/I12czyGJg9scACfQi9xLcSBULo0dVkWmwgo1yG+
okAAn04PUBkN33BUsCJl/1O07vU76Cid
=RLUz
-----END PGP SIGNATURE-----
--- End Message ---
