This bug was fixed in the package krb5 - 1.8.1+dfsg-2ubuntu0.1
---
krb5 (1.8.1+dfsg-2ubuntu0.1) lucid-proposed; urgency=low
* src/lib/gssapi/spnego/spnego_mech.c: Ignore duplicate token sent in
mechListMIC from Windows 2000 SPNEGO (LP: #551901)
-- Thierry CarrezTue, 01 Jun
** Tags added: verification-done
** Tags removed: verification-needed
--
likewise-open fails to join Windows 2000 SP4 domain
https://bugs.launchpad.net/bugs/551901
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing l
Worked OK for me !
--
likewise-open fails to join Windows 2000 SP4 domain
https://bugs.launchpad.net/bugs/551901
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubun
** Branch linked: lp:ubuntu/lucid-proposed/krb5
--
likewise-open fails to join Windows 2000 SP4 domain
https://bugs.launchpad.net/bugs/551901
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.
Accepted krb5 into lucid-proposed, the package will build now and be
available in a few hours. Please test and give feedback here. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed. Thank you in advance!
** Tags added: verification-needed
--
lik
ACK from ubuntu-sru
--
likewise-open fails to join Windows 2000 SP4 domain
https://bugs.launchpad.net/bugs/551901
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubu
Fix uploaded to lucid-proposed.
** Changed in: krb5 (Ubuntu Lucid)
Status: In Progress => Fix Committed
--
likewise-open fails to join Windows 2000 SP4 domain
https://bugs.launchpad.net/bugs/551901
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscr
** Description changed:
Binary package hint: likewise-open
Package: likewise-open
Architecture: amd64
Version: 5.4.0.42111-1
uname: Linux 2.6.32-18-generic #27-Ubuntu SMP
I am unable to join an AD domain. This machine was upgraded from 9.04
to 9.10, after that update, I was ab
Thanks very much for your help, I'll push this to lucid-proposed for a
wider audience.
--
likewise-open fails to join Windows 2000 SP4 domain
https://bugs.launchpad.net/bugs/551901
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubun
Thanks to Thierry Carrez, your krb5 release solved the problem for me.
--
likewise-open fails to join Windows 2000 SP4 domain
https://bugs.launchpad.net/bugs/551901
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing
Thierry,
it seems to work well.
I have done the following :
-In a Lucid PC upgraded from Karmic having the "manual" patched krb5 installed
: leaved the domain, installed package version 1.8.1+dfsg-2 (which has the
problem with windows 2000 domains), verified it cannot join the domain,
installed
@Matt, Hernan:
I uploaded a fixed version to my PPA, please see:
https://launchpad.net/~ttx/+archive/ppa
Once it's built (should take a couple hours), could you install that
version and test that it fixes the issue without bringing in new issues
?
If you confirm that this version fixes it, I'll u
** Changed in: krb5 (Ubuntu Lucid)
Assignee: (unassigned) => Thierry Carrez (ttx)
** Changed in: krb5 (Ubuntu)
Milestone: lucid-updates => None
--
likewise-open fails to join Windows 2000 SP4 domain
https://bugs.launchpad.net/bugs/551901
You received this bug notification because you ar
** Branch linked: lp:ubuntu/krb5
--
likewise-open fails to join Windows 2000 SP4 domain
https://bugs.launchpad.net/bugs/551901
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
http
This bug was fixed in the package krb5 - 1.8.1+dfsg-5
---
krb5 (1.8.1+dfsg-5) unstable; urgency=low
* Ignore duplicate token sent in mechListMIC from Windows 2000 SPNEGO
(LP: #551901)
* krb5-admin-server starts after krb5-kdc, Closes: #583494
krb5 (1.8.1+dfsg-4) unstable; urg
Sam: Not really, thanks for asking :) Maverick will sync with your fixed
version, and I'll create a specific patched version for Lucid.
--
likewise-open fails to join Windows 2000 SP4 domain
https://bugs.launchpad.net/bugs/551901
You received this bug notification because you are a member of Ubun
> "Thierry" == Thierry Carrez writes:
Thierry> @Sam: let me know if you feel comfortable applying that
Thierry> patch now. Once it's fixed in sid/maverick, I'll push a SRU
Thierry> for lucid.
Sure. I will attempt to get to it this weekend.
Anything you want me to do to make the
Correct. My understanding is that we've only observed the issue on
Windows 2000 DCs.
--
likewise-open fails to join Windows 2000 SP4 domain
https://bugs.launchpad.net/bugs/551901
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubunt
@Sam: let me know if you feel comfortable applying that patch now. Once
it's fixed in sid/maverick, I'll push a SRU for lucid.
@Jerry: This is an issue specific to Windows 2000 DCs, right ?
--
likewise-open fails to join Windows 2000 SP4 domain
https://bugs.launchpad.net/bugs/551901
You received
Patch has been committed upstream:
Subject: [krbdev.mit.edu #6726] SVN Commit
Apply patch from Arlene Berry to detect and ignore a duplicate
mechanism token sent in the mechListMIC field, such as sent by Windows
2000 Server.
http://src.mit.edu/fisheye/changelog/krb5/?cs=24075
Commit By: tlyu
Re
Filed upstream as - "SPNEGO doesn't interoperate with Windows 2000"
[krbdev.mit.edu #6726]
--
likewise-open fails to join Windows 2000 SP4 domain
https://bugs.launchpad.net/bugs/551901
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
> "Gerald" == Gerald Carter writes:
Gerald> I think Sam is wanting to know if likewise has submitted the
Gerald> patch to upstream MIT krb5. If that is the case, I'll check
Gerald> on the state of things and update the bug report.
That is. Early on you mentioned you thought thi
Right, we are missing two pieces of information:
"Someone familiar with the MIT SPNEGO code needs to look at the patch
and confirm it actually ignores MIC tokens only when MIC tokens are
optional. In particular, we want to confirm that if the mechanism
supports integrity and a MIC token would be r
I think Sam is wanting to know if likewise has submitted the patch to
upstream MIT krb5. If that is the case, I'll check on the state of
things and update the bug report.
--
likewise-open fails to join Windows 2000 SP4 domain
https://bugs.launchpad.net/bugs/551901
You received this bug notificat
Sorry Sam, but I don't fully understand how the patch become available in
ubuntu releases.
But I can confirm that last available package of krb5 in lucid repositories
(krb5_1.8.1+dfsg-2) still have the bug/problem and the link giving in comment
#6 correspond to and older version of krb5 (the lin
So, it's my understanding that we're still waiting for a confirmation
that this patch has been submitted upstream and for an upstream review
of the patch, right?
--
likewise-open fails to join Windows 2000 SP4 domain
https://bugs.launchpad.net/bugs/551901
You received this bug notification becaus
Now is working fine in upgraded and fresh install lucid PCs
In upgraded installation I have to rejoin the domain
(patch package following the steps in :
http://www.cyberciti.biz/faq/rebuilding-ubuntu-debian-linux-binary-package/ for
the package krb5_1.8.1+dfsg-2.dsc)
--
likewise-open fails to j
Matt, I have exactly the same errors, with a windows 2000 SP4 domain upgraded
to support windows 2003 domain controllers
(http://support.microsoft.com/kb/325379) (3 ubuntu PC upgrades from 9.10 to
10.04 and 1 PC installing 10.04 from scratch), but building the patched
libraries does not solve t
** Changed in: krb5 (Ubuntu Lucid)
Milestone: None => lucid-updates
** Changed in: krb5 (Ubuntu Lucid)
Assignee: Thierry Carrez (ttx) => (unassigned)
--
likewise-open fails to join Windows 2000 SP4 domain
https://bugs.launchpad.net/bugs/551901
You received this bug notification because
** Tags added: patch
--
likewise-open fails to join Windows 2000 SP4 domain
https://bugs.launchpad.net/bugs/551901
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ub
** Changed in: krb5 (Ubuntu Lucid)
Assignee: (unassigned) => Thierry Carrez (ttx)
--
likewise-open fails to join Windows 2000 SP4 domain
https://bugs.launchpad.net/bugs/551901
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubun
Subscribing Jerry to get his opinion on impact.
--
likewise-open fails to join Windows 2000 SP4 domain
https://bugs.launchpad.net/bugs/551901
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.
** Also affects: krb5 (Ubuntu Lucid)
Importance: Undecided
Status: Confirmed
** Changed in: krb5 (Ubuntu Lucid)
Importance: Undecided => Medium
--
likewise-open fails to join Windows 2000 SP4 domain
https://bugs.launchpad.net/bugs/551901
You received this bug notification because yo
@Sam: Thank you very much for looking into this. We'll wait for your
green light before including that patch in all cases. The sooner the
better, but if that comes too late in Lucid preparation, we'll fix this
in a post-release StableReleaseUpdate.
@Jerry: Trying to assess the right bug importance
OK, here's where this stands.
We've been discussing on #krbdev, the upstream krb5 IRC channel.
We agree that ignoring a MIC token that is an exact copy of the response
token is security neutral and it looks like both upstream and I are
comfortable making a change to do that even though it seems to
As best I can tell, the behavior of the patch is explicitly forbidden by
RFC 4178 section 5; see II under clause B and C. However, I'll admit
that the behavior described in Appendix C does not seem consistent with
what I remember for Windows 2000... Perhaps that's only the Windows
behavior for kr
I don't see a upstream krb5 bug for this issue.
I would recommend against applying this patch until someone familiar
with the SPNEGO security model and the code has evaluated it.
Basically, certain versions of Windows produce bad SPNEGO tokens. It's
appropriate to ignore these in some situation
Moving to krb5 component for requesting inclusion of the spnego patch
** Package changed: likewise-open (Ubuntu) => krb5 (Ubuntu)
** Changed in: krb5 (Ubuntu)
Assignee: Gerald Carter (coffeedude.jerry) => (unassigned)
--
likewise-open fails to join Windows 2000 SP4 domain
https://bugs.laun
** Patch added: "Patch for krb5 snpego processing of duplicate tokens"
http://launchpadlibrarian.net/44173198/likewise-open.git-e83a8e9862ed5357eb362ca617d93d8d6d133311.patch
** Changed in: likewise-open (Ubuntu)
Status: Fix Committed => Confirmed
--
likewise-open fails to join Windo
I'll work on getting the krb5 patch pushed into the distro if possible.
I think the patch has already been submitted upstream to the MIT devs
but I'll double check.
** Changed in: likewise-open (Ubuntu)
Status: Incomplete => Fix Committed
--
likewise-open fails to join Windows 2000 SP4 do
Ok, everything is working now. I thought the connection refused error
might be coming from some sort of leftover cruft from all the failed
join attempts, so I followed your suggestions from Bug #543963 and was
able to join the domain without errors, I'm also able to login using AD
now, so everythi
Ok, I grabbed the krb5 1.8.1 sources and applied the patch you linked,
built kerberos, and switched to from the 1.8.alpha1 libs (from ubuntu
10.04) to the patched 1.8.1 libs. I restarted and attempted to join the
domain again using domainjoin-cli. This time I get no /var/log/syslog
errors from G
42 matches
Mail list logo
