Karl-Philipp Richter writes:
> According to http://web.mit.edu/kerberos/mail-lists.html it is requested
> to send bug reports to the krb5-bugs mailing list with the `krb5-send-
> pr` program. It should be added to one of the krb5-* ubuntu packages as
> not all bugs make sense to be reported to la
Reassigning to krb5, as:
Feb 8 15:38:09 vpn-gw-ausfall openvpn[9031]: pam_krb5(openvpn-
krb5:auth): (user hildeb) credential verification failed: KDC has no
support for encryption type
is an error message from the underlying Kerberos library that libpam-
krb5 can't do anything about. libpam-krb5
This should be harmless, just noisy, but will be fixed in the next
release. Thanks!
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kerberos-configs in Ubuntu.
https://bugs.launchpad.net/bugs/1098294
Title:
Use of uninitialized valu
Oh, wow, great job with the test case. It wouldn't have occurred to me
to just do that. (And yes, you have to use the Git version because I've
been adding a ton of new tests compared to the latest full release.)
I have a test case, but I'm not sure you'll particularly enjoy it, since
it isn't in a neatly isolated form. But if you:
git clone git://git.eyrie.org/kerberos/pam-krb5.git
cd pam-krb5
./autogen
./configure
and then add the username and password of an account in a test Kerberos
r
Steve Langasek writes:
> Setting this back to 'triaged', which is the more-better bug state in
> LP.
Thanks. I tried to do that but it didn't let me (probably not enough
access bits).
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
** Summary changed:
- Can't change kerberos password, pam-krb5 try_first_pass also fails
+ Can't change kerberos password
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/715765
Title:
** Bug watch added: Debian Bug tracker #670457
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670457
** Also affects: krb5 (Debian) via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670457
Importance: Unknown
Status: Unknown
Public bug reported:
MIT Kerberos 1.10 (including pre-releases and betas) exposed a bug in
the tracking of preauth mechanisms such that, if an authentication fails
after preauth was requested, all subsequent preauth-required
authentications in the same Kerberos context will also fail.
This breaks
Actually, now that I look more at this, this may be an unrelated
problem. The problem I encountered was reported upstream as a password
change problem, but this may be a slightly different issue. I'll open
another bug about the failed second authentication problem.
This bug was introduced in MIT Kerberos 1.10. After a failing
authentication with preauth required in a particular Kerberos context,
all subsequent authentications in that context that require preauth will
fail. Upstream has fixed this with commit 25822.
This is a fairly serious issue, blocking
Ah, in fact, I see comment #20 mentioned above is from Steve.
Steve, when would you ever want to have an account type of Primary given
those semantics? Shouldn't Primary just be treated the same as
Additional for the account stack?
This analysis looks right to me, and I think may run deeper than just
this one module. If every account module should be additional and not
primary, I think that points to an error in the data model or
interpretation of the data model, rather than in individual PAM
configurations. And viewing the
> Kerberos code
> [realms]
> MYGROUP.COM = {
> kdc = kerberos.mygroup.com.:88
I'm not sure if this is your problem, but the trailing period here looks
suspicious. Try removing the period just before the colon.
--
Russ Allbery (r...@debian.org) <http://www.eyri
tc/hosts would
be sufficient without changing /etc/hostname. Could that be the
difference?
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
er is the unqualified "kerberos", so kprop
attempts to get initial tickets for host/kerbe...@example.net, which
fails.
Changing the system hostname of the master to kerberos.example.net will
probably fix this problem.
kprop should really gain an additional command-line option to specify
n't the greatest format for a full-blown reference manual; they don't
have very much useful structure.)
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
src/lib/crypto/krb/etypes.c
They're listed in the krb5-admin info pages included in krb5-doc under
Configuration Files.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
The bug is trivially reproducible given the instructions given by the
reporter. I don't see any need for them to run apport-collect to gather
more data.
** Changed in: krb5 (Ubuntu)
Status: Incomplete => Confirmed
til after it's backgrounded,
you lose nothing by adding some pauses and repeated attempts to contact
the LDAP server.
Ideally, they should both be robust against the other not being up yet.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
frastructure
on single machines, in which case you may have an LDAP replica and a KDC
on the same host. The LDAP replica then needs to do a GSSAPI
authentication to the master for replication, which requires access to the
KDC.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/
data in LDAP.
Unfortunately, both init script orderings break different things for
different people. What really needs to happen is that one or the other
(or preferably both) services need to be robust against the other service
not yet being initialized.
--
Russ Allbery (r...@debian.org)
This looks to me more like something that's seriously wrong with your
system rather than a problem with the package:
Setting up libkadm5clnt6 (1.7dfsg~beta3-1ubuntu0.6) ...
dpkg (subprocess): unable to execute installed post-installation script:
Exec format error
The postinst script for
nsistent is if you have a web
service that uses DNS-based load-balancing. That's where we ran into that
issue. The public name is a CNAME that points to the least-loaded host
(which is dynamically discovered by the DNS server).
--
Russ Allbery (r...@debian.org) <http:
n to use any principal in
its keytab. This all happened back in 2007 for us.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
--
krb5 prefers the reverse pointer no matter what for locating service tickets.
https://bugs.launchpad.net/bugs/571572
g something like that to Heimdal, since it would be rather
convenient at times.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
--
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/bugs/369575
r who wants to use the automated configuration tool to create
something to start from and then customize for the site.
We can certainly try to make it work more smoothly for you, but it does
feel like you're creating extra work for yourself in a few places.
--
Russ Allbery (r...@debian.org)
e. (I don't think of minimum_uid as one,
but things like renewable lifetime or forwardable tickets are more.)
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
--
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/b
age defaults
> anyway.
Right -- if you're already distributing a krb5.conf with this setting,
surely the same mechanism could be used to override the PAM configuration
as well.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
--
Why is /usr/share/pam-confi
ly what they did, so far as I know. The base PAM
packages shipped the default files, and if the local sysadmin added any
additional modules, those files became modified conffiles and weren't
further changed by package installations.
--
Russ Allbery (r...@debian.org) <http://ww
wherein one could authenticate as a Kerberos principal named
daemon, etc., and log on to a system account.
Fixing Debian Bug#330882 (and in general not creating real shells for
system users) would remove a lot of my concern.
--
Russ Allbery (r...@debian.org) <http://www.eyrie
her ones. One has
to both have a mix of Kerberos-authenticated and non-Kerberos users,
distinguish by UID, and mind the silent Kerberos authentication failure
when handling the UNIX login.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
--
Why is /usr/share/pa
e configuration
files, but if the user is using the defaults, I believe changes to the
defaults are just automatically applied (although Steve would know better
than I). And krb5.conf normally isn't updated once written and I don't
think it could be updated with this particular type of ch
ion. This is particularly true in Debian where those accounts
have valid shells by default.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
--
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/bugs/369575
moment, therefore, I think it's unlikely there will be any changes
for lucid if they're waiting on me to initiate the work.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
--
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://
wd: Authentication information cannot be recovered
> passwd: password unchanged
> The problem is in passing "use_authtok" to pam_krb5. Comparatively,
> try_first_pass/use_first_pass/nothing at least allows the "Current
> Kerberos password:" prompt to come u
ay provide more information - (minor) Program
> lacks support for encryption type
> Switching back to 1.7 fixes this Problem.
Sounds like NFS v4 doesn't support stronger encryption types than DES.
You'll need to add:
allow_weak_crypto = true
to the [libdefaults] section of
The best theory that I have about this bug is that it's related to some
sort of failure in the NSS lookups for the current user, resulting in
the ticket cache permissions not being changed, but I can't entirely
reconcile this with the debugging messages you're seeing.
I think progress on this bug
t, and that doesn't match the
behavior I'm seeing elsewhere.
For whatever it's worth, this appears to be either specific to the LDAP
NSS module or to Ubuntu; su - $USER works fine with pam-krb5 in Debian on
a system that doesn't use any special NSS modules.
--
Russ Allbery (r.
those files all mode 600?
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
--
segfault
https://bugs.launchpad.net/bugs/476069
file with a name like
/tmp/krb5cc_1000_DBzGt12076 representing the user's ticket cache.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
--
segfault
https://bugs.launchpad.net/bugs/476069
ule, since that last line is the final line
logged by the PAM module before returning to the process.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
--
segfault
https://bugs.launchpad.net/bugs/476069
tall and register with doc-base
krb5-doc no longer has a postinst to call install-docs because doc-base
now uses triggers to handle that. This is probably just that Ubuntu's
Lintian is a bit out of date.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
causes pam-krb5 to hang for long
periods, login can time out and leave you in a situation where you can't
log in as root. Maybe it would make sense to leave minimum_uid for
/etc/krb5.conf but set ignore_root in the profile to eliminate the worst
of the problem of not having minimum
is is an
inherent security flaw in how rpc.gssd works, which is probably not
fixable as long as it scans /tmp for ticket caches and uses whatever it
happens to find.
If autofs happens later, after the PAM authentication has successfully
completed, this temporary ticket cache of course no longer exi
Yeah, that sounds like a bug in the NFS userspace portions to me.
The way that I understand this is supposed to work is that the NFS
Kerberos support is divided into two components: a userspace daemon that
finds the user's ticket cache, grabs credentials where necessary, and
loads them into the ke
I'm not sure what package this is a problem with, but I can say with
some certainty that it isn't kerberos-configs. This package only
provides the krb5.conf configuration to find the KDCs and do other
library initialization.
This sounds like a bug in the NFS v4 userspace processes, if I
understan
os realm?
I suspect this is the same as #296719, which was fixed in 1.22.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
--
suarez
https://bugs.launchpad.net/bugs/355151
but
probably at the dpkg layer rather than at the level of the krb5 package.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
--
package libkrb5-dev 1.6.dfsg.4~beta1-3 failed to install/upgrade: failed to
delete `/usr/lib/libkrb5support.so.dpkg-tmp': Rea
1.22 has been synced to jaunty, so following the process for proposing
an intrepid update:
This bug causes users who do not have a valid local hostname to fail to
install krb5-config. krb5-config is a dependency of many other packages
and recommendation for all Kerberos software packages. The fi
't know how bad it will
be. (kpasswd is likely to be the hardest problem, since it's UDP, but you
may not care about it.)
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
--
kadmind will not listen on IPv6 ports
https://bugs.launchpad.net/bugs/309339
rather than
> sockaddr_in6, used to bind to the kerberos-adm port, and the code that
> uses it is:
I believe that's correct and upstream does not (yet, at least) support the
kadmin protocol over IPv6.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
-
This is the intended behavior of Kerberos. So far as I know, it has
always worked this way. I have never seen logins succeed if you have an
empty .k5login file. I suspect something else was going on when you
thought this used to work (such as having the .k5login file not be
readable for some rea
Well, the root of your problem was that debconf exploded for some
reason, but the error then reported in the *.config script was fixed
some time back in Debian. I'm afraid I don't remember exactly when, but
it was a quoting issue in the *.config script.
--
Kerberos Install - unary operator expec
The package is behaving as intended from my perspective. I don't think
it's sane to automatically create a new realm on package installation.
You may want to do something else, like initialize from an existing
realm or create a realm that doesn't match the local realm for testing.
In fact, given t
I'm not sure when it changed, but the current code matches the
documentation. noaddresses is the correct option, and the default is
true.
--
Option no-addresses spelled wrong in "man krb.conf"
(/usr/share/man/man5/krb5.conf.5.gz)
https://bugs.launchpad.net/bugs/72599
This is fixed in the 1.6.dfsg.3-1 Debian release:
* If krb5-config/default_realm isn't set, use EXAMPLE.COM as the realm
so that the kdc.conf will at least be syntactically valid (but will
still require editing). (Closes: #474741)
--
Improper format of Kerberos configuration file
http