** Description changed:

+ [Impact]
+ credential cache can get corrupted
+ 
+ [Test case]
+ use cached credentials, notice how the file can get corrupted over time
+ 
+ [Regression potential]
+ small, included upstream since 1.8.4
+ 
+ [Other info]
+ 
  Known upstream bug, see:
  https://bugzilla.redhat.com/show_bug.cgi?id=811518
  
  Quoting from the upstream description:
  
  "If krb5_canonicalize is not present or is True in sssd.conf, then sssd
  asks krb5_get_init_creds_keytab() to canonicalize principals. This can
  change the client principal. When writing out the credential cache, we
  should use this changed principal, and not the original one.  Failure to
  do this results in errors when LDAP tries to use the credential cache."
  
  In our case, setting "krb5_canonicalize = false" in sssd.conf worked
  around the issue, but according to `man 5 sssd-krb5` it should be false
  by default:
  
  "krb5_canonicalize (boolean)
             Specifies if the host and user principal should be canonicalized. This
             feature is available with MIT Kerberos >= 1.7
  
             Default: false"

** Changed in: sssd (Ubuntu Precise)
       Status: Incomplete => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/985031

Title:
  Invalid cache file created when canoning principals during
  krb5_get_init_creds_keytab()
