[Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.

William 571572 at bugs.launchpad.net
Wed Feb 27 09:41:16 UTC 2013


Quantal
requesting sharepointsite.testdomain with firefox with the following option set in about:config
network.negotiate-auth.trusted-uris "https://, http://"
klist
====================================================================================================
Default principal: testuser at EXAMPLE.COM

Valid starting    Expires           Service principal
27/02/2013 08:35  27/02/2013 18:35  krbtgt/EXAMPLE.COM at EXAMPLE.COM
        renew until 28/02/2013 08:35
====================================================================================================

option rdns=false
klist
====================================================================================================
Default principal: testuser at EXAMPLE.COM

Valid starting    Expires           Service principal
27/02/2013 08:35  27/02/2013 18:35  krbtgt/EXAMPLE.COM at EXAMPLE.COM
        renew until 28/02/2013 08:35
27/02/2013 08:37  27/02/2013 18:35  HTTP/searchsite.testdomain@
        renew until 28/02/2013 08:35
27/02/2013 08:37  27/02/2013 18:35  HTTP/searchsite.testdomain at EXAMPLE.COM
        renew until 28/02/2013 08:35
====================================================================================================
This results in a request for a ticket for the wrong name and no sso.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Rebuilding kerberos for quantal
apt-get build-dep libkrb5-3
apt-get source libkrb5-3
edit src/lib/krb5/os/sn2princ.c
            //hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
            hints.ai_flags = AI_CANONNAME;

rebuild:
fakeroot debian/rules binary
dpkg -i ../libkrb5-3.........deb

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
retest Quantal
option rdns not set
requesting sharepointsite.testdomain with firefox with the following option set in about:config
network.negotiate-auth.trusted-uris "https://, http://"
klist
====================================================================================================
Default principal: testuser at EXAMPLE.COM

Valid starting    Expires           Service principal
27/02/2013 08:53  27/02/2013 18:53  krbtgt/EXAMPLE.COM at EXAMPLE.COM
        renew until 28/02/2013 08:53
27/02/2013 08:54  27/02/2013 18:53  HTTP/searchsite.testdomain@
        renew until 28/02/2013 08:53
27/02/2013 08:54  27/02/2013 18:53  HTTP/searchsite.testdomain at EXAMPLE.COM
        renew until 28/02/2013 08:53

====================================================================================================

option rdns=false
klist
====================================================================================================
Default principal: testuser at EXAMPLE.COM

Valid starting    Expires           Service principal
27/02/2013 08:59  27/02/2013 18:59  krbtgt/EXAMPLE.COM at EXAMPLE.COM
        renew until 28/02/2013 08:59
27/02/2013 09:00  27/02/2013 18:59  HTTP/sharepointsite.testdomain@
        renew until 28/02/2013 08:59
27/02/2013 09:00  27/02/2013 18:59  HTTP/sharepointsite.testdomain at EXAMPLE.COM
        renew until 28/02/2013 08:59
====================================================================================================

Now the setting rdns=false causes sso to work.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/571572

Title:
  krb5 prefers the reverse pointer no matter what for locating service
  tickets.

Status in “krb5” package in Ubuntu:
  Confirmed

Bug description:
  I'm trying to upgrade workstations to Lucid and they fail to access our
  Kerberos-enabled websites. It reveals that the krb5 implementation in
  Lucid now tries to resolve the "reverse dns" and acquire a ticket for
  <service>/<reverse dns> instead of <service>/<what the user typed in
  the first place>.

  The latter behavior is what the MS environment does and is what Ubuntu
  has done (I think) until Lucid. A diff of the source code from Hardy
  reveals that we now hint the getaddrinfo with AI_CANONNAME, which it
  didn't before.

  Applying the patch below enables the old behaviour.

  --- krb5-1.8.1+dfsg/src/lib/krb5/os/sn2princ.c.orig	2010-04-29 09:04:11.401567914 +0200
  +++ krb5-1.8.1+dfsg/src/lib/krb5/os/sn2princ.c	2010-04-29 09:04:21.762191834 +0200
  @@ -112,7 +112,7 @@
   
               memset(&hints, 0, sizeof(hints));
               hints.ai_family = AF_INET;
  -            hints.ai_flags = AI_CANONNAME;
  +//            hints.ai_flags = AI_CANONNAME;
           try_getaddrinfo_again:
               err = getaddrinfo(hostname, 0, &hints, &ai);
               if (err) {
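
Review bot: The changed line in this hunk comments out hints.ai_flags = AI_CANONNAME with a // comment, which switches off forward canonicalization for every caller of this code path instead of making it selectable. After the memset, ai_flags stays 0, so getaddrinfo(hostname, 0, &hints, &ai) no longer fills in ai->ai_canonname; any code below this hunk that reads that field must fall back to hostname, and since that code is not visible here, please confirm it does. Suggest deleting the line rather than leaving it commented out, or better, setting the flag only when a configuration option asks for it, so sites that rely on canonicalization keep it. The hunk also only changes the flags of the forward lookup; if the aim is to stop preferring the reverse pointer, as the title says, the reverse lookup code needs to be covered too.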

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/571572/+subscriptions
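
A small diagnostic for the name selection discussed in this bug, added here as an example (it is not code from krb5 or from the reporters). The helpers pick_host and build_spn are hypothetical, and the selection order (typed name, then forward canonical name, then PTR name) is a simplified model assumed for illustration; all three candidates come from what the user typed or from DNS answers.

```c
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper: simplified model of the choice discussed in the bug,
 * not krb5's code. canon/ptr may be NULL or "" when a lookup gave nothing. */
const char *pick_host(const char *typed, const char *canon, const char *ptr,
                      int use_canon, int use_rdns)
{
    const char *host = typed;
    if (use_canon && canon && *canon)
        host = canon;          /* forward name returned under AI_CANONNAME */
    if (use_rdns && ptr && *ptr)
        host = ptr;            /* PTR name overrides the forward name */
    return host;
}

/* Hypothetical helper: write "service/host"; -1 if it does not fit. */
int build_spn(char *out, size_t len, const char *service, const char *host)
{
    int n = snprintf(out, len, "%s/%s", service, host);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Resolve argv[1] and print the name each combination would ask for. */
int main(int argc, char **argv)
{
    struct addrinfo hints, *ai = NULL;
    char ptr[1025] = "", spn[1100];
    int err, canon, rdns;
    if (argc < 2) { fprintf(stderr, "usage: %s hostname\n", argv[0]); return 2; }
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_INET;
    hints.ai_flags = AI_CANONNAME;
    err = getaddrinfo(argv[1], NULL, &hints, &ai);
    if (err) { fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(err)); return 1; }
    /* NI_NAMEREQD: fail instead of returning a numeric address */
    if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ptr, sizeof(ptr), NULL, 0, NI_NAMEREQD))
        ptr[0] = '\0';
    for (canon = 0; canon <= 1; canon++)
        for (rdns = 0; rdns <= 1; rdns++)
            if (build_spn(spn, sizeof(spn), "HTTP",
                          pick_host(argv[1], ai->ai_canonname, ptr, canon, rdns)) == 0)
                printf("canon=%d rdns=%d -> %s\n", canon, rdns, spn);
    freeaddrinfo(ai);
    return 0;
}
```

Run it with the site name typed into the browser and compare the printed names with the service principals that klist shows.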