[Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.
Russ Allbery
rra at debian.org
Thu Apr 29 19:02:59 BST 2010
Jesper Krogh <jesper at krogh.cc> writes:
> Never the less it is a change from earlier versions of Ubuntu and a
> change that makes Ubuntu + Firefox work in a different way than MS
> Windows + MSIE (negoiating different tickets), thus breaking Single
> Signon in typical Kerberos enabled environments.. our is a corporate one
> with Active Directory as Kerbereos and both MS IIS and Ubuntu Apache +
> mod_auth_kerb on the serverside.
> Used to work.. lucid breaks it..
I'm confused why you're seeing a change, since in my experience it's been
this way for quite some time. Firefox used the final hostname, whereas IE
always used the URL name. When we deployed Negotiate-Auth with
mod_auth_kerb, we had to add both principals to the server keytab. Many
other people had the same issue, as discussed on the mod_auth_kerb mailing
list, which is why mod_auth_kerb added an option to use any principal in
its keytab. This all happened back in 2007 for us.
--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>
--
krb5 prefers the reverse pointer no matter what for locating service tickets.
https://bugs.launchpad.net/bugs/571572
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in ubuntu.
More information about the Ubuntu-server-bugs
mailing list