[Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.

Russ Allbery rra at debian.org
Thu Apr 29 19:02:59 BST 2010


Jesper Krogh <jesper at krogh.cc> writes:

> Never the less it is a change from earlier versions of Ubuntu and a
> change that makes Ubuntu + Firefox work in a different way than MS
> Windows + MSIE (negoiating different tickets), thus breaking Single
> Signon in typical Kerberos enabled environments.. our is a corporate one
> with Active Directory as Kerbereos and both MS IIS and Ubuntu Apache +
> mod_auth_kerb on the serverside.

> Used to work.. lucid breaks it..

I'm confused why you're seeing a change, since in my experience it's been
this way for quite some time.  Firefox used the final hostname, whereas IE
always used the URL name.  When we deployed Negotiate-Auth with
mod_auth_kerb, we had to add both principals to the server keytab.  Many
other people had the same issue, as discussed on the mod_auth_kerb mailing
list, which is why mod_auth_kerb added an option to use any principal in
its keytab.  This all happened back in 2007 for us.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>

-- 
krb5 prefers the reverse pointer no matter what for locating service tickets.  
https://bugs.launchpad.net/bugs/571572
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in ubuntu.



More information about the Ubuntu-server-bugs mailing list