Package: libgssapi-krb5-2
Version: 1.6.dfsg.4~beta1-13
Severity: important

On my system, resolv.conf looks like this:

domain foo.net
search foo.net foo.lan
nameserver 192.168.1.1

Now, my hostname is bar.foo.net (as hostname --fqdn spits out properly). I tried to kerberize sshd and got some weird effect: Only when I removed foo.lan from the search domains, it worked.

This is reproducible with a little kerberos server/client program I found at Apple: http://developer.apple.com/SampleCode/KerberosGSS/KerberosGSS.zip
(Start with ./gssserver -s foo to make it call krb5_gss_acquire_cred.)

strace'ing revealed that libgssapi-krb5 is first resolving bar.foo.net, then bar.foo.lan, then reverse(bar.foo.lan) and then takes this as hostname for the realm.

To give a bit of background info why this setup is necessary:
bar.foo.net is a public domain with a public DNS, containing exactly one AAAA record which is updated to wherever the computer is at the moment (notebook).
bar.foo.lan is an internal domain at an internal DNS, containing an A record and an AAAA record. This DNS is internal because most part of it is behind a NAT and thus uninteresting for the rest of the world. Additionally, it needs to be updated by other people in-house which should not get access to the public DNS infrastructure.

Regardless of the sense or nonsense of this setup, resolving should stop at the first match, that is, bar.foo.net with its AAAA record.

In sshd, the problem can be worked around by using GSSAPIStrictAcceptorCheck no. I have not yet tested other programs but I think they might not all have such a workaround and might break, thus I filed this bug with severity: important.

Unfortunately I wasn’t able to find the code which does the resolving itself or I would have sent a patch. Please enlighten me.
-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.29.1-midna-2 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libgssapi-krb5-2 depends on:
ii  libc6            2.9-12               GNU C Library: Shared libraries
ii  libcomerr2       1.41.3-1             common error description library
ii  libk5crypto3     1.6.dfsg.4~beta1-13  MIT Kerberos runtime libraries - C
ii  libkeyutils1     1.2-10               Linux Key Management Utilities (li
ii  libkrb5-3        1.6.dfsg.4~beta1-13  MIT Kerberos runtime libraries
ii  libkrb5support0  1.6.dfsg.4~beta1-13  MIT Kerberos runtime libraries - S

libgssapi-krb5-2 recommends no packages.

Versions of packages libgssapi-krb5-2 suggests:
ii  krb5-doc   1.6.dfsg.4~beta1-13  Documentation for MIT Kerberos
pn  krb5-user  <none>               (no description available)

-- no debconf information
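
A diagnostic for the lookup sequence described in the report (forward resolution of the hostname, then a reverse lookup of the resulting address), added here as an example; it is not code from the report or from MIT Kerberos. The function names are hypothetical, and it uses only the standard getaddrinfo()/getnameinfo() calls to show whether the two steps yield the same hostname on a given machine.

```c
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>

/* Forward step: resolve `name` (the resolv.conf search list applies). */
int forward_canon(const char *name, char *canon, size_t len,
                  struct sockaddr_storage *addr, socklen_t *alen)
{
    struct addrinfo hints, *res;
    memset(&hints, 0, sizeof hints);
    hints.ai_flags = AI_CANONNAME;      /* ask for the canonical name */
    int rc = getaddrinfo(name, NULL, &hints, &res);
    if (rc != 0) return rc;
    snprintf(canon, len, "%s", res->ai_canonname ? res->ai_canonname : name);
    memcpy(addr, res->ai_addr, res->ai_addrlen);   /* first address only */
    *alen = res->ai_addrlen;
    freeaddrinfo(res);
    return 0;
}

/* Reverse step: NI_NAMEREQD turns a missing PTR record into an error. */
int reverse_name(const struct sockaddr_storage *addr, socklen_t alen,
                 char *out, size_t len)
{
    return getnameinfo((const struct sockaddr *)addr, alen, out, len,
                       NULL, 0, NI_NAMEREQD);
}

/* Hostname comparison: case-insensitive, one trailing dot ignored. */
int same_host(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la && a[la - 1] == '.') la--;
    if (lb && b[lb - 1] == '.') lb--;
    return la == lb && strncasecmp(a, b, la) == 0;
}

int main(int argc, char **argv)
{
    char fwd[1025], rev[1025];
    struct sockaddr_storage ss; socklen_t sl;
    if (argc != 2 || forward_canon(argv[1], fwd, sizeof fwd, &ss, &sl) != 0)
        return 2;                       /* usage error or forward lookup failed */
    int have_rev = reverse_name(&ss, sl, rev, sizeof rev) == 0;
    printf("forward: %s\nreverse: %s\n", fwd, have_rev ? rev : "(no PTR)");
    return have_rev && !same_host(fwd, rev);   /* exit 1 only on a mismatch */
}
```

Run it with the machine's FQDN as the only argument, once with and once without the extra search domain, and compare the two names it prints.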