Your message dated Wed, 20 May 2009 13:55:25 +0000 with message-id <e1m6mgt-0006us...@ries.debian.org> and subject line Bug#528729: fixed in krb5 1.7dfsg~beta2-4 has caused the Debian Bug report #528729, regarding RC4 interop with AD KDCs broken in MIT Kerberos 1.7 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 528729: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528729 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: libkrb5-3 Version: 1.7dfsg~beta1-3 Severity: normal Negotiate-Auth with SPNEGO via a cross-realm trust relationship to an IIS server worked properly in 1.6.dfsg.4~beta1-13 but fails in 1.7dfsg~beta1-3 and later. (Unfortunately, it wasn't something that changed between beta1 and beta2.) With a successful authentication with 1.6.dfsg.4~beta1-13, I see the following in my ticket cache after authentication: Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: r...@stanford.edu Valid starting Expires Service principal 05/14/09 17:35:01 05/15/09 17:34:57 krbtgt/stanford....@stanford.edu 05/14/09 17:35:06 05/15/09 17:34:57 krbtgt/win.stanford....@stanford.edu 05/14/09 17:35:55 05/15/09 17:34:57 krbtgt/it.win.stanford....@win.stanford.edu 05/14/09 17:36:44 05/15/09 17:34:57 HTTP/infraappprod.stanford....@it.win.stanford.edu With the unsuccessful authentication with 1.7dfsg~beta1-3 and later, I see: Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: r...@stanford.edu Valid starting Expires Service principal 05/14/09 17:36:46 05/15/09 17:36:44 krbtgt/stanford....@stanford.edu 05/14/09 17:36:51 05/15/09 17:36:44 krbtgt/win.stanford....@stanford.edu 05/14/09 17:37:41 05/15/09 17:36:44 krbtgt/it.win.stanford....@win.stanford.edu so the obtaining of the last hop of the ticket doesn't work, or Firefox somehow fails before that point. Indeed, it looks like the problem is below the GSSAPI layer and has something to do with the cross-realm trust. With 1.7beta2: wanderer:~> kvno HTTP/infraappprod.stanford....@it.win.stanford.edu kvno: Message stream modified while getting credentials for HTTP/ifraappprod.stanford....@it.win.stanford.edu Note that I get this same error even if I request a ticket for a principal that doesn't exist in IT.WIN.STANFORD.EDU. Compare to 1.6.4beta1: windlord:~> kvno HTTP/infraappprod.stanford....@it.win.stanford.edu HTTP/infraappprod.stanford....@it.win.stanford.edu: kvno = 43 klist with encryption types: Ticket cache: FILE:/tmp/krb5cc_1000_EGNcc23095 Default principal: r...@stanford.edu Valid starting Expires Service principal 05/14/09 17:23:11 05/15/09 17:23:05 krbtgt/stanford....@stanford.edu Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, Triple DES cbc mode with HMAC/sha1 05/14/09 17:23:11 05/15/09 17:23:05 afs/ir.stanford....@stanford.edu Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32 05/14/09 17:42:41 05/15/09 17:23:05 krbtgt/win.stanford....@stanford.edu Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32 05/14/09 17:43:30 05/15/09 17:23:05 krbtgt/it.win.stanford....@win.stanford.edu Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5 05/14/09 17:43:37 05/15/09 17:23:05 HTTP/infraappprod.stanford....@it.win.stanford.edu Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5 -- System Information: Debian Release: squeeze/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages libgssapi-krb5-2 depends on: ii libc6 2.9-4 GNU C Library: Shared libraries ii libcomerr2 1.41.3-1 common error description library ii libk5crypto3 1.6.dfsg.4~beta1-13 MIT Kerberos runtime libraries - C ii libkeyutils1 1.2-10 Linux Key Management Utilities (li ii libkrb5-3 1.6.dfsg.4~beta1-13 MIT Kerberos runtime libraries ii libkrb5support0 1.6.dfsg.4~beta1-13 MIT Kerberos runtime libraries - S libgssapi-krb5-2 recommends no packages. Versions of packages libgssapi-krb5-2 suggests: ii krb5-doc 1.6.dfsg.4~beta1-13 Documentation for MIT Kerberos ii krb5-user 1.6.dfsg.4~beta1-13 Basic programs to authenticate usi -- no debconf information
--- End Message ---
--- Begin Message ---Source: krb5 Source-Version: 1.7dfsg~beta2-4 We believe that the bug you reported is fixed in the latest version of krb5, which is due to be installed in the Debian FTP archive: krb5-admin-server_1.7dfsg~beta2-4_amd64.deb to pool/main/k/krb5/krb5-admin-server_1.7dfsg~beta2-4_amd64.deb krb5-clients_1.7dfsg~beta2-4_amd64.deb to pool/main/k/krb5/krb5-clients_1.7dfsg~beta2-4_amd64.deb krb5-doc_1.7dfsg~beta2-4_all.deb to pool/main/k/krb5/krb5-doc_1.7dfsg~beta2-4_all.deb krb5-ftpd_1.7dfsg~beta2-4_amd64.deb to pool/main/k/krb5/krb5-ftpd_1.7dfsg~beta2-4_amd64.deb krb5-kdc-ldap_1.7dfsg~beta2-4_amd64.deb to pool/main/k/krb5/krb5-kdc-ldap_1.7dfsg~beta2-4_amd64.deb krb5-kdc_1.7dfsg~beta2-4_amd64.deb to pool/main/k/krb5/krb5-kdc_1.7dfsg~beta2-4_amd64.deb krb5-pkinit_1.7dfsg~beta2-4_amd64.deb to pool/main/k/krb5/krb5-pkinit_1.7dfsg~beta2-4_amd64.deb krb5-rsh-server_1.7dfsg~beta2-4_amd64.deb to pool/main/k/krb5/krb5-rsh-server_1.7dfsg~beta2-4_amd64.deb krb5-telnetd_1.7dfsg~beta2-4_amd64.deb to pool/main/k/krb5/krb5-telnetd_1.7dfsg~beta2-4_amd64.deb krb5-user_1.7dfsg~beta2-4_amd64.deb to pool/main/k/krb5/krb5-user_1.7dfsg~beta2-4_amd64.deb krb5_1.7dfsg~beta2-4.diff.gz to pool/main/k/krb5/krb5_1.7dfsg~beta2-4.diff.gz krb5_1.7dfsg~beta2-4.dsc to pool/main/k/krb5/krb5_1.7dfsg~beta2-4.dsc libgssapi-krb5-2_1.7dfsg~beta2-4_amd64.deb to pool/main/k/krb5/libgssapi-krb5-2_1.7dfsg~beta2-4_amd64.deb libgssrpc4_1.7dfsg~beta2-4_amd64.deb to pool/main/k/krb5/libgssrpc4_1.7dfsg~beta2-4_amd64.deb libk5crypto3_1.7dfsg~beta2-4_amd64.deb to pool/main/k/krb5/libk5crypto3_1.7dfsg~beta2-4_amd64.deb libkadm5clnt6_1.7dfsg~beta2-4_amd64.deb to pool/main/k/krb5/libkadm5clnt6_1.7dfsg~beta2-4_amd64.deb libkadm5srv6_1.7dfsg~beta2-4_amd64.deb to pool/main/k/krb5/libkadm5srv6_1.7dfsg~beta2-4_amd64.deb libkdb5-4_1.7dfsg~beta2-4_amd64.deb to pool/main/k/krb5/libkdb5-4_1.7dfsg~beta2-4_amd64.deb libkrb5-3_1.7dfsg~beta2-4_amd64.deb to pool/main/k/krb5/libkrb5-3_1.7dfsg~beta2-4_amd64.deb libkrb5-dbg_1.7dfsg~beta2-4_amd64.deb to pool/main/k/krb5/libkrb5-dbg_1.7dfsg~beta2-4_amd64.deb libkrb5-dev_1.7dfsg~beta2-4_amd64.deb to pool/main/k/krb5/libkrb5-dev_1.7dfsg~beta2-4_amd64.deb libkrb5support0_1.7dfsg~beta2-4_amd64.deb to pool/main/k/krb5/libkrb5support0_1.7dfsg~beta2-4_amd64.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 528...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Sam Hartman <hartm...@debian.org> (supplier of updated krb5 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Wed, 20 May 2009 08:57:53 -0400 Source: krb5 Binary: krb5-user krb5-clients krb5-rsh-server krb5-ftpd krb5-telnetd krb5-kdc krb5-kdc-ldap krb5-admin-server libkrb5-dev libkrb5-dbg krb5-pkinit krb5-doc libkrb5-3 libgssapi-krb5-2 libgssrpc4 libkadm5srv6 libkadm5clnt6 libk5crypto3 libkdb5-4 libkrb5support0 Architecture: source all amd64 Version: 1.7dfsg~beta2-4 Distribution: unstable Urgency: low Maintainer: Sam Hartman <hartm...@debian.org> Changed-By: Sam Hartman <hartm...@debian.org> Description: krb5-admin-server - MIT Kerberos master server (kadmind) krb5-clients - Secure replacements for ftp, telnet and rsh using MIT Kerberos krb5-doc - Documentation for MIT Kerberos krb5-ftpd - Secure FTP server supporting MIT Kerberos krb5-kdc - MIT Kerberos key server (KDC) krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin krb5-pkinit - PKINIT plugin for MIT Kerberos krb5-rsh-server - Secure replacements for rshd and rlogind using MIT Kerberos krb5-telnetd - Secure telnet server supporting MIT Kerberos krb5-user - Basic programs to authenticate using MIT Kerberos libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library libkadm5clnt6 - MIT Kerberos runtime libraries - Administration Clients libkadm5srv6 - MIT Kerberos runtime libraries - KDC and Admin Server libkdb5-4 - MIT Kerberos runtime libraries - Kerberos database libkrb5-3 - MIT Kerberos runtime libraries libkrb5-dbg - Debugging files for MIT Kerberos libkrb5-dev - Headers and development libraries for MIT Kerberos libkrb5support0 - MIT Kerberos runtime libraries - Support library Closes: 528729 528828 Changes: krb5 (1.7dfsg~beta2-4) unstable; urgency=low . * Upstream fixes to RT #6490, Closes: #528729 - Use MS usage 9 not 8 for tgs-rep encrypted in subkey - Do not use keyed checksum with RC4; WS2003 expects it to be encrypted in the subsession key, everyone else expects the session key. Note that a keyed checksum for RC4 would work against WS2008. * Patch from Marc Dequ?nes (Duck) for HURD portability, Closes: #528828 Checksums-Sha1: 5e30eaeb89b288ca8b214d89f26349376e62d89e 1618 krb5_1.7dfsg~beta2-4.dsc 43dd2972b5e7448a6c0b10d0c1061c50879125a3 97168 krb5_1.7dfsg~beta2-4.diff.gz 8815f7cc28ca501ac37247719ccf6fa12d49cc59 2168466 krb5-doc_1.7dfsg~beta2-4_all.deb 84fcfffb5c82a34993a66b60f603642457c8a521 140944 krb5-user_1.7dfsg~beta2-4_amd64.deb 1db3463dad588588cc76f37fb1cd98b81c55ff73 220770 krb5-clients_1.7dfsg~beta2-4_amd64.deb b52be0a52f419f934dcb3e15e310fa831d28f355 84488 krb5-rsh-server_1.7dfsg~beta2-4_amd64.deb d08714a985521b3da8201cf0d425126db2fd9ddd 68538 krb5-ftpd_1.7dfsg~beta2-4_amd64.deb 1999ebc5a40a0e14bbad281ec762716d182c1198 76094 krb5-telnetd_1.7dfsg~beta2-4_amd64.deb 7c542a086859876148090df5bda053c7442c58d1 204968 krb5-kdc_1.7dfsg~beta2-4_amd64.deb 5688825e0ff4ab92a4ac3bdf4b7325c1124e2514 109756 krb5-kdc-ldap_1.7dfsg~beta2-4_amd64.deb 859430df9e4409e0817230e426ffad99800ebfad 107220 krb5-admin-server_1.7dfsg~beta2-4_amd64.deb 80b5a08b4687d89f5ab88d8e50eefb10a2cb2872 100396 libkrb5-dev_1.7dfsg~beta2-4_amd64.deb 95a534de76f9eea5df160ac1460f4fe3650debeb 1532262 libkrb5-dbg_1.7dfsg~beta2-4_amd64.deb f5f2c526e07574b2e12684c4423737d55228c485 70810 krb5-pkinit_1.7dfsg~beta2-4_amd64.deb ff1003969dc0201315d8fdfc1cc909a8f29c10cb 358284 libkrb5-3_1.7dfsg~beta2-4_amd64.deb 4afc560351ff0166d07ac57bfe712dded7e396ad 114116 libgssapi-krb5-2_1.7dfsg~beta2-4_amd64.deb 45a3d5585c71d4d402ac3ec60ed21fd233486df4 79536 libgssrpc4_1.7dfsg~beta2-4_amd64.deb adf380b70fa399e622bd0818024ad9f66489242e 74262 libkadm5srv6_1.7dfsg~beta2-4_amd64.deb 9426e527498d5ea7ca600cf6a9e756d865da747d 60978 libkadm5clnt6_1.7dfsg~beta2-4_amd64.deb a879417bd738343fc9cf45099c45ee3dc3f567b4 106070 libk5crypto3_1.7dfsg~beta2-4_amd64.deb 72cb038dc706f624cf3bc32326f15df9161e9ee6 58822 libkdb5-4_1.7dfsg~beta2-4_amd64.deb 1946c6fb08e52a5980cb247ca6c5028e08e46803 41902 libkrb5support0_1.7dfsg~beta2-4_amd64.deb Checksums-Sha256: 8917d7426966b2888679317cb73d00a2b4e1bbb5ebd37dab52a3de6ab8e743c9 1618 krb5_1.7dfsg~beta2-4.dsc 63f477aca836f54d49d15bc9d4a249e49efe11964d32b3efe70a0889ff79d031 97168 krb5_1.7dfsg~beta2-4.diff.gz cc82f48707c7180d513be292f9c86a5e9f9967cf4638f3d1c8ed07b60281d614 2168466 krb5-doc_1.7dfsg~beta2-4_all.deb 372e0e75384de7cf8b5754e386b517f6673a457c48451449065fd6d5c51f51d6 140944 krb5-user_1.7dfsg~beta2-4_amd64.deb 198a97d1a9512b24231b7ed53fd82febfba1d82b181baed76c111bba808b6745 220770 krb5-clients_1.7dfsg~beta2-4_amd64.deb c2b2a91a20c098b7836a7b43523eb63039e1f1fdb47447651af368af983d8400 84488 krb5-rsh-server_1.7dfsg~beta2-4_amd64.deb b7ea5589f5ff7bdcfb0001763fd6d86b45546fb2c2163246f4c4ce8bf86c7e0e 68538 krb5-ftpd_1.7dfsg~beta2-4_amd64.deb 5f61b95c2564701ac9c58dd203965b8677b7a9c2f76a934fc460da3bb1ade225 76094 krb5-telnetd_1.7dfsg~beta2-4_amd64.deb df90947bc94b8e72a72c5a7a589423c165cbc467dab02a622f1b41338037b202 204968 krb5-kdc_1.7dfsg~beta2-4_amd64.deb 825f3d77f3168683a503d3844bdaa2c44e78efede4b693ceabd4b1759bb3a167 109756 krb5-kdc-ldap_1.7dfsg~beta2-4_amd64.deb 06a292a3c83092e4ebdc4cd70c6f3fe29927e94a4b67434fe8c00a8e632371b6 107220 krb5-admin-server_1.7dfsg~beta2-4_amd64.deb b3a7266ef706cae06c74b8a52730876b1ee76b0727b505f8fff8d62b30821e6b 100396 libkrb5-dev_1.7dfsg~beta2-4_amd64.deb 30468c6995cdc6084f97daeb9c927f561542228b76ca5440ed5675ab94675ace 1532262 libkrb5-dbg_1.7dfsg~beta2-4_amd64.deb 722602e935ba083451b80900ed97040274b1aa9ade37acd7f9d3add8cadc583a 70810 krb5-pkinit_1.7dfsg~beta2-4_amd64.deb c1496216acd2ffcb210d6ab53f0b29289dcb60a40a31ddb9b9885eef2e0a6c6f 358284 libkrb5-3_1.7dfsg~beta2-4_amd64.deb 4810a19bc978400098ce2e1e13d20f15d991aebe9a27e96105ce38578bb926bc 114116 libgssapi-krb5-2_1.7dfsg~beta2-4_amd64.deb c4c407df7bc15461f1af1aed1ce5ba6bf39e4f0cf188d1d6b92e8ff6774051dc 79536 libgssrpc4_1.7dfsg~beta2-4_amd64.deb d91af7b370bfcf1901d4df73ae827eaeba7b313ebe9809e0c45418a1efa0ca6a 74262 libkadm5srv6_1.7dfsg~beta2-4_amd64.deb 38d15d17dd95d12b24b0aff841e418d6039058877dd28908feb7d4b8dc585fe9 60978 libkadm5clnt6_1.7dfsg~beta2-4_amd64.deb 4b74ea000a5b053e57504c3b72583d231714bcafed5ebab373d9db4aecdf4e4a 106070 libk5crypto3_1.7dfsg~beta2-4_amd64.deb dbdb967b64a7350ab06f1e6154d563ddd9b4bb2f0b03297f43dc60cf8229df32 58822 libkdb5-4_1.7dfsg~beta2-4_amd64.deb 5d51653440754c8108546325015871dd9fd29ec847d2cb9f04e4942386ae421f 41902 libkrb5support0_1.7dfsg~beta2-4_amd64.deb Files: e17230fd55395989a007391ced2d9bc7 1618 net standard krb5_1.7dfsg~beta2-4.dsc 75847fe984b32799f19156d29cfd0281 97168 net standard krb5_1.7dfsg~beta2-4.diff.gz c0787b29315ed2f94624ec20f29698da 2168466 doc optional krb5-doc_1.7dfsg~beta2-4_all.deb ddd42175e9d10a1d286cd5256dfdfb66 140944 net optional krb5-user_1.7dfsg~beta2-4_amd64.deb c55210eacf0ea254438bb227ffa25282 220770 net optional krb5-clients_1.7dfsg~beta2-4_amd64.deb 9c4c25e98a952ddcb697c656ef996f01 84488 net optional krb5-rsh-server_1.7dfsg~beta2-4_amd64.deb 11485be34dc8d4f178feb38850dd35f0 68538 net extra krb5-ftpd_1.7dfsg~beta2-4_amd64.deb c344438059b4a4fd3edfa45ce0829d7b 76094 net extra krb5-telnetd_1.7dfsg~beta2-4_amd64.deb ac8c6b6b3e924387afaf6da4271c4159 204968 net optional krb5-kdc_1.7dfsg~beta2-4_amd64.deb 812da2d1986b59cfd890304efd540f9f 109756 net extra krb5-kdc-ldap_1.7dfsg~beta2-4_amd64.deb 67b22956c8bb71e7376eff4f13e47c7b 107220 net optional krb5-admin-server_1.7dfsg~beta2-4_amd64.deb 049eb90dcc5d9dbec9f61f4591e23825 100396 libdevel extra libkrb5-dev_1.7dfsg~beta2-4_amd64.deb f31a1644a7367500513820fd87a9ee54 1532262 debug extra libkrb5-dbg_1.7dfsg~beta2-4_amd64.deb c9bcc5f0e70fae1ef3a57faca0ed4499 70810 net extra krb5-pkinit_1.7dfsg~beta2-4_amd64.deb c1001308df34a11fd2edfc8125cae323 358284 libs standard libkrb5-3_1.7dfsg~beta2-4_amd64.deb 61191b08a6f62f4556050d6e2755232e 114116 libs standard libgssapi-krb5-2_1.7dfsg~beta2-4_amd64.deb 6deb6683aeae9f2aa35665483e2e9728 79536 libs standard libgssrpc4_1.7dfsg~beta2-4_amd64.deb 1f0757a3743b7b0e1770527e84a3b14d 74262 libs standard libkadm5srv6_1.7dfsg~beta2-4_amd64.deb 43cb6640f6aeb9ec572d938ed5f45c9a 60978 libs standard libkadm5clnt6_1.7dfsg~beta2-4_amd64.deb f4d8a32962365ec15366e1c8ffc84104 106070 libs standard libk5crypto3_1.7dfsg~beta2-4_amd64.deb 82471998a913971805ac2ac77e717c69 58822 libs standard libkdb5-4_1.7dfsg~beta2-4_amd64.deb 73058df349e20d6739a955bbcb72316d 41902 libs standard libkrb5support0_1.7dfsg~beta2-4_amd64.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkoUBfUACgkQ/I12czyGJg+RxACfcZW7zE8j8hD6AYEuR2eY67D+ J+AAnR3zcHOtkIfVzPrtNQm1gwk9ypJY =NT8g -----END PGP SIGNATURE-----
--- End Message ---
