Hello Joshua, or anyone else affected,

Accepted krb5 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/krb5/1.13.2+dfsg-5ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Description changed:

+ [Impact] MS-SPNG section 3.3.5.1 documents an odd behavior the SPNEGO layer needs to implement specifically for the NTLMSSP mechanism. This is required for compatibility with Windows services. Upstream commit: https://github.com/krb5/krb5/commit/cb96ca52a3354e5a0ea52e12495ff375de54f9b7 We've run into this issue with Linux to Windows negotiation with encrypted http using GSSAPI.
+ + [Test Case] + + create a file with some credentials: + + $ echo F23:guest:guest > ~/ntlmcreds.txt + $ export NTLM_USER_FILE=~/ntlmcreds.txt + $ python + import gssapi + + spnego = gssapi.raw.oids.OID.from_int_seq('1.3.6.1.5.5.2') + c = gssapi.creds.Credentials(mechs=[spnego], usage='initiate') + tname = gssapi.raw.names.import_name("F23/server", name_type=gssapi.raw.types.NameType.hostbased_service) + ac = gssapi.creds.Credentials(mechs=[spnego], usage='accept') + + seci = gssapi.SecurityContext(creds=c, name=tname, mech=spnego, usage='initiate') + seca = gssapi.SecurityContext(creds=ac, usage='accept') + it = seci.step(token=None) + ot = seca.step(token=it) + it = seci.step(token=ot) + ot = seca.step(token=it) + it = seci.step(token=ot) + + e = seci.wrap("Secrets", True) + o = seca.unwrap(e.message) + + o.message + 'Secrets'

** Changed in: krb5 (Ubuntu Xenial)
       Status: Incomplete => Fix Committed

** Tags added: verification-needed

** Changed in: krb5 (Ubuntu Trusty)
       Status: Incomplete => Fix Committed

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1643708

Title:
  Add SPNEGO special case for NTLMSSP+MechListMIC

Status in krb5 package in Ubuntu:
  Fix Released
Status in krb5 source package in Trusty:
  Fix Committed
Status in krb5 source package in Xenial:
  Fix Committed
Status in krb5 source package in Yakkety:
  Fix Committed

Bug description:
  [Impact]

  MS-SPNG section 3.3.5.1 documents an odd behavior the SPNEGO layer needs to implement specifically for the NTLMSSP mechanism.
  This is required for compatibility with Windows services.

  Upstream commit: https://github.com/krb5/krb5/commit/cb96ca52a3354e5a0ea52e12495ff375de54f9b7

  We've run into this issue with Linux to Windows negotiation with encrypted http using GSSAPI.

  [Test Case]

  create a file with some credentials:

  $ echo F23:guest:guest > ~/ntlmcreds.txt
  $ export NTLM_USER_FILE=~/ntlmcreds.txt
  $ python
  import gssapi

  spnego = gssapi.raw.oids.OID.from_int_seq('1.3.6.1.5.5.2')
  c = gssapi.creds.Credentials(mechs=[spnego], usage='initiate')
  tname = gssapi.raw.names.import_name("F23/server", name_type=gssapi.raw.types.NameType.hostbased_service)
  ac = gssapi.creds.Credentials(mechs=[spnego], usage='accept')

  seci = gssapi.SecurityContext(creds=c, name=tname, mech=spnego, usage='initiate')
  seca = gssapi.SecurityContext(creds=ac, usage='accept')
  it = seci.step(token=None)
  ot = seca.step(token=it)
  it = seci.step(token=ot)
  ot = seca.step(token=it)
  it = seci.step(token=ot)

  e = seci.wrap("Secrets", True)
  o = seca.unwrap(e.message)

  o.message
  'Secrets'
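
Review bot: the [Test Case] added in the description change stops at the expected result (o.message returning 'Secrets') and never says what an unfixed krb5 does at the same steps, so a tester has no failing baseline to compare against; add a line naming the step that fails before the fix and the error seen. The steps also assume that "import gssapi" works and that NTLM_USER_FILE is honoured, so list what must be installed before "$ python" is run.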