Public bug reported:

Known upstream bug, see:
https://bugzilla.redhat.com/show_bug.cgi?id=811518

Quoting from the upstream description:

"If krb5_canonicalize is not present or is True in sssd.conf, then sssd
asks krb5_get_init_creds_keytab() to canonicalize principals. This can
change the client principal. When writing out the credential cache, we
should use this changed principal, and not the original one.  Failure to
do this results in errors when LDAP tries to use the credential cache."

In our case, setting "krb5_canonicalize = false" in sssd.conf worked
around the issue, but according to `man 5 sssd-krb5` it should be false
by default:

"krb5_canonicalize (boolean)
           Specifies if the host and user principal should be canonicalized. This
           feature is available with MIT Kerberos >= 1.7

           Default: false"

** Affects: sssd (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  Known upstream bug, see:
  https://bugzilla.redhat.com/show_bug.cgi?id=811518
  
  Quoting from the upstream description:
  
  "If krb5_canonicalize is not present or is True in sssd.conf, then sssd
  asks krb5_get_init_creds_keytab() to canonicalize principals. This can
  change the client principal. When writing out the credential cache, we
  should use this changed principal, and not the original one.  Failure to
  do this results in errors when LDAP tries to use the credential cache."
  
  In our case, setting "krb5_canonicalize = false" in sssd.conf solved the
  issue, but according to `man 5 sssd-krb5` it should be false by default:
  
  "krb5_canonicalize (boolean)
-            Specifies if the host and user principal should be canonicalized. 
This feature is
-            available with MIT Kerberos >= 1.7
+            Specifies if the host and user principal should be canonicalized. 
This 
+            feature is available with MIT Kerberos >= 1.7
  
-            Default: false"
+            Default: false"

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/985031

Title:
  Invalid cache file created when canoning principals during
  krb5_get_init_creds_keytab()

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/985031/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
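The workaround in the report is to set `krb5_canonicalize = false` explicitly, because the affected sssd behaves as if the option were true whenever it is absent. The following script is an added example (not part of the bug report or of the sssd project) that audits an sssd.conf for every `[domain/...]` section and reports which domains still rely on the absent-or-true behaviour. It assumes the INI layout documented in sssd.conf(5) and that boolean values are written as `true`/`false` (case-insensitive); the configuration text is constructed inline so the script runs offline.

```python
"""Audit sssd.conf for the krb5_canonicalize setting, per domain section.

Added example, not code from the bug report or from sssd. Assumes the
sssd.conf(5) INI layout: one [domain/NAME] section per domain, booleans
written as true/false in any letter case.
"""
import configparser

# Constructed sample sssd.conf: three domains, two set the option explicitly.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.com, corp.example, lab.example
services = nss, pam

[domain/example.com]
id_provider = ldap
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_canonicalize = false

[domain/corp.example]
id_provider = ldap
auth_provider = krb5
krb5_realm = CORP.EXAMPLE
krb5_canonicalize = True

[domain/lab.example]
id_provider = ldap
auth_provider = krb5
krb5_realm = LAB.EXAMPLE
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text with the stdlib INI parser (no % interpolation,
    since sssd values are plain strings)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def krb5_canonicalize_status(text):
    """Map each domain name to 'explicit-false', 'explicit-true', 'unset',
    or 'invalid:<value>' for any value that is neither true nor false."""
    parser = parse_sssd_conf(text)
    status = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        domain = section[len("domain/"):]
        raw = parser.get(section, "krb5_canonicalize", fallback=None)
        if raw is None:
            status[domain] = "unset"
            continue
        value = raw.strip().lower()
        if value == "false":
            status[domain] = "explicit-false"
        elif value == "true":
            status[domain] = "explicit-true"
        else:
            status[domain] = "invalid:" + raw.strip()
    return status


def domains_needing_workaround(text):
    """Domains where the reported bug can trigger: canonicalization is
    either requested explicitly or left unset (treated as true by the
    affected sssd, contrary to the documented default)."""
    return sorted(
        domain
        for domain, state in krb5_canonicalize_status(text).items()
        if state in ("unset", "explicit-true")
    )


if __name__ == "__main__":
    for domain, state in krb5_canonicalize_status(SAMPLE_SSSD_CONF).items():
        print(f"{domain}: {state}")
    print("needs krb5_canonicalize = false:",
          ", ".join(domains_needing_workaround(SAMPLE_SSSD_CONF)))
```

Run it against a real file with `krb5_canonicalize_status(open("/etc/sssd/sssd.conf").read())`; any domain reported as `unset` or `explicit-true` on an affected sssd build is a candidate for the explicit `false` workaround from the report, and `invalid:` entries point at typos that sssd would otherwise reject at startup.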
