[krbdev.mit.edu #7714] Kerberos 1.11 incompatibility with some Solaris 10 systems
Richard Basch via RT
rt-comment at krbdev.mit.edu
Tue Oct 8 09:29:17 EDT 2013
I can't find the original email chain/bug report, but based on some side
discussions at KIT 2013, I am sending an update.
Something in the wire protocol has changed which might affect certain legacy
Solaris clients. Principals which have preauth required might encounter an
issue on clients talking to Kerberos 1.11 KDC servers where the PAM stack
will crash, whereas with Kerberos 1.10 KDC there isn't a problem.
The problem only seems to manifest on Solaris 10 systems which are lacking a
Sun patch:
124235-02 or higher (SPARC Solaris 10)
124236-02 or higher (x86 Solaris 10)
I never actually was able to trace the cause of the issue, but this was
first noticed and fixed in 2006-2007 and the portion of the Sun patch which
is relevant is the GSS mech_krb5.so module.
Hopefully, this update will help others who might encounter the same issue
in the future, especially since 1.10 is likely nearing its end-of-support
date.
More information about the krb5-bugs
mailing list