ksu problem with "Version: 1.12+dfsg-2ubuntu5.1"

Giuseppe Mazza g.mazza at imperial.ac.uk
Wed Feb 18 05:57:50 EST 2015


On 17/02/15 22:51, Benjamin Kaduk wrote:
> On Tue, 17 Feb 2015, Giuseppe Mazza wrote:
>
>> On 17/02/15 17:36, Benjamin Kaduk wrote:
>>> On Tue, 17 Feb 2015, Giuseppe Mazza wrote:
>>
>>
>> client% head -20 /etc/krb5.conf
>> [appdefaults]
>> # [dwm] necessary for DOC.IC.AC.UK
>> 	allow_weak_crypto=true
>>
>> [libdefaults]
>> 	default_realm = DOC.IC.AC.UK
>>
>> # The following krb5.conf variables are only for MIT Kerberos.
>> 	krb4_config = /etc/krb.conf
>> 	krb4_realms = /etc/krb.realms
>> 	kdc_timesync = 1
>> 	ccache_type = 4
>> 	forwardable = true
>> 	proxiable = true
>>
>> # [dwm] necessary for DOC.IC.AC.UK
>> 	allow_weak_crypto=true
>>
>> # The following encryption type specification will be used by MIT Kerberos
>> # if uncommented.  In general, the defaults in the MIT Kerberos code are
>
> Are any of the encryption type specifications in the following lines of
> the file uncommented?
>
> I don't think we've heard any other reports of this sort of issue with
> ksu, and I don't think that its code does anything special that would fail
> to respect allow_weak_crypto, so I am rather puzzled at the behavior you
> are seeing.
>
> Also, you say you are upgrading to Ubuntu 14.04 with krb5
> 1.12+dfsg-2ubuntu5.1, but what version were you upgrading from?  The krb5
> 1.10+dfsg~beta1-2ubuntu0.6 in Ubuntu 12.04?
>
>
> -Ben
>

Here is my /etc/krb5.conf
(I have double checked that there is no line with
the character '#' in the middle of a line):

---------------------------------------------------------------
client% grep -v '#' /etc/krb5.conf
[appdefaults]
	allow_weak_crypto=true

[libdefaults]
	default_realm = DOC.IC.AC.UK

	krb4_config = /etc/krb.conf
	krb4_realms = /etc/krb.realms
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true

	allow_weak_crypto=true

	v4_instance_resolve = false
	v4_name_convert = {
		host = {
			rcmd = host
			ftp = ftp
		}
		plain = {
			something = something-else
		}
	}
	fcc-mit-ticketflags = true

[realms]
	DOC.IC.AC.UK = {
		default_domain = doc.ic.ac.uk
		kdc = kerberos.doc.ic.ac.uk
		kdc = kerberos1.doc.ic.ac.uk
		kdc = kerberos2.doc.ic.ac.uk
		admin_server = kerberos.doc.ic.ac.uk
                 auth_to_local = RULE:[1:$1]
                 auth_to_local = DEFAULT
	}

[domain_realm]
	.doc.ic.ac.uk = DOC.IC.AC.UK
	doc.ic.ac.uk = DOC.IC.AC.UK
	.ic.ac.uk = IC.AC.UK
	ic.ac.uk = IC.AC.UK

[login]
	krb4_convert = true
	krb4_get_tickets = false

[pam]
	forwardable = true

[logging]
	kdc = FILE:/var/log/krb5kdc.log
	admin_server = FILE:/var/log/kadmin.log

---------------------------------------------------------------
My previous version of the package is:

root at slave1:~# aptitude show krb5-admin-server | grep Version
Version: 1.12+dfsg-2ubuntu5
root at slave1:~# aptitude show krb5-kdc | grep Version
Version: 1.12+dfsg-2ubuntu5
root at slave1:~# aptitude show libkrb5-3 | grep Version
Version: 1.12+dfsg-2ubuntu5
root at slave1:~# aptitude show krb5-user | grep Version
Version: 1.12+dfsg-2ubuntu5

where slave1 is a kerberos server that I have not upgraded yet
---------


I have downloaded this version from
https://launchpad.net/ubuntu/+source/krb5/1.12+dfsg-2ubuntu5


root at slave:~# uname -a
Linux slave.doc.ic.ac.uk 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 
21:30:07 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux


Cheers,
Giuseppe





More information about the Kerberos mailing list