Package: libkrb5-3
Version: 1.7dfsg~beta1-3
Severity: normal

Negotiate-Auth with SPNEGO via a cross-realm trust relationship to an IIS server worked properly in 1.6.dfsg.4~beta1-13 but fails in 1.7dfsg~beta1-3 and later. (Unfortunately, it wasn't something that changed between beta1 and beta2.)

With a successful authentication with 1.6.dfsg.4~beta1-13, I see the following in my ticket cache after authentication:

    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: [email protected]

    Valid starting     Expires            Service principal
    05/14/09 17:35:01  05/15/09 17:34:57  krbtgt/[email protected]
    05/14/09 17:35:06  05/15/09 17:34:57  krbtgt/[email protected]
    05/14/09 17:35:55  05/15/09 17:34:57  krbtgt/[email protected]
    05/14/09 17:36:44  05/15/09 17:34:57  HTTP/[email protected]

With the unsuccessful authentication with 1.7dfsg~beta1-3 and later, I see:

    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: [email protected]

    Valid starting     Expires            Service principal
    05/14/09 17:36:46  05/15/09 17:36:44  krbtgt/[email protected]
    05/14/09 17:36:51  05/15/09 17:36:44  krbtgt/[email protected]
    05/14/09 17:37:41  05/15/09 17:36:44  krbtgt/[email protected]

so the obtaining of the last hop of the ticket doesn't work, or Firefox somehow fails before that point.

Indeed, it looks like the problem is below the GSSAPI layer and has something to do with the cross-realm trust. With 1.7beta2:

    wanderer:~> kvno HTTP/[email protected]
    kvno: Message stream modified while getting credentials for HTTP/[email protected]

Note that I get this same error even if I request a ticket for a principal that doesn't exist in IT.WIN.STANFORD.EDU.

Compare to 1.6.4beta1:

    windlord:~> kvno HTTP/[email protected]
    HTTP/[email protected]: kvno = 43

klist with encryption types:

    Ticket cache: FILE:/tmp/krb5cc_1000_EGNcc23095
    Default principal: [email protected]

    Valid starting     Expires            Service principal
    05/14/09 17:23:11  05/15/09 17:23:05  krbtgt/[email protected]
            Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, Triple DES cbc mode with HMAC/sha1
    05/14/09 17:23:11  05/15/09 17:23:05  afs/[email protected]
            Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
    05/14/09 17:42:41  05/15/09 17:23:05  krbtgt/[email protected]
            Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
    05/14/09 17:43:30  05/15/09 17:23:05  krbtgt/[email protected]
            Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
    05/14/09 17:43:37  05/15/09 17:23:05  HTTP/[email protected]
            Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libgssapi-krb5-2 depends on:
ii  libc6            2.9-4                GNU C Library: Shared libraries
ii  libcomerr2       1.41.3-1             common error description library
ii  libk5crypto3     1.6.dfsg.4~beta1-13  MIT Kerberos runtime libraries - C
ii  libkeyutils1     1.2-10               Linux Key Management Utilities (li
ii  libkrb5-3        1.6.dfsg.4~beta1-13  MIT Kerberos runtime libraries
ii  libkrb5support0  1.6.dfsg.4~beta1-13  MIT Kerberos runtime libraries - S

libgssapi-krb5-2 recommends no packages.

Versions of packages libgssapi-krb5-2 suggests:
ii  krb5-doc   1.6.dfsg.4~beta1-13  Documentation for MIT Kerberos
ii  krb5-user  1.6.dfsg.4~beta1-13  Basic programs to authenticate usi

-- no debconf information

