[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
** Changed in: heimdal (Debian) Status: Unknown => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
Ubuntu 23.10 (Mantic Minotaur) has reached end of life, so this bug will not be fixed for that specific release. ** Changed in: heimdal (Ubuntu Mantic) Status: New => Won't Fix -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
The latest in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858970 is that the order in which the files from the .d directory are included by heimdal is not guaranteed, because the code uses readdir(). MIT kerberos applies sorting to the list, and then processes the files in that order. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
Ubuntu 23.10 (Mantic Minotaur) has reached end of life, so this bug will not be fixed for that specific release. ** Changed in: kerberos-configs (Ubuntu Mantic) Status: New => Won't Fix -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
The discussion is continuing in the debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858970 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
The heimdal changes are merged in debian now, just not yet in a package upload. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
That PR was accepted and merged. For some reason, in salsa CI the new test failed, and I proposed https://salsa.debian.org/debian/heimdal/-/merge_requests/4 to fix that. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
PR proposed in salsa for debian heimdal: https://salsa.debian.org/debian/heimdal/-/merge_requests/3 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
I have a heimdal branch with the upstream patch for includedir support, plus a new autopkgtest that exercises it and verifies the inclusion is happening. Code is here: https://code.launchpad.net/~ahasenack/ubuntu/+source/heimdal/+git/heimdal/+ref/oracular- heimdal-add-include-support-2037321 I'll tidy it up a bit and proposed to debian. I found a couple of extra commits in the heimdal github repository that fixup some things in the includedir support that I want to analyze and possibly include. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
** Bug watch added: Debian Bug tracker #1074775 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074775 ** Also affects: heimdal (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074775 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
** Changed in: kerberos-configs (Debian) Status: Unknown => New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
The krb5.conf configuration file is produced by src:kerberos-configs and shared between heimdal kerberos and MIT kerberos. Of those, only MIT kerberos has includedir support in a released version. heimdal has it in their git tree[1], but not yet in a release. Therefore, in order to fully fix this bug, we first need a heimdal package with support for includedir, either by backporting that patch, or waiting for a new upstream heimdal release with that change in it. That commit is from 2017, so 7 years ago, and hasn't landed in a release yet. The last heimdal upstream release is 7.8, from November 2022. While the git repository is quite active, I can't tell when a new release with this fix will be made. I added a comment to the debian bug[2] about the availability of the patch[1]. It applies, and since then I have built it in a ppa[3] and quickly tested the feature. It seems to work. It would be best if debian agreed on applying it, then we could all be on the same page. 1. https://github.com/heimdal/heimdal/commit/fe43be85587f834266623adb0ecf2793d212a7ca 2. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858970 3. https://launchpad.net/~ahasenack/+archive/ubuntu/heimdal-include-support -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
** Also affects: heimdal (Ubuntu) Importance: Undecided Status: New ** Bug watch added: Debian Bug tracker #858970 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858970 ** Also affects: kerberos-configs (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858970 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
Confirmed the issue on jammy, and the fix, by joining a machine to a windows AD domain, and attempting to login via ssh GSSAPIAuthentication as a domain user. It only works if I either put the principal name in ~/.k5login, or include the sssd localauth plugin via the include files as discussed in this bug. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kerberos-configs/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
> Without this passwordless login using GSSAPI via SSH is not possible to a Ubuntu 22.04 machine. This is not entirely true. We have tests that attempt this login and they pass just fine. There is some other detail that is missing. I'll read up in more detail on what the sssd_krb5_localauth_plugin.so plugin does. The upstream bug also had in one of the comments confirmation that a ~/.k5login file with the name of the principal would allow login to work, which tells me some sort of mapping between the username of the ssh command (which can have @DOMAIN components) and the local username is missing, and that plugin might be responsible for it. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kerberos-configs/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
There are two components here: a) sssd to ship /etc/krb5.conf.d/enable_sssd_conf_dir This was done in 2.7.0-1, and is present in ubuntu mantic and later b) krb5.conf to includedir /etc/krb5.conf.d This should be done in src:kerberos-configs, and is not done yet anywhere ** Also affects: sssd (Ubuntu) Importance: Undecided Status: New ** Also affects: kerberos-configs (Ubuntu Jammy) Importance: Undecided Status: New ** Also affects: sssd (Ubuntu Jammy) Importance: Undecided Status: New ** Also affects: kerberos-configs (Ubuntu Mantic) Importance: Undecided Status: New ** Also affects: sssd (Ubuntu Mantic) Importance: Undecided Status: New ** Also affects: kerberos-configs (Ubuntu Noble) Importance: Undecided Status: New ** Also affects: sssd (Ubuntu Noble) Importance: Undecided Status: New ** Also affects: kerberos-configs (Ubuntu Oracular) Importance: Undecided Assignee: Andreas Hasenack (ahasenack) Status: In Progress ** Also affects: sssd (Ubuntu Oracular) Importance: Undecided Status: New ** Changed in: sssd (Ubuntu Oracular) Status: New => Fix Released ** Changed in: sssd (Ubuntu Noble) Status: New => Fix Released ** Changed in: sssd (Ubuntu Mantic) Status: New => Fix Released ** Changed in: sssd (Ubuntu Jammy) Status: New => In Progress ** Changed in: sssd (Ubuntu Jammy) Assignee: (unassigned) => Andreas Hasenack (ahasenack) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kerberos-configs/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
** Changed in: kerberos-configs (Ubuntu) Assignee: (unassigned) => Andreas Hasenack (ahasenack) ** Changed in: kerberos-configs (Ubuntu) Status: Triaged => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kerberos-configs/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
I discussed this with the team; ahasenack suggests that we should add that include line to src:kerberos-configs, which is the package that provides krb5.conf. ** Package changed: sssd (Ubuntu) => kerberos-configs (Ubuntu) ** Changed in: kerberos-configs (Ubuntu) Status: New => Triaged ** Tags added: server-todo -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kerberos-configs/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
Can confirm too. It was hard to find the solution, so I hope this will avoid people banging head on the table. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
