Public bug reported:

I'm trying to upgrade workstations to Lucid and it fails to access our
Kerberos-enabled websites. It reveals that the krb5 implementation in
Lucid now tries to resolve the "reverse DNS" and acquire a ticket for
<service>/<reverse dns> instead of <service>/<what the user typed in the
first place>.

The latter behavior is what the MS environment does and is what Ubuntu
has done (I think) until Lucid. A diff of the source code from Hardy
reveals that we now hint the getaddrinfo with AI_CANONNAME, which it
didn't before.

Applying the patch below enables the old behaviour.

--- krb5-1.8.1+dfsg/src/lib/krb5/os/sn2princ.c.orig     2010-04-29 
09:04:11.401567914 +0200
+++ krb5-1.8.1+dfsg/src/lib/krb5/os/sn2princ.c  2010-04-29 09:04:21.762191834 
+0200
@@ -112,7 +112,7 @@
 
             memset(&hints, 0, sizeof(hints));
             hints.ai_family = AF_INET;
-            hints.ai_flags = AI_CANONNAME;
+//            hints.ai_flags = AI_CANONNAME;
         try_getaddrinfo_again:
             err = getaddrinfo(hostname, 0, &hints, &ai);
             if (err) {
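
Review bot: The replacement line `//            hints.ai_flags = AI_CANONNAME;` leaves dead code behind a C++-style comment in a C file and turns canonicalization off unconditionally for every caller of this function. Delete the assignment outright, or make it conditional on a setting so that sites depending on the canonical name keep working. Because `hints` is zeroed by the `memset` above, `ai_flags` is now 0 and `getaddrinfo` will not fill in `ai->ai_canonname`; any code after this hunk that reads that field needs to be checked so that it falls back to `hostname` instead of dereferencing a NULL pointer. A short comment stating why the name the user typed is preferred over the resolver's answer would also help, since the service principal is then built from `hostname` as given.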

** Affects: krb5 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
krb5 prefers the reverse pointer no matter what for locating service tickets.  
https://bugs.launchpad.net/bugs/571572