Bug 1145991
Summary: | Unintelligible GSSAPI error when wrong host name is used by client | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Stef Walter <stefw>
Component: | krb5 | Assignee: | Robbie Harwood <rharwood>
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 21 | CC: | devurandom, ghudson, kerberos-dev-list, nalin, nathaniel, pkis, ssorce, stefw
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2015-10-21 20:41:06 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 1144561 | |
Description
Stef Walter
2014-09-24 09:08:24 UTC
Simo, would you happen to know where a more appropriate minor error could be set?

If I understand the problem correctly I am not sure this is a solvable problem. There is no way for the server to know why the client sent an invalid token; the token simply fails to decrypt. If you have control of the web server, you *may* be able to see what the GET/POST hostname in the URL used is (if it is not a relative URL) and, if it does not match your name, assume that a wrong hostname is the error. Yes, I am handwaving wildly :-) Can we get some information about the cases where this is happening?

Greg Hudson pointed out on IRC that this may be relevant or related: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7232

The important question, though, is why you're seeing GSS_S_DEFECTIVE_TOKEN. That's not intended behavior for a ticket decryption failure.

This is an Active Directory domain. I have a server with two host names in DNS:

* falcon.borg.lan
* falcon.thewalter.lan

This is what my keytab looks like (and the computer account is named similarly):

```
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/falcon.thewalter.lan
   3 host/falcon.thewalter.lan
   3 host/falcon.thewalter.lan
   3 host/falcon.thewalter.lan
   3 host/falcon.thewalter.lan
   3 host/falcon
   3 host/falcon
   3 host/falcon
   3 host/falcon
   3 host/falcon
   3 FALCON$@BORG.LAN
   3 FALCON$@BORG.LAN
   3 FALCON$@BORG.LAN
   3 FALCON$@BORG.LAN
   3 FALCON$@BORG.LAN
```

If I use a web browser to connect to 'falcon.borg.lan' (the wrong host name) and perform Negotiate auth, I get this GSS_S_DEFECTIVE_TOKEN (integer value 589824) from GSSAPI gss_accept_sec_context().

So the question is whether we can detect this situation and provide a more intelligible minor code back to the gss_accept_sec_context() caller?

After some evaluation I think the issue here is that the client is trying to use the IAKERB mechanism, and there is some bug with it.

Can you wireshark your connection and see what mechanism is being used?

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

The referenced upstream ticket has been merged. Does your issue persist? Additionally, can you provide the information Simo requested?

I believe this issue has been resolved. Please open if the issue persists.
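Two things in this thread are normally done by hand: turning the raw major status 589824 back into a name, and Simo's suggestion of comparing the host name the browser actually targeted with the names the acceptor holds keys for. The following is an added example written for this page; it is not code from the bug report, from krb5, or from any of the commenters. It decodes a packed GSS major status into the three RFC 2744 fields (calling error, routine error, supplementary bits) and checks an HTTP Host header against the service principals in `klist -k` output. The keytab text is constructed from the listing above (one line per principal rather than one per enctype); the Host header value, the function names and the wording of the hint are this example's own assumptions. Note Greg Hudson's point above: GSS_S_DEFECTIVE_TOKEN is not the expected result of a ticket decryption failure, so the hint is a troubleshooting heuristic, not a diagnosis of this bug.

```python
"""Added example for this bug page (not krb5 or the reporter's code):
decode a packed GSSAPI major status and check whether the acceptor keytab
actually holds a key for the host name the HTTP client used."""
import re

# Field layout of a GSS major status, RFC 2744 section 3.9.1.
GSS_C_CALLING_ERROR_OFFSET = 24
GSS_C_ROUTINE_ERROR_OFFSET = 16
GSS_C_SUPPLEMENTARY_OFFSET = 0
GSS_C_CALLING_ERROR_MASK = 0xFF
GSS_C_ROUTINE_ERROR_MASK = 0xFF
GSS_C_SUPPLEMENTARY_MASK = 0xFFFF
GSS_S_DEFECTIVE_TOKEN_ROUTINE = 9  # GSS_S_DEFECTIVE_TOKEN == 9 << 16 == 589824

CALLING_ERRORS = {
    1: "GSS_S_CALL_INACCESSIBLE_READ",
    2: "GSS_S_CALL_INACCESSIBLE_WRITE",
    3: "GSS_S_CALL_BAD_STRUCTURE",
}
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
SUPPLEMENTARY_BITS = {
    0: "GSS_S_CONTINUE_NEEDED", 1: "GSS_S_DUPLICATE_TOKEN",
    2: "GSS_S_OLD_TOKEN", 3: "GSS_S_UNSEQ_TOKEN", 4: "GSS_S_GAP_TOKEN",
}


def decode_major_status(major):
    """Split a packed major status into calling/routine/supplementary parts
    and name each one, the way gss_display_status() does for the GSS layer."""
    calling = (major >> GSS_C_CALLING_ERROR_OFFSET) & GSS_C_CALLING_ERROR_MASK
    routine = (major >> GSS_C_ROUTINE_ERROR_OFFSET) & GSS_C_ROUTINE_ERROR_MASK
    supp = (major >> GSS_C_SUPPLEMENTARY_OFFSET) & GSS_C_SUPPLEMENTARY_MASK
    names = []
    if calling:
        names.append(CALLING_ERRORS.get(calling, "unknown calling error %d" % calling))
    if routine:
        names.append(ROUTINE_ERRORS.get(routine, "unknown routine error %d" % routine))
    for bit, name in SUPPLEMENTARY_BITS.items():
        if supp & (1 << bit):
            names.append(name)
    if not names:
        names.append("GSS_S_COMPLETE")
    return {"calling": calling, "routine": routine, "supplementary": supp, "names": names}


# Constructed sample: the acceptor's `klist -k` output from the report,
# collapsed to one line per principal (the real output repeats per enctype).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/falcon.thewalter.lan
   3 host/falcon
   3 FALCON$@BORG.LAN
"""

_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(text):
    """Return (kvno, principal) pairs from `klist -k` output, skipping the header."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def principals_for_host(entries, host):
    """Service principals (service/instance[@REALM]) whose instance is `host`.
    Case-insensitive and ignores a trailing dot, as DNS name comparison does."""
    host = host.lower().rstrip(".")
    matches = []
    for _, princ in entries:
        if "/" not in princ:  # e.g. FALCON$@BORG.LAN: account principal, no instance
            continue
        instance = princ.split("/", 1)[1].split("@", 1)[0]
        if instance.lower() == host:
            matches.append(princ)
    return matches


def diagnose(major, host_header, klist_text):
    """Simo's heuristic from the thread: the token cannot say why it failed,
    but the HTTP Host header shows which name the client targeted.
    Hypothetical helper; the hint text is this example's own wording."""
    status = decode_major_status(major)
    host = host_header.split(":", 1)[0]  # drop an explicit port, e.g. "host:8443"
    matches = principals_for_host(parse_klist(klist_text), host)
    hint = None
    if status["routine"] == GSS_S_DEFECTIVE_TOKEN_ROUTINE and not matches:
        hint = ("no keytab entry for a service principal on '%s'; the client "
                "probably targeted a host name the acceptor has no key for" % host)
    return {"status": status["names"], "keytab_matches": matches, "hint": hint}


if __name__ == "__main__":
    # Assumed input: the "wrong" name from the report as the browser's Host header.
    print(diagnose(589824, "falcon.borg.lan", KLIST_OUTPUT))
```

Run against the constructed keytab, the wrong name `falcon.borg.lan` yields no matching service principal and the hint fires, while `falcon.thewalter.lan` matches `host/falcon.thewalter.lan` and no hint is produced. The decoder is deliberately kept separate from the heuristic so it can be dropped into any acceptor-side logging without the keytab lookup.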