Bug 1317609 - krb5 1.14.1 ate my gss-ntlmssp.
Summary: krb5 1.14.1 ate my gss-ntlmssp.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: 23
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Robbie Harwood
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-03-14 16:27 UTC by David Woodhouse
Modified: 2016-03-26 17:58 UTC (History)

Fixed In Version: krb5-1.14.1-3.fc23 krb5-1.14.1-3.fc24
Clone Of:
Environment:
Last Closed: 2016-03-22 19:52:29 UTC
Type: Bug
Embargoed:


Attachments
Add inquire_attrs_for_mech for gssntlmssp (2.66 KB, patch)
2016-03-14 20:14 UTC, David Woodhouse
dwmw2: review-

Description David Woodhouse 2016-03-14 16:27:39 UTC
$ rpm -q krb5-libs
krb5-libs-1.14-5.fc23.x86_64
krb5-libs-1.14-5.fc23.i686
$ KRB5CCNAME=/dev/null curl --negotiate -u : -v $URL
...
> Authorization: Negotiate YEAGBisGAQUFAqA2MDSgDjAMBgorBgEEAYI3AgIKoiIEIE5UTE1TU1AAAQAAABeCCKAAAAAAAAAAAAAAAAAAAAAA
... success ...


$ sudo dnf -y update krb5\*
$ rpm -q krb5-libs
krb5-libs-1.14.1-1.fc23.x86_64
krb5-libs-1.14.1-1.fc23.i686
$ KRB5CCNAME=/dev/null curl --negotiate -u : -v $URL
...
* gss_init_sec_context() failed: : SPNEGO cannot find mechanisms to negotiate
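
Added example, not part of the bug report: a small Python decoder for the Negotiate token shown in the description. It shows that the working request is a SPNEGO NegTokenInit offering NTLMSSP as its only mechanism, so once that mechanism drops out SPNEGO has nothing left to negotiate. The names `OID_NAMES`, `tlvs`, `oid_name` and `parse_negotiate` are chosen here for illustration.

```python
import base64

# Token copied from the "Authorization: Negotiate" header in the description.
TOKEN_B64 = ("YEAGBisGAQUFAqA2MDSgDjAMBgorBgEE"
             "AYI3AgIKoiIEIE5UTE1TU1AAAQAAABeC"
             "CKAA" + "AAAA" * 5)  # zero-byte tail, written as a repeat
OID_NAMES = {"1.3.6.1.5.5.2": "SPNEGO", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated DER header")
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[pos:pos + length]
        pos += length

def oid_name(body):
    """DER OID content bytes -> known name or dotted string (first arc 0 or 1)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs, val = arcs + [val], 0
    dotted = ".".join(map(str, arcs))
    return OID_NAMES.get(dotted, dotted)

def parse_negotiate(token_b64):
    """Parse an initial SPNEGO token: framing OID, offered mechs, NTLM header."""
    tag, body = next(tlvs(base64.b64decode(token_b64)))
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    (_, oid), (_, init) = tlvs(body)   # mechanism OID, then [0] NegTokenInit
    _, seq = next(tlvs(init))          # SEQUENCE of optional tagged fields
    out = {"framing": oid_name(oid), "mechs": [], "ntlm": None}
    for tag, field in tlvs(seq):
        _, inner = next(tlvs(field))   # strip the explicit context tag
        if tag == 0xA0:                # mechTypes: SEQUENCE OF OID
            out["mechs"] = [oid_name(o) for _, o in tlvs(inner)]
        elif tag == 0xA2 and inner[:8] == b"NTLMSSP\0":  # mechToken
            out["ntlm"] = {"type": int.from_bytes(inner[8:12], "little"),
                           "flags": int.from_bytes(inner[12:16], "little")}
    return out
```

For the token above, `parse_negotiate(TOKEN_B64)` reports SPNEGO framing, a single offered mechanism (NTLMSSP), and an NTLM type 1 message.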

Comment 1 Robbie Harwood 2016-03-14 20:00:39 UTC
Out-of-band discussion suggests that this is exposing a problem in gss-ntlmssp due to codepath changes in krb5.

Comment 2 David Woodhouse 2016-03-14 20:13:23 UTC
My preferred fix is at http://mailman.mit.edu/pipermail/krbdev/2016-March/012554.html

Comment 3 David Woodhouse 2016-03-14 20:14:24 UTC
Created attachment 1136280
Add inquire_attrs_for_mech for gssntlmssp

But sure, you can have this one too...

Comment 4 David Woodhouse 2016-03-16 22:10:31 UTC
Comment on attachment 1136280
Add inquire_attrs_for_mech for gssntlmssp

> But sure, you can have this one too...

No you can't; it's wrong. The mechglue will see our explicitly returned GSS_C_NO_OID_SET for the known attrs, and override it to pretend we support the full set of attrs listed in RFC5587. This is apparently a good thing.

cf. https://github.com/krb5/krb5/pull/426

Comment 5 Fedora Update System 2016-03-17 18:01:57 UTC
krb5-1.14.1-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-d4d2546f05

Comment 6 Fedora Update System 2016-03-17 18:02:08 UTC
krb5-1.14.1-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b84e6d7706

Comment 7 Fedora Update System 2016-03-18 14:56:33 UTC
krb5-1.14.1-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b84e6d7706

Comment 8 Fedora Update System 2016-03-18 21:55:21 UTC
krb5-1.14.1-3.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8dbc4ade25

Comment 9 Fedora Update System 2016-03-19 01:24:42 UTC
krb5-1.14.1-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-d4d2546f05

Comment 10 Fedora Update System 2016-03-20 03:58:16 UTC
krb5-1.14.1-3.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8dbc4ade25

Comment 11 Fedora Update System 2016-03-22 19:52:26 UTC
krb5-1.14.1-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2016-03-26 17:58:29 UTC
krb5-1.14.1-3.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

