Bug 238847 - kerberos release contains bug fixed upstream
Summary: kerberos release contains bug fixed upstream
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: krb5 (Show other bugs)
(Show other bugs)
Version: 5.0
Hardware: All Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
URL:
Whiteboard:
Keywords:
: 335571 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-05-03 12:46 UTC by Yves-Alexis Perez
Modified: 2018-10-19 23:08 UTC (History)
6 users (show)

Fixed In Version: RHEA-2007-0893
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-07 16:36:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
patch to correct behavior in indicate_mechs.c (496 bytes, patch)
2007-05-03 12:46 UTC, Yves-Alexis Perez
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2007:0893 normal SHIPPED_LIVE krb5 bug fix enhancement update 2007-10-30 15:11:36 UTC

Description Yves-Alexis Perez 2007-05-03 12:46:44 UTC
Description of problem:

Authentication fails when the client is windows based (IE6 or Firefox), but it
works when using Firefox from RHEL 5 or Debian Etch.

Workstations use pam_krb for login, then use Firefox/Iceweasel clients to access
apache/mod_auth_kerb on RHEL5 box. This works correctly, NegociateAuth works as
it should.

Using the same config server-side, the authentication fails when the client is
on Windows. The same windows client can authentication against an
apache/mod_auth_kerb box running Debian Etch (which uses krb5 1.4.4).

The error message is:

[Mon Apr 30 16:27:56 2007] [debug] src/mod_auth_kerb.c(1432): [client
192.168.0.10] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Apr 30 16:27:57 2007] [debug] src/mod_auth_kerb.c(1432): [client
192.168.0.10] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Apr 30 16:27:57 2007] [debug] src/mod_auth_kerb.c(1147): [client
192.168.0.10] Acquiring creds for HTTP@host.realm
[Mon Apr 30 16:27:57 2007] [debug] src/mod_auth_kerb.c(1266): [client
192.168.0.10] Verifying client data using KRB5 GSS-API
[Mon Apr 30 16:27:57 2007] [debug] src/mod_auth_kerb.c(1282): [client
192.168.0.10] Verification returned code 851968
[Mon Apr 30 16:27:57 2007] [error] [client 192.168.0.10]
gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may
provide more information (Cannot allocate memory)

Debugging httpd in gdb and tracing function calls leads to the file
indicate_mechs.c where gss_int_copy_oid_set() is called.

This function returns 0 on success, but in indicate_mechs.c the function is
called inside a if(), where, if the result is zero, it fails.

Looking at upstream mit release (1.5.3), the test isn't the same as the one in
RHEL5 release. If I correct the test in indicate_mechs.c, everything works as it
should.

The diff between upstream release (1.5.3) and red hat release (1.5-7) is attached.

If I can add anything to help more, please ask.

Regards,
-- Yves-Alexis Perez

Comment 1 Yves-Alexis Perez 2007-05-03 12:46:44 UTC
Created attachment 154025 [details]
patch to correct behavior in indicate_mechs.c

Comment 2 Nalin Dahyabhai 2007-05-04 14:50:05 UTC
This is also fixed in 1.6, to which we're currently planning to update, but I'm
going to leave this open so that we can track it properly.

Comment 3 RHEL Product and Program Management 2007-05-04 15:05:32 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 5 Nalin Dahyabhai 2007-06-25 06:13:04 UTC
Moving to MODIFIED.

Comment 6 Yves-Alexis Perez 2007-06-25 06:25:11 UTC
Does this means that fix will be included in RHEL5 soon? It breaks kerberos
pretty hard and the patch is trivial...

Comment 7 Nalin Dahyabhai 2007-06-25 14:15:27 UTC
By way of going to 1.6.1, yes.

Comment 9 Matthew Hannigan 2007-07-26 11:22:29 UTC
Apparently the equivalant fedora(6) bug is 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=243686

Comment 18 Nalin Dahyabhai 2007-10-17 14:19:40 UTC
*** Bug 335571 has been marked as a duplicate of this bug. ***

Comment 20 errata-xmlrpc 2007-11-07 16:36:48 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2007-0893.html



Note You need to log in before you can comment on or make changes to this bug.