Bug 238847 - kerberos release contains bug fixed upstream
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: krb5
Version: 5.0
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Brian Brock
Duplicates: 335571
Reported: 2007-05-03 08:46 EDT by Yves-Alexis Perez
Modified: 2010-10-22 10:42 EDT
Fixed In Version: RHEA-2007-0893
Doc Type: Bug Fix
Last Closed: 2007-11-07 11:36:48 EST

Attachments
patch to correct behavior in indicate_mechs.c (496 bytes, patch)
2007-05-03 08:46 EDT, Yves-Alexis Perez

Description Yves-Alexis Perez 2007-05-03 08:46:44 EDT
Description of problem:

Authentication fails when the client is Windows-based (IE6 or Firefox), but it
works when using Firefox from RHEL 5 or Debian Etch.

Workstations use pam_krb for login, then use Firefox/Iceweasel clients to access
apache/mod_auth_kerb on RHEL5 box. This works correctly, NegociateAuth works as
it should.

Using the same config server-side, the authentication fails when the client is
on Windows. The same Windows client can authenticate against an
apache/mod_auth_kerb box running Debian Etch (which uses krb5 1.4.4).

The error message is:

[Mon Apr 30 16:27:56 2007] [debug] src/mod_auth_kerb.c(1432): [client 192.168.0.10] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Apr 30 16:27:57 2007] [debug] src/mod_auth_kerb.c(1432): [client 192.168.0.10] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Apr 30 16:27:57 2007] [debug] src/mod_auth_kerb.c(1147): [client 192.168.0.10] Acquiring creds for HTTP@host.realm
[Mon Apr 30 16:27:57 2007] [debug] src/mod_auth_kerb.c(1266): [client 192.168.0.10] Verifying client data using KRB5 GSS-API
[Mon Apr 30 16:27:57 2007] [debug] src/mod_auth_kerb.c(1282): [client 192.168.0.10] Verification returned code 851968
[Mon Apr 30 16:27:57 2007] [error] [client 192.168.0.10] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (Cannot allocate memory)

Debugging httpd in gdb and tracing function calls leads to the file
indicate_mechs.c where gss_int_copy_oid_set() is called.

This function returns 0 on success, but in indicate_mechs.c the function is
called inside an if(), where, if the result is zero, it fails.

Looking at the upstream MIT release (1.5.3), the test isn't the same as the one in
the RHEL5 release. If I correct the test in indicate_mechs.c, everything works as it
should.

The diff between the upstream release (1.5.3) and the Red Hat release (1.5-7) is attached.

If I can add anything to help more, please ask.

Regards,
-- Yves-Alexis Perez
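
The failure mode described in the report above, as an added example that is not part of the original bug report and is not MIT krb5 or Red Hat code. `copy_set`, `indicate_buggy` and `indicate_fixed` are hypothetical stand-ins, and setting the minor status to ENOMEM on the error path is an assumption chosen to match the "Cannot allocate memory" text in the log; the logged major status 851968 is GSS_S_FAILURE (routine error 13 shifted left by 16, per RFC 2744).

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not MIT krb5 source. RFC 2744 keeps the routine error
 * in bits 16-23 of the major status; GSS_S_FAILURE is routine error 13. */
#define MAJOR_FAILURE (13u << 16)        /* 851968, the code in the log */
static unsigned routine_error(uint32_t major) { return (major >> 16) & 0xffu; }

/* Hypothetical stand-in for the copy helper: 0 on success, errno value on failure. */
static int copy_set(const int *src, size_t n, int **dst)
{
    int *p = malloc(n * sizeof *p);      /* callers here pass n > 0 */
    if (p == NULL) return ENOMEM;
    memcpy(p, src, n * sizeof *p);
    *dst = p;
    return 0;
}

/* Inverted test: a zero (successful) return takes the error path. */
static uint32_t indicate_buggy(uint32_t *minor, const int *src, size_t n, int **out)
{
    *out = NULL;
    if (!copy_set(src, n, out)) {
        free(*out); *out = NULL;         /* discard the good copy */
        *minor = ENOMEM;                 /* logged as "Cannot allocate memory" */
        return MAJOR_FAILURE;
    }
    *minor = 0;
    return 0;                            /* complete */
}

/* Corrected test: only a nonzero return is an error. */
static uint32_t indicate_fixed(uint32_t *minor, const int *src, size_t n, int **out)
{
    *out = NULL;
    *minor = (uint32_t)copy_set(src, n, out);
    return *minor ? MAJOR_FAILURE : 0;
}
int main(void)
{
    const int mechs[] = {1, 2, 3};       /* constructed sample set */
    int *out; uint32_t minor, maj = indicate_buggy(&minor, mechs, 3, &out);
    printf("buggy: major=%u routine=%u\n", (unsigned)maj, routine_error(maj));
    maj = indicate_fixed(&minor, mechs, 3, &out);
    printf("fixed: major=%u\n", (unsigned)maj);
    free(out);
}
```
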
Comment 1 Yves-Alexis Perez 2007-05-03 08:46:44 EDT
Created attachment 154025
patch to correct behavior in indicate_mechs.c
Comment 2 Nalin Dahyabhai 2007-05-04 10:50:05 EDT
This is also fixed in 1.6, to which we're currently planning to update, but I'm
going to leave this open so that we can track it properly.
Comment 3 RHEL Product and Program Management 2007-05-04 11:05:32 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 5 Nalin Dahyabhai 2007-06-25 02:13:04 EDT
Moving to MODIFIED.
Comment 6 Yves-Alexis Perez 2007-06-25 02:25:11 EDT
Does this mean that the fix will be included in RHEL5 soon? It breaks Kerberos
pretty hard and the patch is trivial...
Comment 7 Nalin Dahyabhai 2007-06-25 10:15:27 EDT
By way of going to 1.6.1, yes.
Comment 9 Matthew Hannigan 2007-07-26 07:22:29 EDT
Apparently the equivalent Fedora (6) bug is
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=243686
Comment 18 Nalin Dahyabhai 2007-10-17 10:19:40 EDT
*** Bug 335571 has been marked as a duplicate of this bug. ***
Comment 20 errata-xmlrpc 2007-11-07 11:36:48 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2007-0893.html
