Bug 238847 - kerberos release contains bug fixed upstream
Summary: kerberos release contains bug fixed upstream
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: krb5 (Show other bugs)
(Show other bugs)
Version: 5.0
Hardware: All Linux
Target Milestone: ---
: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
: 335571 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2007-05-03 12:46 UTC by Yves-Alexis Perez
Modified: 2018-10-19 23:08 UTC (History)
6 users (show)

Fixed In Version: RHEA-2007-0893
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-11-07 16:36:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
patch to correct behavior in indicate_mechs.c (496 bytes, patch)
2007-05-03 12:46 UTC, Yves-Alexis Perez
no flags Details | Diff

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2007:0893 normal SHIPPED_LIVE krb5 bug fix enhancement update 2007-10-30 15:11:36 UTC

Description Yves-Alexis Perez 2007-05-03 12:46:44 UTC
Description of problem:

Authentication fails when the client is windows based (IE6 or Firefox), but it
works when using Firefox from RHEL 5 or Debian Etch.

Workstations use pam_krb for login, then use Firefox/Iceweasel clients to access
apache/mod_auth_kerb on RHEL5 box. This works correctly, NegociateAuth works as
it should.

Using the same config server-side, the authentication fails when the client is
on Windows. The same windows client can authentication against an
apache/mod_auth_kerb box running Debian Etch (which uses krb5 1.4.4).

The error message is:

[Mon Apr 30 16:27:56 2007] [debug] src/mod_auth_kerb.c(1432): [client] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Apr 30 16:27:57 2007] [debug] src/mod_auth_kerb.c(1432): [client] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Apr 30 16:27:57 2007] [debug] src/mod_auth_kerb.c(1147): [client] Acquiring creds for HTTP@host.realm
[Mon Apr 30 16:27:57 2007] [debug] src/mod_auth_kerb.c(1266): [client] Verifying client data using KRB5 GSS-API
[Mon Apr 30 16:27:57 2007] [debug] src/mod_auth_kerb.c(1282): [client] Verification returned code 851968
[Mon Apr 30 16:27:57 2007] [error] [client]
gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may
provide more information (Cannot allocate memory)

Debugging httpd in gdb and tracing function calls leads to the file
indicate_mechs.c where gss_int_copy_oid_set() is called.

This function returns 0 on success, but in indicate_mechs.c the function is
called inside a if(), where, if the result is zero, it fails.

Looking at upstream mit release (1.5.3), the test isn't the same as the one in
RHEL5 release. If I correct the test in indicate_mechs.c, everything works as it

The diff between upstream release (1.5.3) and red hat release (1.5-7) is attached.

If I can add anything to help more, please ask.

-- Yves-Alexis Perez

Comment 1 Yves-Alexis Perez 2007-05-03 12:46:44 UTC
Created attachment 154025 [details]
patch to correct behavior in indicate_mechs.c

Comment 2 Nalin Dahyabhai 2007-05-04 14:50:05 UTC
This is also fixed in 1.6, to which we're currently planning to update, but I'm
going to leave this open so that we can track it properly.

Comment 3 RHEL Product and Program Management 2007-05-04 15:05:32 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 5 Nalin Dahyabhai 2007-06-25 06:13:04 UTC
Moving to MODIFIED.

Comment 6 Yves-Alexis Perez 2007-06-25 06:25:11 UTC
Does this means that fix will be included in RHEL5 soon? It breaks kerberos
pretty hard and the patch is trivial...

Comment 7 Nalin Dahyabhai 2007-06-25 14:15:27 UTC
By way of going to 1.6.1, yes.

Comment 9 Matthew Hannigan 2007-07-26 11:22:29 UTC
Apparently the equivalant fedora(6) bug is 

Comment 18 Nalin Dahyabhai 2007-10-17 14:19:40 UTC
*** Bug 335571 has been marked as a duplicate of this bug. ***

Comment 20 errata-xmlrpc 2007-11-07 16:36:48 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.