[Bug 298362] New: yast2-kerberos client saves unnecessary [domain_realm] section
https://bugzilla.novell.com/show_bug.cgi?id=298362

Summary: yast2-kerberos client saves unnecessary [domain_realm] section
Product: openSUSE 10.3
Version: Alpha 7
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: YaST2
AssignedTo: jsuchome@novell.com
ReportedBy: jsuchome@novell.com
QAContact: jsrain@novell.com
CC: mc@novell.com, jberkman@novell.com
Found By: ---

Current yast2-kerberos-client saves into the [domain_realm] section of /etc/krb5.conf both

  .domain = REALM

and

  domain = REALM

Probably only one of the entries should be sufficient, but it is not clear which. See feature 302132 for a discussion.

Jakob: "for the domain realm, the only difference with having the leading dot there is that when it is present, the domain *won't* match - eg host.sub.domain and sub.domain will both match a domain_realm value of sub.domain. however, if the domain_realm value is .sub.domain, sub.domain will not match, and this is the value we're getting from the smartcard. sandbox is a domain. having both entries is unnecessary, as i've mentioned. if you don't have the dot there, it will match hosts that both have the dot and don't - if you do have the dot, it will simply not match just the host (which is what we have from the smartcard). ie, for host host.sub.domain, it will first try to match a domain_realm of host.sub.domain, then .sub.domain, then sub.domain, then .domain, then domain."

Michael (Kerberos FAQ): "2. You only need an entry without a leading period if you have a host named the same as your domain name (in other words, your domain is foo.bar.org, and you have a host called foo.bar.org)."

According to Jakob, the value is domain; according to the FAQ, if it is domain then domain should work. So where's the problem?

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #1 from Jiří Suchomel
--- Comment #2 from Michael Calmer
The problem is that the NT Principal Name on the cert is jberkman@sandbox.cam.novell.com; the code tries to look up which realm matches sandbox.cam.novell.com. This is in cert_san_matches_upn_check(), when it calls krb5_get_host_realm().

krb5_get_host_realm() expects a fully qualified host name, but the code provides only the domain. For 10.3 we have a workaround; for the next version we can fix this by prepending a "." or "x." to the domain before calling krb5_get_host_realm().
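As an added illustration (not code from yast2-kerberos-client, pam_pkcs11 or the krb5 library), the following Python models the [domain_realm] lookup order Jakob describes in the report (host.sub.domain, .sub.domain, sub.domain, .domain, domain) and the failure Michael describes above: looking up the bare domain from the certificate's UPN against a krb5.conf that only carries the dotted entry, plus the effect of his proposed "." / "x." prefix workaround. The function names, the realm name SANDBOX.EXAMPLE and the sample domain_realm entries are constructed for the example; the real krb5_get_host_realm() has further fallbacks (DNS, default realm) that this model omits.

```python
"""Model of [domain_realm] matching as discussed in bug 298362.

Added example, not project code.  Lookup order follows Jakob's description
in the report; the sample entries and realm name are constructed.
"""


# Constructed sample: only the dotted entry, as yast2-kerberos-client writes it.
# SANDBOX.EXAMPLE is a placeholder realm name, not taken from the bug.
DOMAIN_REALM_DOTTED = {".sandbox.cam.novell.com": "SANDBOX.EXAMPLE"}

# Constructed sample: both the dotted and the undotted entry (the "unnecessary"
# pair the bug title refers to).
DOMAIN_REALM_BOTH = {
    ".sandbox.cam.novell.com": "SANDBOX.EXAMPLE",
    "sandbox.cam.novell.com": "SANDBOX.EXAMPLE",
}


def candidates(name):
    """Yield the domain_realm keys tried for `name`, most specific first.

    For host.sub.domain this yields host.sub.domain, .sub.domain, sub.domain,
    .domain, domain -- the order Jakob gives in the report.
    """
    labels = name.split(".")
    yield name
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        yield "." + suffix   # dotted entry: matches hosts *under* the domain
        yield suffix         # undotted entry: also matches the domain itself


def host_realm(name, domain_realm):
    """Host-to-realm lookup modelled on domain_realm matching only.

    Returns (matched_key, realm); (None, None) when no entry matches, which is
    the case Michael hits when the bare domain is passed in.
    """
    for key in candidates(name):
        if key in domain_realm:
            return key, domain_realm[key]
    return None, None


def realm_for_upn_domain(domain, domain_realm, prefix="x."):
    """Michael's proposed fix: prepend "." or "x." so a bare domain from the
    certificate UPN is treated like a host name inside that domain before the
    lookup.  `prefix` is a constructed parameter for the example."""
    return host_realm(prefix + domain, domain_realm)


if __name__ == "__main__":
    upn_domain = "sandbox.cam.novell.com"   # domain part of the UPN in the bug
    print("order for host.sub.domain:", list(candidates("host.sub.domain")))
    print("a real host, dotted entry only:",
          host_realm("host." + upn_domain, DOMAIN_REALM_DOTTED))
    print("bare domain, dotted entry only:",
          host_realm(upn_domain, DOMAIN_REALM_DOTTED))
    print("bare domain, both entries:",
          host_realm(upn_domain, DOMAIN_REALM_BOTH))
    for p in (".", "x."):
        print("bare domain with prefix %r, dotted entry only:" % p,
              realm_for_upn_domain(upn_domain, DOMAIN_REALM_DOTTED, p))
```

Run stand-alone, the script shows why the extra undotted entry "fixed" the lookup (the bare domain matches it directly) and why either prefix lets the dotted entry alone match, so the yast2 client can go back to writing only the dotted line.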
--- Comment #3 from Michael Calmer

--- Comment #4 from Stephan Kulow

--- Comment #5 from jacob berkman

--- Comment #6 from Michael Calmer

--- Comment #7 from Jiří Suchomel
Patch applied.
Jiri: yast2-kerberos-client can now go back to the old behaviour, which is, "domain is added with the leading dot in domain_realm section".

yast2-kerberos-client-2.16.3