Bugzilla – Full Text Bug Listing

| Summary: | yast2-kerberos client saves unnecessary [domain_realm] section | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE 10.3 | Reporter: | Jiří Suchomel <jsuchome> |
| Component: | YaST2 | Assignee: | Jiří Suchomel <jsuchome> |
| Status: | RESOLVED FIXED | QA Contact: | Jiri Srain <jsrain> |
| Severity: | Normal | | |
| Priority: | P5 - None | CC: | jsuchome, mc |
| Version: | Alpha 7 | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | prepend a dot to the domain name | | |
Michael, Jacob, could you clarify the situation? We found the problem:
> the problem is that the NT Principal Name on the cert is
> jberkman@sandbox.cam.novell.com; the code tries to look up which realm
> matches sandbox.cam.novell.com.
> this is in cert_san_matches_upn_check(), when it calls
> krb5_get_host_realm().

krb5_get_host_realm() expects a fully qualified host name, but the code provides only the domain.
For 10.3 we have a workaround; for the next version we can fix this by prepending a "." or "x." to the domain before calling krb5_get_host_realm().

Jacob: cert_san_matches_upn_check() is your code. Please provide a patch which adds "." or "x." in front of the domain before krb5_get_host_realm() is called. Thanks.

NEEDINFO is the wrong thing here. A patch is needed, not info.

Created attachment 193108 [details]
prepend a dot to the domain name
I believe this patch does what you were asking for; please review it for errors and add it to autobuild if it is acceptable.
I don't anticipate going back to smartcard work, so in the future, as you are the package's maintainer, please don't hesitate to go ahead and fix things like this yourself.
Thanks.
Patch applied. Jiri: yast2-kerberos-client can now go back to the old behaviour.

(In reply to comment #6 from Michael Calmer)
> Patch applied.
>
> Jiri: yast2-kerberos-client can now go back to the old behaviour.

.. which is, "domain is added with the leading dot in domain_realm section".

yast2-kerberos-client-2.16.3

Current yast2-kerberos-client saves into the [domain_realm] section of /etc/krb5.conf both domain = REALM and .domain = REALM. Probably only one of the entries should be sufficient, but it is not clear which. See feature 302132 for a discussion.

Jakob: "for the domain realm, the only difference with having the leading dot there is that when it is present, the domain *won't* match - eg host.sub.domain and sub.domain will both match a domain_realm value of sub.domain. however, if the domain_realm value is .sub.domain, sub.domain will not match, and this is the value we're getting from the smartcard. sandbox is a domain. having both entries is unnecessary, as i've mentioned. if you don't have the dot there, it will match hosts that both have the dot and don't - if you do have the dot, it will simply not match just the host (which is what we have from the smartcard). ie, for host host.sub.domain, it will first try to match a domain_realm of host.sub.domain, then .sub.domain, then sub.domain, then .domain, then domain."

Michael (Kerberos FAQ): "2. You only need an entry without a leading period if you have a host named the same as your domain name (in other words, your domain is foo.bar.org, and you have a host called foo.bar.org)."

According to Jakob, the value is domain; according to the FAQ, if it is domain then .domain should work. So where's the problem?
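The following is an added example, not code from this bug, from yast2-kerberos-client or from libkrb5. It simulates the [domain_realm] lookup order exactly as Jakob describes it above (host.sub.domain, then .sub.domain, sub.domain, .domain, domain) over a small constructed krb5.conf fragment, to show two things the thread argues about: a bare domain name taken from a smartcard UPN can never hit a ".domain" entry, so prefixing it with "." or "x." before the lookup (Michael's suggestion) makes it match; and a bare "domain" entry already matches everything a ".domain" entry matches, so writing both is redundant. The config text, the host names, the helper names parse_domain_realm, candidates, host_realm and upn_domain_realm and the prefix parameter are all assumptions made for the example; the real libkrb5 walk is not reproduced here.

```python
"""Simulate the [domain_realm] lookup order described in the bug thread.

Added example; not the yast2-kerberos-client, pam_pkcs11 or libkrb5 code.
"""
import re

# Constructed sample krb5.conf fragment; not taken from any real system.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[domain_realm]
    # only the dotted form, as written from the smartcard UPN domain
    .sandbox.cam.novell.com = SANDBOX.CAM.NOVELL.COM
    # both forms, as yast2-kerberos-client wrote them at the time of the bug
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""


def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as a dict of lookup key -> REALM.

    Keys are lower-cased so that host-name comparison is case-insensitive;
    comments (#) and blank lines are ignored.
    """
    mapping = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section = m.group(1)
            continue
        if section != 'domain_realm' or '=' not in line:
            continue
        key, realm = (part.strip() for part in line.split('=', 1))
        mapping[key.lower()] = realm
    return mapping


def candidates(hostname):
    """Lookup keys in the order Jakob describes in the thread.

    host.sub.domain -> host.sub.domain, .sub.domain, sub.domain, .domain, domain
    A name that already starts with '.' is tried as-is first, then without it.
    """
    out = []
    cp = hostname.lower().rstrip('.')
    while cp:
        out.append(cp)
        if cp.startswith('.'):
            cp = cp[1:]                          # ".sub.domain" -> "sub.domain"
        else:
            idx = cp.find('.')
            cp = cp[idx:] if idx >= 0 else ''    # "sub.domain"  -> ".domain"
    return out


def host_realm(hostname, mapping):
    """First matching candidate wins; None when nothing in [domain_realm] matches."""
    for key in candidates(hostname):
        if key in mapping:
            return mapping[key]
    return None


def upn_domain_realm(upn, mapping, prefix='.'):
    """Lookup as the patched cert_san_matches_upn_check() would do it (assumed):
    take the domain part of user@domain, prefix it ("." or "x."), then resolve.
    With prefix='' this is the failing pre-patch behaviour from the thread.
    """
    domain = upn.split('@', 1)[1]
    return host_realm(prefix + domain, mapping)


if __name__ == '__main__':
    m = parse_domain_realm(SAMPLE_KRB5_CONF)
    upn = 'jberkman@sandbox.cam.novell.com'
    for pfx in ('', '.', 'x.'):
        print(f'prefix {pfx!r:5} -> {upn_domain_realm(upn, m, prefix=pfx)}')
    # a bare "example.com" entry alone covers both the host and its subdomains
    print(host_realm('www.example.com', {'example.com': 'EXAMPLE.COM'}))
    print(host_realm('example.com', {'.example.com': 'EXAMPLE.COM'}))
```

Running the block shows the empty prefix yields None (the failure from the thread), while "." and "x." both resolve to SANDBOX.CAM.NOVELL.COM; the last two lines show that a bare entry alone is enough, and a dotted entry alone excludes the host named like the domain, which is the distinction Jakob and the FAQ are both making.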