kerberos auth doesn't work because of kerberos server not found

Bug #971028 reported by Thomas Schweikle
Affects: krb5 (Ubuntu)
Status: Expired
Importance: Low
Assigned to: Unassigned
Milestone: none

Bug Description

Kerberos doesn't find kerberos server. Authentication fails via kerberos. It succeeds via ssh. Consequence: no forwardable ticket ...

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: krb5-user 1.10+dfsg~beta1-2
ProcVersionSignature: Ubuntu 3.2.0-21.34-virtual 3.2.13
Uname: Linux 3.2.0-21-virtual i686
ApportVersion: 2.0-0ubuntu2
Architecture: i386
Date: Sun Apr 1 21:12:05 2012
InstallationMedia: Ubuntu-Server 10.10 "Maverick Meerkat" - Release i386 (20101007)
ProcEnviron:
 TERM=screen-bce
 PATH=(custom, user)
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: krb5
UpgradeStatus: Upgraded to precise on 2012-04-01 (0 days ago)

Revision history for this message
Thomas Schweikle (tps) wrote :
James Page (james-page)
Changed in krb5 (Ubuntu):
importance: Undecided → Low
Revision history for this message
James Page (james-page) wrote :

Hi Thomas

Looking at the title of this bug 'kerberos auth doesn't work because of kerberos server not found' - I'm struggling to see what the bug actually is as this sounds like reasonable behavior.

Is this related to bug 971046 that you raised?

It would be good to understand how these issues relate to each other and get a better view of your overall configuration so we can try to triage this bug (and the others) more effectively.

Changed in krb5 (Ubuntu):
status: New → Incomplete
Revision history for this message
Thomas Schweikle (tps) wrote :

I was looking in the wrong direction, because of kerberos errors, after upgrading from oneiric to precise.

This bug is not related to kerberos, but to OpenLDAP. OpenLDAP has two configuration files for authenticating against a ldap-server:
/etc/ldap/ldap.conf -- used by nsswitch
/etc/ldap.conf -- used by other tools including kerberos, if kerberos data is stored in ldap.

Both of these files are overwritten by "do-release-upgrade -d", breaking the connection to your ldap-server. In turn Kerberos can't read its database (stored in LDAP) any more, while the connection itself is not broken, because /etc/krb5.conf holds the necessary information. But the information for authenticating Kerberos against LDAP is stored in /etc/ldap/ldap.conf, and that is lost. The error messages Kerberos emits lead in a false direction. Restoring the files /etc/ldap/ldap.conf and /etc/ldap.conf solves the problem.

Revision history for this message
James Page (james-page) wrote :

Hi Thomas

Thanks again for the extra information.

/etc/ldap/ldap.conf is classified as a configuration file, so package changes to this file should not overwrite your local changes without prompting.

However looking at this file it had not been changed between oneiric and precise so I'm not quite sure why you are hitting this issue (I have not been able to reproduce this locally following the same upgrade path).

Please could you check the package ownership of these files by running the following commands:

  dpkg -S /etc/ldap/ldap.conf
  dpkg -S /etc/ldap.conf

Please post the output in the bug report.

Thanks

Changed in krb5 (Ubuntu):
status: Incomplete → New
status: New → Incomplete
Revision history for this message
Thomas Schweikle (tps) wrote :

# dpkg -S /etc/ldap/ldap.conf
libldap-2.4-2: /etc/ldap/ldap.conf
# dpkg -S /etc/ldap.conf
dpkg-query: no path found matching pattern /etc/ldap.conf.

For /etc/ldap/ldap.conf, package libldap-2.4-2 has installed it. /etc/ldap.conf, on the other hand, has no owning package, but it is installed by libpam-ldapd. /etc/ldap/ldap.conf is used by various LDAP tools to set defaults, while /etc/ldap.conf instructs PAM how to read the LDAP database for user information.

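The two dpkg -S results above show the distinction James asked about: one file is owned by a package, the other by nothing. What decides whether an upgrade may silently replace a file is a second detail: whether dpkg lists it in the package's Conffiles field, and whether its md5sum still matches the packaged copy (dpkg prompts only for a registered conffile that has been locally modified). The following script is an added example, not part of the bug report or of the krb5/libldap packages; it assumes a Debian/Ubuntu host with dpkg, dpkg-query, md5sum and awk, and the constructed test data stands in for the real files:

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether a path is a dpkg
# conffile and whether the on-disk copy differs from the packaged version.
# dpkg prompts before replacing a registered conffile whose md5sum no longer
# matches; a file no package owns gets no such protection during an upgrade.

# Print the md5sum dpkg recorded for PATH ($1), reading a ${Conffiles} listing
# on stdin (one " /path md5sum [obsolete]" entry per line). Empty output means
# PATH is not a registered conffile of that package.
recorded_md5() {
    awk -v p="$1" '$1 == p { print $2; exit }'
}

# md5 of the file currently on disk (md5sum is from coreutils).
disk_md5() {
    md5sum "$1" | cut -d' ' -f1
}

# Classify PATH ($1) against a Conffiles listing read from stdin:
#   not-a-conffile - no entry for PATH, so dpkg will not protect it
#   unmodified     - matches the packaged copy; an upgrade may replace it silently
#   modified       - differs locally; dpkg must prompt before overwriting it
conffile_status() {
    path=$1
    rec=$(recorded_md5 "$path")
    if [ -z "$rec" ]; then
        echo not-a-conffile
    elif [ "$rec" = "$(disk_md5 "$path")" ]; then
        echo unmodified
    else
        echo modified
    fi
}

# Live check on a Debian/Ubuntu host: find the owning package with dpkg -S,
# then classify the file against that package's Conffiles field.
check_conffile() {
    pkg=$(dpkg -S "$1" 2>/dev/null | head -n1 | cut -d: -f1)
    if [ -z "$pkg" ]; then
        echo "$1: no package owns this file (not-a-conffile)"
        return 0
    fi
    status=$(dpkg-query -W -f '${Conffiles}\n' "$pkg" | conffile_status "$1")
    echo "$1: owned by $pkg, $status"
}

# Usage: sh conffile-check.sh /etc/ldap/ldap.conf /etc/ldap.conf
for f in "$@"; do
    check_conffile "$f"
done
```

On a host in the state described in this report, /etc/ldap/ldap.conf would be reported as owned by libldap-2.4-2 and either "unmodified" or "modified", while /etc/ldap.conf would come back as not owned by any package. That second result is the caveat worth keeping in mind: a hand-placed file that no package claims is outside dpkg's conffile bookkeeping entirely, so nothing in the upgrade tooling will prompt before some other tool rewrites it.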
Revision history for this message
Thomas Schweikle (tps) wrote :

It doesn't matter whether debconf is used or not. /etc/ldap.conf is overwritten in all cases with a new version, sometimes only partly correct (as changed by me: server names are correct, but not the selection rules), sometimes as a whole. Recovering is easy: just take a /etc/ldap.conf from one of your working servers and copy it over.

Revision history for this message
James Page (james-page) wrote :

Thomas

I'm not sure that /etc/ldap.conf is installed by libpam-ldapd - it will certainly try to parse /etc/ldap.conf if it exists on upgrade, but by default its configuration is installed in /etc/nslcd.conf. This change happened in 2009, so I think it's unrelated to what you are seeing.

With regards to /etc/ldap/ldap.conf - yes, libldap-2.4-2 does install that file, but as it is registered as a config file it should not have tried to overwrite your localised changes.

Do you happen to have upgrade logs for one of the installations where you see this issue? They should be in /var/log/dist-upgrade. This might help shed more light on this problem.

Thanks

Changed in krb5 (Ubuntu):
status: Incomplete → New
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for krb5 (Ubuntu) because there has been no activity for 60 days.]

Changed in krb5 (Ubuntu):
status: Incomplete → Expired