Hi,
We have a problem with our SLES 11 SP3 server after the last krb5 (Kerberos) update, patch slessp3-krb5-12185 (http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00007.html).
After applying the patch, our Apache with mod_auth_kerb doesn’t work correctly with “KrbMethodNegotiate on” (in the Apache config; it activates single sign-on with IE and other browsers).
The apache error log shows this:
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1667): [client 172.24.7.101] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1667): [client 172.24.7.101] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1277): [client 172.24.7.101] Acquiring creds for HTTP@server.domain
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1424): [client 172.24.7.101] Verifying client data using KRB5 GSS-API
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1440): [client 172.24.7.101] Client didn't delegate us their credential
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1459): [client 172.24.7.101] GSS-API token of length 185 bytes will be sent back
[Mon Nov 09 15:49:29 2015] [notice] child pid 16712 exit signal Segmentation fault (11)
After turning “KrbMethodNegotiate” off, so that the client will be asked for a password (when the setting “KrbMethodK5Passwd on” is set, but this was set even before the update), everything works just fine. In both situations the same keytab file is used, with no changes to krb5.conf; only the KrbMethodNegotiate setting is changed.
After downgrading the updated krb5 packages, everything works fine (again).
Does the mod_auth_kerb Apache module need an update to work correctly with the fixed krb5 package?
Any further advice?
Is there any further data, config settings, etc. that I can provide?
It’s a SLES 11 SP3 server (VM) with all packages updated.
Thanks in advance.
Eichhorn