Bug#457341: marked as done (libapache2-mod-auth-kerb: KrbAuthoritative is broken)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Fri, 05 Apr 2024 17:27:47 +0000
with message-id <[🔎] E1rsnLv-00Fr8g-I4@fasolo.debian.org>
and subject line Bug#1068262: Removed package(s) from unstable
has caused the Debian Bug report #457341,
regarding libapache2-mod-auth-kerb: KrbAuthoritative is broken
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
457341: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457341
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: libapache2-mod-auth-kerb: KrbAuthoritative is broken
• From: Richard A Nelson <cowboy@debian.org>
• Date: Fri, 21 Dec 2007 09:27:16 -0800
• Message-id: <20071221172716.22369.4748.reportbug@bandit-hall.svl.ibm.com>

Package: libapache2-mod-auth-kerb
Version: 5.3-1.3
Severity: important

Here is a fragment of what I was attempting to accomplish:
        AuthType Basic
        AuthName "w3"
        AuthBasicProvider ldap file
        AuthUserFile /etc/apache2/htpasswd
        AuthzLDAPAuthoritative off
        AuthLDAPURL ldapi:///ou=bluepages,o=ibm.com?mail?sub?
        AuthType Kerberos
        KrbAuthRealms COBPLI.SVL.IBM.COM SVLDEV.SVL.IBM.COM
        KrbAuthoritative off
        KrbDelegateBasic on
        Krb5Keytab /etc/apache2/apache.keytab
        require valid-user

So, the goal was to first do KRB, and if that failed, drop back to
LDAP, and if that failed, check the htpasswd file.

All that worked fine until I added Kerberos (LDAP falling back to file).

No, if KRB auth works, everything is fine, but KRB failures are *not*
being delegated to lower levels:
[error] [client 9.30.102.134] Specified realm `us.ibm.com' not allowed by configuration

There are a plethora of <cc>.ibm.com addresses, and I'm not going to be
able to keep the AuthRealms uptodate with them all, nor should I - as
they don't have KRB realms behind them.  COBPLI and SVLDEV are the only two
domains with KRB backing them (both are local and have cross-domain
trust setup.

I noticed the earlier bug (288745) on multiple Realms, tagged moreinfo, so I 
removed one from the list and tried again - but I get the same error :(

I can easily reproduce (and test) this error - and am could easily
verify any updates

-- System Information:
Debian Release: lenny/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.23.11 (SMP w/1 CPU core; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libapache2-mod-auth-kerb depends on:
ii  apache2.2-common      2.2.6-3            Next generation, scalable, extenda
ii  krb5-config           1.17               Configuration files for Kerberos V
ii  libc6                 2.7-4              GNU C Library: Shared libraries
ii  libcomerr2            1.40.3-1           common error description library
ii  libkrb53              1.6.dfsg.3~beta1-2 MIT Kerberos runtime libraries

libapache2-mod-auth-kerb recommends no packages.

-- no debconf information

--- End Message ---

--- Begin Message ---

• To: 457341-done@bugs.debian.org,494688-done@bugs.debian.org,550606-done@bugs.debian.org,552266-done@bugs.debian.org,722477-done@bugs.debian.org,725454-done@bugs.debian.org,766587-done@bugs.debian.org,780108-done@bugs.debian.org,799109-done@bugs.debian.org,976156-done@bugs.debian.org,1013955-done@bugs.debian.org,1036193-done@bugs.debian.org,
• Cc: libapache-mod-auth-kerb@packages.debian.org
• Subject: Bug#1068262: Removed package(s) from unstable
• From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
• Date: Fri, 05 Apr 2024 17:27:47 +0000
• Message-id: <[🔎] E1rsnLv-00Fr8g-I4@fasolo.debian.org>

Version: 5.4-3+rm

Dear submitter,

as the package libapache-mod-auth-kerb has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1068262

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)

--- End Message ---