Bug 1259844

Summary: KDC does not return proper client principal for client referrals
Product: [Fedora] Fedora
Reporter: Alexander Bokovoy <abokovoy>
Component: krb5
Assignee: Robbie Harwood <rharwood>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 22
CC: dpal, nalin, nathaniel, rharwood
Fixed In Version: krb5-1.13.2-11.fc23 krb5-1.13.2-8.fc22
Doc Type: Bug Fix
: 1259846 (view as bug list)
Last Closed: 2015-10-11 16:01:42 UTC
Type: Bug
Attachments: proposed backport patch

Description Alexander Bokovoy 2015-09-03 15:32:02 UTC
Created attachment 1069928: proposed backport patch

Description of problem:
When working on support for client referrals from trusted domains in FreeIPA, I've found a bug in the MIT Kerberos KDC that prevents it from returning the correct trusted domain realm for a client referral.

The reason for this bug is that prepare_error_as_req() uses a KDC-specific table error code to check whether a wrong realm is reported, rather than a protocol error code.

The upstream fix, which removes the need to consider error codes in prepare_error_as_req(), is proposed at https://github.com/krb5/krb5/pull/323/

Attached is the minimal backport suggested by Simo, which is essentially s/KRB5KDC_ERR_WRONG_REALM/KDC_ERR_WRONG_REALM/ in prepare_error_as_req(), to reduce the scope of the backport.

According to Greg Hudson, the bug has existed since MIT Kerberos 1.7.
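
The mismatch described in the report above, as an added example that is not part of the original report or of the krb5 source: a protocol error code compared against a com_err table constant never matches, so the referral realm is never selected. The helper names and principals are hypothetical, the constant values are taken from MIT krb5's headers and RFC 4120 rather than from this page, and the example assumes the error code has already been converted to its protocol value before the check runs.

```c
#include <stdio.h>
#include <string.h>

/* Values from MIT krb5 headers / RFC 4120 (assumption: not shown on the page). */
#define ERROR_TABLE_BASE_krb5   (-1765328384L)
#define KDC_ERR_WRONG_REALM     68L                            /* protocol code */
#define KRB5KDC_ERR_WRONG_REALM (ERROR_TABLE_BASE_krb5 + 68L)  /* table code */

/* Hypothetical helper: table code -> code that goes on the wire in KRB-ERROR. */
static long to_protocol_code(long table_code)
{
    return table_code - ERROR_TABLE_BASE_krb5;
}

/* "Before": the check uses the table constant, but receives a protocol code,
 * so the canonical (trusted-realm) client principal is never chosen. */
static const char *error_client_before(long proto_err, const char *req_client,
                                       const char *canon_client)
{
    return (proto_err == KRB5KDC_ERR_WRONG_REALM) ? canon_client : req_client;
}

/* "After": the s/KRB5KDC_ERR_WRONG_REALM/KDC_ERR_WRONG_REALM/ substitution. */
static const char *error_client_after(long proto_err, const char *req_client,
                                      const char *canon_client)
{
    return (proto_err == KDC_ERR_WRONG_REALM) ? canon_client : req_client;
}

int main(void)
{
    /* Constructed sample principals. */
    const char *req = "user@IPA.EXAMPLE";
    const char *canon = "user@AD.EXAMPLE";
    long proto = to_protocol_code(KRB5KDC_ERR_WRONG_REALM);

    printf("protocol code: %ld\n", proto);
    printf("before: client in error = %s\n", error_client_before(proto, req, canon));
    printf("after:  client in error = %s\n", error_client_after(proto, req, canon));
    return 0;
}
```
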

Comment 1 Alexander Bokovoy 2015-10-08 13:05:47 UTC
Ping, can we get this fix pushed to Fedora (22 and 23)? This blocks a feature of FreeIPA 4.2.2 release.

Comment 2 Robbie Harwood 2015-10-08 20:08:32 UTC
I was hoping to pull this in with 1.14, but if this is needed for other packages I will do otherwise.

It's in rawhide; versions of 22 and 23 to follow shortly.

Comment 3 Fedora Update System 2015-10-08 20:28:49 UTC
krb5-1.13.2-8.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-f99c19a9c9

Comment 4 Fedora Update System 2015-10-09 13:54:08 UTC
krb5-1.13.2-8.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update krb5'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-f99c19a9c9

Comment 5 Fedora Update System 2015-10-09 13:54:46 UTC
krb5-1.13.2-11.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update krb5'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-424e5dcdaa

Comment 6 Fedora Update System 2015-10-11 16:01:40 UTC
krb5-1.13.2-11.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-10-28 16:26:50 UTC
krb5-1.13.2-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.