Bug 2124463

Summary: Rebase krb5 to latest upstream release 1.20 [fedora-rawhide]
Product: [Fedora] Fedora
Reporter: Julien Rische <jrische>
Component: krb5
Assignee: Julien Rische <jrische>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: abokovoy, antorres, dpal, fdvorak, ftrivino, gkaihoro, jrische, j, npmccallum, sam, sbose, ssorce
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: krb5-1.20.1-3.fc38
Clone Of: 2016312
Last Closed: 2023-01-13 14:43:42 UTC
Type: Bug
Bug Depends On: 2016312
Bug Blocks: 1956994, 2060421, 2068535, 2114771, 2209621

Description Julien Rische 2022-09-06 08:43:12 UTC
+++ This bug was initially created as a clone of Bug #2016312 +++

Rebase MIT Kerberos to 1.20 series once they are released upstream in late 2021.

Major change in 1.20 is a refactoring of KDB interface to handle MS-PAC records to allow more precise and hardened handling of tickets in environments integrated with Active Directory, as well as support of resource-based constrained delegation.

Changes in krb5 1.20 will affect RHEL IdM and Samba. Both components are currently being adapted to the 1.20 changes upstream.

--- Additional comment from Alexander Bokovoy on 2022-01-19 08:30:30 UTC ---

Since krb5 1.20 is not yet tagged and, in discussion with upstream, it is going to be released somewhere during spring 2022, we would move the rebase forward to the next possible development version of RHEL 9.

--- Additional comment from Julien Rische on 2022-08-11 13:08:11 UTC ---

The krb5 1.20 rebase is available here:
https://src.fedoraproject.org/fork/jrische/rpms/krb5/tree/krb5-1.20

Tests are failing for Fedora 35, but it seems related to a change in glibc affecting resolv_wrapper, which is used in tests for KDC DNS lookup:
https://gitlab.com/cwrap/resolv_wrapper/-/commit/c75587f858eb49e6b13ab610e63289df0485ddac

--- Additional comment from Julien Rische on 2022-09-02 10:39:49 UTC ---

AD/MIT cross-realm seems to be broken since version 1.20 (tested on Fedora and C9S/RHEL against Windows Server 2019). An AD principal is able to request a ticket for an MIT principal, but the opposite fails with a generic error (without e-text). This issue persists even when PAC is disabled on the MIT KDC.

It seems to be related to the content of the MIT TGT, because after pre-authentication using krb5 1.20 and downgrading to 1.19.*, the cross-realm TGT TGS-REQ succeeds, but the service ticket TGS-REQ will continue to fail until the ccache is destroyed and the TGT requested again.

No obvious difference is visible in the network capture.

--- Additional comment from Julien Rische on 2022-09-05 17:27:44 UTC ---

C9S pull request:
https://gitlab.com/redhat/centos-stream/rpms/krb5/-/merge_requests/23

Comment 1 Fedora Update System 2022-12-01 15:02:17 UTC
FEDORA-2022-8050ab2c35 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2022-8050ab2c35

Comment 2 Fedora Update System 2022-12-01 17:37:57 UTC
FEDORA-2022-311128dd7e has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2022-311128dd7e

Comment 3 Fedora Update System 2022-12-07 13:29:04 UTC
FEDORA-2022-311128dd7e has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.