Bug 715074

Summary: Canonicalize fallback only works for different realm (MITKRB RT #6917)
Product: [Fedora] Fedora Reporter: Troy Dawson <dawson>
Component: krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 15CC: burt, csieh, dpal, jplans, jwest, nalin, prc
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: krb5-1.9.1-5.fc15 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 713518 Environment:
Last Closed: 2011-07-06 17:36:14 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Troy Dawson 2011-06-21 15:45:07 EDT
+++ This bug was initially created as a clone of Bug #713518 +++

Created attachment 504902 [details]
Patch to re-enable same-realm fallback for canonicalize errors

Description of problem:

Clients linked against Kerberos 1.9 fail against older KDCs that don't support canonicalize.  This affects FNAL, since we have operational needs to keep KDC online, but want to allow folks running RHEL6 (and compatible) to connect.

Version-Release number of selected component (if applicable):

How reproducible:


Steps to Reproduce:

1. kinit with an older (1.2?) KDC.  
2. ssh using kerberos to another node.

Actual results:

debug1: Unspecified GSS failure.  Minor code may provide more information
KDC can't fulfill requested option

Expected results:

Successful ssh connection

Additional info:

Here's the mail from Greg Hudson from the MIT Kerberos team:

Neither of these functions is used in the TGS request path.  What
actually happened was a change in the fallback behavior when get_creds.c
was rewritten for 1.9.  Previously, we would retry without the
canonicalize bit set any time we got an error from our first referral
request, but in 1.9 we only retry if we would be doing so in a different

The old fallback behavior will be restored in 1.9.2 (I just committed
the patch), but depending on your deployment scenario, it may be easier
to work around this problem by patching the KDC.  It would be a very
simple patch to validate_tgs_request() in kdc_util.c. 

I've attached Greg's patch.  It applies cleanly (with fuzz) to 1.9-9, and I did some rudimentary testing at Fermilab which was successful.
Comment 1 Troy Dawson 2011-06-21 15:47:59 EDT
Although this bug was originally filed against RHEL 6.1, the same bug affects Fedora 15, which also used krb5 1.9.
The same patch also fixes the krb5 in Fedora 15.
Comment 2 Fedora Update System 2011-06-24 15:39:19 EDT
krb5-1.9.1-5.fc15 has been submitted as an update for Fedora 15.
Comment 3 Fedora Update System 2011-06-25 16:01:27 EDT
Package krb5-1.9.1-5.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing krb5-1.9.1-5.fc15'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 4 Troy Dawson 2011-06-25 19:25:01 EDT
I have tested this on both 32 bit and 64 bit Fedora 15.
I have successfully been able to log into Fermilab with both of them.
Thank you very much for the quick turnaround.
I will attempt to increase the karma of this, but I'm not sure if I have login rights on there, so if someone else wants to increase the Karma, that would be fine with me.
Comment 5 Fedora Update System 2011-07-06 17:36:03 EDT
krb5-1.9.1-5.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.