Bug 761317

Summary: Please backport s4u2proxy fixes from upstream trunk
Product: [Fedora] Fedora Reporter: Simo Sorce <ssorce>
Component: krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: dpal, jgalipea, nalin
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: krb5-1.9.2-6.fc15 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 761523 (view as bug list) Environment:
Last Closed: 2012-02-11 22:04:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 761523    

Description Simo Sorce 2011-12-08 02:53:58 UTC 
Please apply patches for upstream tickets number: 7046, 7047, 7048 to the krb5 packages.

These patches should apply cleanly to 1.9 and 1.10 without issues.

They are need for an upcoming version of IPA that uses s4u2proxy constrained delegation.

Please note that the upstream committed patch for 7048 is faulty, a fix should be committed shortly and will need to be incorporated as well.
Comment 1 Nalin Dahyabhai 2011-12-13 16:32:08 UTC 
The patches don't just apply to 1.9.  I'm going to need a decent way to test the results before I push them in.
Comment 2 Simo Sorce 2011-12-13 18:13:07 UTC 
The only stuff that exercise this code is FreeIPA tools in master (after Rob's patches will be applied).
Comment 3 Jenny Severance 2012-01-24 16:35:25 UTC 
Steps to reproduce:

1) install IPA 
2) kinit as admin
3) ipa user-show admin

No IPA CLI commands will work without this fix
Comment 4 Nalin Dahyabhai 2012-01-30 22:20:12 UTC 
(In reply to comment #3)
> Steps to reproduce:
> 
> 1) install IPA 
> 2) kinit as admin
> 3) ipa user-show admin
> 
> No IPA CLI commands will work without this fix

This command already works without the patch.  In which version does IPA grow a dependency on these changes, so that it doesn't work without them?  And what distinguishes an error caused by this not working from any other error?
Comment 7 Fedora Update System 2012-01-31 00:43:19 UTC 
krb5-1.9.2-6.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/krb5-1.9.2-6.fc16
Comment 8 Fedora Update System 2012-01-31 00:43:28 UTC 
krb5-1.9.2-6.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/krb5-1.9.2-6.fc15
Comment 9 Fedora Update System 2012-01-31 21:58:52 UTC 
Package krb5-1.9.2-6.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing krb5-1.9.2-6.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-1067/krb5-1.9.2-6.fc16
then log in and leave karma (feedback).
Comment 10 Fedora Update System 2012-02-11 22:04:27 UTC 
krb5-1.9.2-6.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2012-02-17 00:58:21 UTC 
krb5-1.9.2-6.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.