Symptoms a bit like bug 1117963 except in this case the response we get on trying IAKERB has a negResult of accept-incomplete, not request-mic. gss_init_sec_context() therefore returns GSS_S_DEFECTIVE_TOKEN because of this check in spnego_mech.c::init_ctx_reselect(): /* * Windows 2003 and earlier don't correctly send a * negState of request-mic when counter-proposing a * mechanism. They probably don't handle mechListMICs * properly either. */ if (acc_negState != REQUEST_MIC) return GSS_S_DEFECTIVE_TOKEN; Is there something we can do to work around this? It's causing compatibility problems for my users. Disabling IAKERB completely would probably suffice to fix it for them... it would be really useful to have a way to do that.
For my own reference and later testing, URL is http://eam.intel.com/eamweb/
Proposed patch (needs careful review from someone more clueful than I) at http://mailman.mit.edu/pipermail/krbdev/2014-July/012085.html
A version of this patch is now merged upstream: https://github.com/krb5/krb5/commit/7208dace8
Koji scratch build at http://koji.fedoraproject.org/koji/taskinfo?taskID=7431821
Still not fixed in f21 (or f20).
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
I seem to be still carrying an updated package for this in my own repository...
And now we've shipped a real update which is newer than my "temporary" updated version, and yet still doesn't fix this :(
krb5-1.12.2-15.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/krb5-1.12.2-15.fc21
krb5-1.11.5-19.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/krb5-1.11.5-19.fc20
Package krb5-1.11.5-19.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing krb5-1.11.5-19.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-4077/krb5-1.11.5-19.fc20 then log in and leave karma (feedback).
(In reply to David Woodhouse from comment #8) > And now we've shipped a real update which is newer than my "temporary" > updated version, and yet still doesn't fix this :( Erm... I didn't had this one on my radar (if there is anything else which is still queued and needs to be done urgently then please PING/POKE me) ... ;-( ... you updated F20 and F21 ... is there no F22/F${rawhide} required ? Also... is there an (automated) **testcase** ? I'm currently very keen after improving our QA coverage...
Indeed, the fix went upstream before krb5-1.13 which is in F22, so there's no need to patch that. I'm afraid I don't have a test case. Although in this case I did at least make sure I remember which server was problematic — I have other fixes in upstream Samba and Krb5 where I can't even remember *that*, which is somewhat suboptimal! How would you like to be poked? I don't see you on IRC. Is a direct email better than you one you receive via bugzilla when I poke you as I did in comment #8?
krb5-1.11.5-19.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
krb5-1.12.2-15.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.