Bug 1122324 - SPNEGO failure to fall back from IAKERB to GSSNTLMSSP
Summary: SPNEGO failure to fall back from IAKERB to GSSNTLMSSP
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: 21
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Roland Mainz
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2014-07-23 00:16 UTC by David Woodhouse
Modified: 2015-09-08 17:27 UTC (History)
6 users (show)

Fixed In Version: krb5-1.12.2-15.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-04-02 15:33:27 UTC
Type: Bug

Attachments (Terms of Use)

Description David Woodhouse 2014-07-23 00:16:26 UTC
Symptoms a bit like bug 1117963 except in this case the response we get on trying IAKERB has a negResult of accept-incomplete, not request-mic.

gss_init_sec_context() therefore returns GSS_S_DEFECTIVE_TOKEN because of this check in spnego_mech.c::init_ctx_reselect():

	 * Windows 2003 and earlier don't correctly send a
	 * negState of request-mic when counter-proposing a
	 * mechanism.  They probably don't handle mechListMICs
	 * properly either.
	if (acc_negState != REQUEST_MIC)

Is there something we can do to work around this? It's causing compatibility problems for my users.

Disabling IAKERB completely would probably suffice to fix it for them... it would be really useful to have a way to do that.

Comment 1 David Woodhouse 2014-07-25 09:46:40 UTC
For my own reference and later testing, URL is http://eam.intel.com/eamweb/

Comment 2 David Woodhouse 2014-07-25 10:55:19 UTC
Proposed patch (needs careful review from someone more clueful than I) at http://mailman.mit.edu/pipermail/krbdev/2014-July/012085.html

Comment 3 David Woodhouse 2014-08-20 16:22:19 UTC
A version of this patch is now merged upstream:

Comment 4 David Woodhouse 2014-08-20 16:42:18 UTC
Koji scratch build at http://koji.fedoraproject.org/koji/taskinfo?taskID=7431821

Comment 5 David Woodhouse 2014-10-03 08:47:06 UTC
Still not fixed in f21 (or f20).

Comment 6 Fedora Admin XMLRPC Client 2014-10-06 16:38:15 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 7 David Woodhouse 2015-01-22 10:06:57 UTC
I seem to be still carrying an updated package for this in my own repository...

Comment 8 David Woodhouse 2015-03-17 12:55:27 UTC
And now we've shipped a real update which is newer than my "temporary" updated version, and yet still doesn't fix this :(

Comment 9 Fedora Update System 2015-03-17 17:14:56 UTC
krb5-1.12.2-15.fc21 has been submitted as an update for Fedora 21.

Comment 10 Fedora Update System 2015-03-17 17:14:57 UTC
krb5-1.11.5-19.fc20 has been submitted as an update for Fedora 20.

Comment 11 Fedora Update System 2015-03-18 10:31:45 UTC
Package krb5-1.11.5-19.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing krb5-1.11.5-19.fc20'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 12 Roland Mainz 2015-03-18 10:38:29 UTC
(In reply to David Woodhouse from comment #8)
> And now we've shipped a real update which is newer than my "temporary"
> updated version, and yet still doesn't fix this :(

Erm... I didn't had this one on my radar (if there is anything else which is still queued and needs to be done urgently then please PING/POKE me) ... ;-(

... you updated F20 and F21 ... is there no F22/F${rawhide} required ? Also... is there an (automated) **testcase** ? I'm currently very keen after improving our QA coverage...

Comment 13 David Woodhouse 2015-03-18 13:26:57 UTC
Indeed, the fix went upstream before krb5-1.13 which is in F22, so there's no need to patch that. I'm afraid I don't have a test case. Although in this case I did at least make sure I remember which server was problematic — I have other fixes in upstream Samba and Krb5 where I can't even remember *that*, which is somewhat suboptimal!

How would you like to be poked? I don't see you on IRC. Is a direct email better than you one you receive via bugzilla when I poke you as I did in comment #8?

Comment 14 Fedora Update System 2015-04-02 15:33:27 UTC
krb5-1.11.5-19.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2015-04-02 15:38:24 UTC
krb5-1.12.2-15.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.