Bug 1259844 - KDC does not return proper client principal for client referrals
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: 22
Hardware: Unspecified
OS: Unspecified
Assignee: Robbie Harwood
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-09-03 15:32 UTC by Alexander Bokovoy
Modified: 2015-10-28 16:26 UTC (History)

Fixed In Version: krb5-1.13.2-11.fc23 krb5-1.13.2-8.fc22
Doc Type: Bug Fix
Clone Of:
: 1259846 (view as bug list)
Last Closed: 2015-10-11 16:01:42 UTC
Type: Bug

Attachments
proposed backport patch (1.04 KB, patch)
2015-09-03 15:32 UTC, Alexander Bokovoy

Description Alexander Bokovoy 2015-09-03 15:32:02 UTC
Created attachment 1069928
proposed backport patch

Description of problem:
When working on support for client referrals from trusted domains in FreeIPA, I've found a bug in the MIT Kerberos KDC that prevents it from returning the correct trusted domain realm for a client referral.

The reason for this bug is that prepare_error_as_req() uses a KDC-specific table error code to check if the wrong realm is reported, rather than a protocol error code.

The upstream fix, which removes the need to consider error codes in prepare_error_as_req(), is proposed at https://github.com/krb5/krb5/pull/323/

Attached is the minimal backport suggested by Simo, which is essentially s/KRB5KDC_ERR_WRONG_REALM/KDC_ERR_WRONG_REALM/ in prepare_error_as_req(), to reduce the scope of the backport.

According to Greg Hudson, the bug has existed since MIT Kerberos 1.7.
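
A simplified C model of the check described in the report above, added here as an illustration; it is not the krb5 source or the attached patch. The struct types, function names and realm names are constructed, and the model assumes the error value has already been reduced to its protocol number by the time the check runs.

```c
#include <stdio.h>
#include <string.h>

/* Values as defined by MIT krb5 (com_err table) and RFC 4120 (protocol). */
#define ERROR_TABLE_BASE_krb5   (-1765328384L)
#define KDC_ERR_WRONG_REALM     68                           /* protocol code */
#define KRB5KDC_ERR_WRONG_REALM (ERROR_TABLE_BASE_krb5 + 68) /* table code */

/* Constructed stand-ins for this example, not the real krb5 types. */
struct principal { const char *realm; const char *name; };
struct as_error { long error; const struct principal *client; };

/* Assumed caller behaviour: table code reduced to its protocol number. */
static long to_protocol_code(long table_code)
{
    return table_code - ERROR_TABLE_BASE_krb5;
}

/* Before the backport: the protocol-level value is compared with the
 * table code, so the referral branch can never be taken. */
static void fill_error_before(struct as_error *e, long error,
        const struct principal *req, const struct principal *canon)
{
    e->error = error;
    e->client = (error == KRB5KDC_ERR_WRONG_REALM) ? canon : req;
}

/* After the backport: compared with the protocol code. */
static void fill_error_after(struct as_error *e, long error,
        const struct principal *req, const struct principal *canon)
{
    e->error = error;
    e->client = (error == KDC_ERR_WRONG_REALM) ? canon : req;
}

/* Realm the client would read from the error reply (constructed names). */
static const char *referral_realm(int fixed)
{
    static const struct principal req = { "IPA.EXAMPLE", "user@AD.EXAMPLE" };
    static const struct principal canon = { "AD.EXAMPLE", "user" };
    struct as_error e;
    long error = to_protocol_code(KRB5KDC_ERR_WRONG_REALM);
    (fixed ? fill_error_after : fill_error_before)(&e, error, &req, &canon);
    return e.client->realm;
}

int main(void)
{
    printf("before: %s\nafter:  %s\n", referral_realm(0), referral_realm(1));
    return 0;
}
```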

Comment 1 Alexander Bokovoy 2015-10-08 13:05:47 UTC
Ping, can we get this fix pushed to Fedora (22 and 23)? This blocks a feature of FreeIPA 4.2.2 release.

Comment 2 Robbie Harwood 2015-10-08 20:08:32 UTC
I was hoping to pull this in with 1.14, but if this is needed for other packages I will do otherwise.

It's in rawhide; versions of 22 and 23 to follow shortly.

Comment 3 Fedora Update System 2015-10-08 20:28:49 UTC
krb5-1.13.2-8.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-f99c19a9c9

Comment 4 Fedora Update System 2015-10-09 13:54:08 UTC
krb5-1.13.2-8.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update krb5'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-f99c19a9c9

Comment 5 Fedora Update System 2015-10-09 13:54:46 UTC
krb5-1.13.2-11.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update krb5'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-424e5dcdaa

Comment 6 Fedora Update System 2015-10-11 16:01:40 UTC
krb5-1.13.2-11.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-10-28 16:26:50 UTC
krb5-1.13.2-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.