Created attachment 1069928 [details] proposed backport patch Description of problem: When working on support for client referrals from trusted domains in FreeIPA I've found a bug in MIT Kerberos KDC that prevents it from returning correct trusted domain realm for client referral. The reason for this bug is that prepare_error_as_req() uses KDC-specific table error code to check if wrong realm is reported rather than a protocol error code. The fix upstream that removes need to consider error codes in prepare_error_as_req() is proposed at https://github.com/krb5/krb5/pull/323/ Attached is the minimal backport suggested by Simo that is essentially s/KRB5KDC_ERR_WRONG_REALM/KDC_ERR_WRONG_REALM/ in prepare_error_as_req() to reduce scope of backport. According to Greg Hudson the bug exists since MIT Kerberos 1.7.
Ping, can we get this fix pushed to Fedora (22 and 23)? This blocks a feature of FreeIPA 4.2.2 release.
I was hoping to pull this in with 1.14, but if this is needed for other packages I will do otherwise. It's in rawhide; versions of 22 and 23 to follow shortly.
krb5-1.13.2-8.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-f99c19a9c9
krb5-1.13.2-8.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update krb5' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-f99c19a9c9
krb5-1.13.2-11.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update krb5' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-424e5dcdaa
krb5-1.13.2-11.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
krb5-1.13.2-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.