Red Hat Bugzilla – Bug 1259846
KDC does not return proper client principal for client referrals
Last modified: 2015-11-19 00:14:36 EST
+++ This bug was initially created as a clone of Bug #1259844 +++
Description of problem:
When working on support for client referrals from trusted domains in FreeIPA I've found a bug in MIT Kerberos KDC that prevents it from returning correct trusted domain realm for client referral.
The reason for this bug is that prepare_error_as_req() uses KDC-specific table error code to check if wrong realm is reported rather than a protocol error code.
The fix upstream that removes need to consider error codes in prepare_error_as_req() is proposed at https://github.com/krb5/krb5/pull/323/
Attached is the minimal backport suggested by Simo that is essentially s/KRB5KDC_ERR_WRONG_REALM/KDC_ERR_WRONG_REALM/ in prepare_error_as_req() to reduce scope of backport.
According to Greg Hudson the bug exists since MIT Kerberos 1.7.
Created attachment 1069931 [details]
proposed backport patch
Can you add reproducer please that can be used to verify the bug fix? Thanks.
Greg has a patch with test cases: https://github.com/greghudson/krb5/commit/573f37ebda20e185929d9a6bf4b884fa322c9512
(In reply to Alexander Bokovoy from comment #4)
> Greg has a patch with test cases:
I should have checked that first.
please make sure that the fix includes the test too. Thanks.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.