Bug 1852320 - krb5-libs regression
Summary: krb5-libs regression
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: krb5
Version: 32
Hardware: Unspecified
OS: Unspecified
Assignee: Robbie Harwood
QA Contact: Fedora Extras Quality Assurance
Reported: 2020-06-30 06:39 UTC by Nikos Mavrogiannopoulos
Modified: 2020-09-10 17:39 UTC

Last Closed: 2020-09-10 17:39:17 UTC
Type: Bug

Description Nikos Mavrogiannopoulos 2020-06-30 06:39:08 UTC
Description of problem:
Connecting with ssh to a specific host that has gssapi authentication works with:
krb5-libs-1.18-1.fc32.x86_64

When connecting using krb5-libs-1.18.2-9.fc32 I get:
ssh -v hostname
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Generic error (see e-text)


(there is no additional text)

Comment 2 Simo Sorce 2020-06-30 14:58:39 UTC
Potentially related to: https://bugzilla.redhat.com/show_bug.cgi?id=1852041 if it turns out to be some name canonicalization bug

Comment 4 Simo Sorce 2020-06-30 17:54:28 UTC
Sounds like a server misconfiguration issue, they have entries for both principals in the KDC, but the server fails to operate with one of them?
What is dns_canonicalize_hostname set to in your krb5.conf?
If it is set to fallback, try to change it to either true and see if it works that way.

Comment 5 Robbie Harwood 2020-07-01 20:09:37 UTC
Yeah, this is a server misconfiguration issue - works with `dns_canonicalize_hostname = true` but not with `dns_canonicalize_hostname = false`.  Can you file a bug?  I'm not sure who runs the server in question or where to file bugs about it.  (Simo's analysis of the problem in #c4 is correct, is what I'm saying.)

Comment 11 Robbie Harwood 2020-09-10 17:39:17 UTC
Closing this out since tickets have been filed with the problematic services.
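
A simplified model of the diagnosis in comments 4 and 5, as an added example that is not part of the original bug report or of krb5 itself: it shows why a KDC that knows both principals while the server accepts only one makes `true` work and `false` or `fallback` fail. The hostnames, realm, DNS mapping, and the assumption that the server accepts only the canonical principal are all constructed; real canonicalization (for example reverse DNS) is not modelled.

```python
# Added example: toy model of service-principal selection per
# dns_canonicalize_hostname value. All names below are constructed.

REALM = "EXAMPLE.COM"
# Constructed DNS: name typed by the user -> canonical hostname.
DNS_CANONICAL = {"login.example.com": "node01.example.com"}
# Situation suggested in comment 4: the KDC has entries for both principals ...
KDC_PRINCIPALS = {
    "host/login.example.com@EXAMPLE.COM",
    "host/node01.example.com@EXAMPLE.COM",
}
# ... but the server only operates with one (assumed here: the canonical one).
SERVER_KEYTAB = {"host/node01.example.com@EXAMPLE.COM"}


def principal(host):
    return f"host/{host}@{REALM}"


def candidates(typed, mode):
    """Principals the client requests from the KDC, in order."""
    canon = DNS_CANONICAL.get(typed, typed)
    if mode == "true":
        return [principal(canon)]
    if mode == "false":
        return [principal(typed)]
    if mode == "fallback":
        # The canonical name is tried only if the KDC does not know the typed one.
        return [principal(typed), principal(canon)]
    raise ValueError(f"unknown mode: {mode}")


def gss_auth(typed, mode):
    """Return (principal the ticket was issued for, whether the server accepts it)."""
    for name in candidates(typed, mode):
        if name in KDC_PRINCIPALS:
            # The KDC issued a ticket, so the client never tries the next name.
            return name, name in SERVER_KEYTAB
    return None, False


if __name__ == "__main__":
    for mode in ("true", "false", "fallback"):
        print(mode, gss_auth("login.example.com", mode))
```

In this model `fallback` behaves like `false` because the KDC answers for the typed name, so the canonical name is never requested.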

