+++ This bug was initially created as a clone of Bug #2016312 +++
Rebase MIT Kerberos to 1.20 series once they are released upstream in late 2021.
Major change in 1.20 is a refactoring of KDB interface to handle MS-PAC records to allow more precise and hardened handling of tickets in environments integrated with Active Directory, as well as support of resource-based constrained delegation.
Changes in krb5 1.20 will affect RHEL IdM and Samba. Both components are currently being adapted to 1.20 changes upstream.
--- Additional comment from Alexander Bokovoy on 2022-01-19 08:30:30 UTC ---
Since krb5 1.20 is not yet tagged and in discussion with upstream it is going to be released somewhere during spring 2022, we would move the rebase forward to the next possible development version of RHEL 9.
--- Additional comment from Julien Rische on 2022-08-11 13:08:11 UTC ---
The krb5 1.20 rebase is available here:
Tests are failing for Fedora 35, but it seems related to a change in glibc affecting resolv_wrapper, which is used in tests for KDC DNS lookup:
--- Additional comment from Julien Rische on 2022-09-02 10:39:49 UTC ---
AD/MIT cross-realm seems to be broken since version 1.20 (tested on Fedora and C9S/RHEL against Windows Server 2019). An AD principal is able to request a ticket for an MIT principal, but the opposite fails with a generic error (without e-text). This issue persists even when PAC is disabled on MIT KDC.
It seems to be related to the content of the MIT TGT, because after pre-authentication using krb5 1.20 and downgrading to 1.19.*, the cross-realm TGT TGS-REQ succeeds, but the service ticket TGS-REQ will continue to fail until the ccache is destroyed and the TGT requested again.
No obvious difference is visible in the network capture.
--- Additional comment from Julien Rische on 2022-09-05 17:27:44 UTC ---
C9S pull request:
FEDORA-2022-8050ab2c35 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2022-8050ab2c35
FEDORA-2022-311128dd7e has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2022-311128dd7e
FEDORA-2022-311128dd7e has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.