Bug 2124463 - Rebase krb5 to latest upstream release 1.20 [fedora-rawhide]
Summary: Rebase krb5 to latest upstream release 1.20 [fedora-rawhide]
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Julien Rische
QA Contact: Fedora Extras Quality Assurance
Depends On: 2016312
Blocks: 1956994 2060421 2068535 2114771
Reported: 2022-09-06 08:43 UTC by Julien Rische
Modified: 2023-01-13 14:43 UTC

Fixed In Version: krb5-1.20.1-3.fc38
Clone Of: 2016312
Last Closed: 2023-01-13 14:43:42 UTC
Type: Bug

System | ID | Private | Priority | Status | Summary | Last Updated
Fedora Package Sources | krb5 pull-request 27 | 0 | None | None | None | 2022-11-23 18:53:01 UTC
Red Hat Issue Tracker | FREEIPA-8710 | 0 | None | None | None | 2022-09-06 08:53:49 UTC

Description Julien Rische 2022-09-06 08:43:12 UTC
+++ This bug was initially created as a clone of Bug #2016312 +++

Rebase MIT Kerberos to the 1.20 series once it is released upstream in late 2021.

The major change in 1.20 is a refactoring of the KDB interface to handle MS-PAC records to allow more precise and hardened handling of tickets in environments integrated with Active Directory, as well as support for resource-based constrained delegation.

Changes in krb5 1.20 will affect RHEL IdM and Samba. Both components are currently being adapted to the 1.20 changes upstream.

--- Additional comment from Alexander Bokovoy on 2022-01-19 08:30:30 UTC ---

Since krb5 1.20 is not yet tagged and, in discussion with upstream, it is going to be released sometime during spring 2022, we would move the rebase forward to the next possible development version of RHEL 9.

--- Additional comment from Julien Rische on 2022-08-11 13:08:11 UTC ---

The krb5 1.20 rebase is available here:

Tests are failing for Fedora 35, but it seems related to a change in glibc affecting resolv_wrapper, which is used in tests for KDC DNS lookup:

--- Additional comment from Julien Rische on 2022-09-02 10:39:49 UTC ---

AD/MIT cross-realm seems to be broken since version 1.20 (tested on Fedora and C9S/RHEL against Windows Server 2019). An AD principal is able to request a ticket for an MIT principal, but the opposite fails with a generic error (without e-text). This issue persists even when PAC is disabled on the MIT KDC.

It seems to be related to the content of the MIT TGT, because after pre-authentication using krb5 1.20 and downgrading to 1.19.*, the cross-realm TGT TGS-REQ succeeds, but the service ticket TGS-REQ will continue to fail until the ccache is destroyed and the TGT requested again.

No obvious difference is visible in the network capture.

--- Additional comment from Julien Rische on 2022-09-05 17:27:44 UTC ---

C9S pull request:

Comment 1 Fedora Update System 2022-12-01 15:02:17 UTC
FEDORA-2022-8050ab2c35 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2022-8050ab2c35

Comment 2 Fedora Update System 2022-12-01 17:37:57 UTC
FEDORA-2022-311128dd7e has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2022-311128dd7e

Comment 3 Fedora Update System 2022-12-07 13:29:04 UTC
FEDORA-2022-311128dd7e has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.
