+++ This bug was initially created as a clone of Bug #2060421 +++ [root@master ~]# ipa trust-find --------------- 1 trust matched --------------- Realm name: win19-13r8.test Domain NetBIOS name: WIN19-13R8 Domain Security Identifier: S-1-5-21-3829174166-1252505095-3327585824 Trust type: Active Directory domain ---------------------------- Number of entries returned 1 ---------------------------- [root@master ~]# klist -e Ticket cache: KCM:0 Default principal: admin Valid starting Expires Service principal 03/03/2022 08:42:50 03/04/2022 08:19:50 HTTP/master.testrealm1way.test Etype (skey, tkt): aes256-cts-hmac-sha384-192, aes256-cts-hmac-sha384-192 03/03/2022 08:42:48 03/04/2022 08:19:50 krbtgt/TESTREALM1WAY.TEST Etype (skey, tkt): aes256-cts-hmac-sha384-192, aes256-cts-hmac-sha384-192 [root@master ~]# KRB5_TRACE=/dev/stderr kvno -S cifs ad1-13r8.win19-13r8.test [24932] 1646315147.757589: Getting credentials admin -> cifs/ad1-13r8.win19-13r8.test using ccache KCM:0 [24932] 1646315147.757590: Retrieving admin -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:0 with result: -1765328243/Matching credential not found [24932] 1646315147.757591: Retrieving admin -> cifs/ad1-13r8.win19-13r8.test from KCM:0 with result: -1765328243/Matching credential not found [24932] 1646315147.757592: Retrieving admin -> krbtgt/WIN19-13R8.TEST from KCM:0 with result: -1765328243/Matching credential not found [24932] 1646315147.757593: Retrieving admin -> krbtgt/TESTREALM1WAY.TEST from KCM:0 with result: 0/Success [24932] 1646315147.757594: Starting with TGT for client realm: admin -> krbtgt/TESTREALM1WAY.TEST [24932] 1646315147.757595: Retrieving admin -> krbtgt/WIN19-13R8.TEST from KCM:0 with result: -1765328243/Matching credential not found [24932] 1646315147.757596: Requesting TGT krbtgt/WIN19-13R8.TEST using TGT krbtgt/TESTREALM1WAY.TEST [24932] 1646315147.757597: Generated subkey for TGS request: aes256-sha2/107C [24932] 1646315147.757598: etypes requested in TGS request: aes256-sha2, aes256-cts, aes128-sha2, aes128-cts [24932] 1646315147.757600: Encoding request body and padata into FAST request [24932] 1646315147.757601: Sending request (1948 bytes) to TESTREALM1WAY.TEST [24932] 1646315147.757602: Initiating TCP connection to stream 10.0.199.42:88 [24932] 1646315147.757603: Sending TCP request to stream 10.0.199.42:88 [24932] 1646315147.757604: Received answer (1804 bytes) from stream 10.0.199.42:88 [24932] 1646315147.757605: Terminating TCP connection to stream 10.0.199.42:88 [24932] 1646315147.757606: Response was from primary KDC [24932] 1646315147.757607: Decoding FAST response [24932] 1646315147.757608: FAST reply key: aes256-sha2/3569 [24932] 1646315147.757609: TGS reply is for admin -> krbtgt/WIN19-13R8.TEST with session key aes256-cts/349C [24932] 1646315147.757610: TGS request result: 0/Success [24932] 1646315147.757611: Received TGT for WIN19-13R8.TEST; advancing current realm [24932] 1646315147.757612: Retrieving admin -> krbtgt/WIN19-13R8.TEST from KCM:0 with result: -1765328243/Matching credential not found [24932] 1646315147.757613: Requesting TGT krbtgt/WIN19-13R8.TEST using TGT krbtgt/WIN19-13R8.TEST [24932] 1646315147.757614: Generated subkey for TGS request: aes256-cts/6248 [24932] 1646315147.757615: etypes requested in TGS request: aes256-sha2, aes256-cts, aes128-sha2, aes128-cts [24932] 1646315147.757617: Encoding request body and padata into FAST request [24932] 1646315147.757618: Sending request (1812 bytes) to WIN19-13R8.TEST [24932] 1646315147.757619: Initiating TCP connection to stream 10.0.199.57:88 [24932] 1646315147.757620: Sending TCP request to stream 10.0.199.57:88 [24932] 1646315147.757621: Received answer (331 bytes) from stream 10.0.199.57:88 [24932] 1646315147.757622: Terminating TCP connection to stream 10.0.199.57:88 [24932] 1646315147.757623: Response was from primary KDC [24932] 1646315147.757624: Decoding FAST response [24932] 1646315147.757625: TGS request result: -1765328324/Generic error (see e-text) kvno: Generic error (see e-text) while getting credentials for cifs/ad1-13r8.win19-13r8.test From krb5kdc.log: Mar 03 08:45:47 master.testrealm1way.test krb5kdc[24353](info): TGS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.0.199.42: ISSUE: authtime 1646314968, etypes {rep=aes256-cts-hmac-sha384-192(20), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin for krbtgt/WIN19-13R8.TEST I think we've seen this issue when developing krb5 1.20 upstream, so it needs to be re-verified with 1.20 when rebase happens.
FEDORA-2023-5cd7789569 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5cd7789569
FEDORA-2023-5cd7789569 has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle. Changing version to 39.