+++ This bug was initially created as a clone of Bug #713518 +++ Created attachment 504902 [details] Patch to re-enable same-realm fallback for canonicalize errors Description of problem: Clients linked against Kerberos 1.9 fail against older KDCs that don't support canonicalize. This affects FNAL, since we have operational needs to keep KDC online, but want to allow folks running RHEL6 (and compatible) to connect. Version-Release number of selected component (if applicable): krb-1.9 How reproducible: Always. Steps to Reproduce: 1. kinit with an older (1.2?) KDC. 2. ssh using kerberos to another node. Actual results: debug1: Unspecified GSS failure. Minor code may provide more information KDC can't fulfill requested option Expected results: Successful ssh connection Additional info: Here's the mail from Greg Hudson from the MIT Kerberos team: Neither of these functions is used in the TGS request path. What actually happened was a change in the fallback behavior when get_creds.c was rewritten for 1.9. Previously, we would retry without the canonicalize bit set any time we got an error from our first referral request, but in 1.9 we only retry if we would be doing so in a different realm. The old fallback behavior will be restored in 1.9.2 (I just committed the patch), but depending on your deployment scenario, it may be easier to work around this problem by patching the KDC. It would be a very simple patch to validate_tgs_request() in kdc_util.c. I've attached Greg's patch. It applies cleanly (with fuzz) to 1.9-9, and I did some rudimentary testing at Fermilab which was successful.
Although this bug was originally filed against RHEL 6.1, the same bug affects Fedora 15, which also used krb5 1.9. The same patch also fixes the krb5 in Fedora 15.
krb5-1.9.1-5.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/krb5-1.9.1-5.fc15
Package krb5-1.9.1-5.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing krb5-1.9.1-5.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/krb5-1.9.1-5.fc15 then log in and leave karma (feedback).
I have tested this on both 32 bit and 64 bit Fedora 15. I have successfully been able to log into Fermilab with both of them. Thank you very much for the quick turnaround. I will attempt to increase the karma of this, but I'm not sure if I have login rights on there, so if someone else wants to increase the Karma, that would be fine with me.
krb5-1.9.1-5.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.