Red Hat Bugzilla – Bug 715074
Canonicalize fallback only works for different realm (MITKRB RT #6917)
Last modified: 2011-07-06 17:36:14 EDT
+++ This bug was initially created as a clone of Bug #713518 +++
Created attachment 504902 [details]
Patch to re-enable same-realm fallback for canonicalize errors
Description of problem:
Clients linked against Kerberos 1.9 fail against older KDCs that don't support canonicalize. This affects FNAL, since we have operational needs to keep KDC online, but want to allow folks running RHEL6 (and compatible) to connect.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. kinit with an older (1.2?) KDC.
2. ssh using kerberos to another node.
debug1: Unspecified GSS failure. Minor code may provide more information
KDC can't fulfill requested option
Successful ssh connection
Here's the mail from Greg Hudson from the MIT Kerberos team:
Neither of these functions is used in the TGS request path. What
actually happened was a change in the fallback behavior when get_creds.c
was rewritten for 1.9. Previously, we would retry without the
canonicalize bit set any time we got an error from our first referral
request, but in 1.9 we only retry if we would be doing so in a different
The old fallback behavior will be restored in 1.9.2 (I just committed
the patch), but depending on your deployment scenario, it may be easier
to work around this problem by patching the KDC. It would be a very
simple patch to validate_tgs_request() in kdc_util.c.
I've attached Greg's patch. It applies cleanly (with fuzz) to 1.9-9, and I did some rudimentary testing at Fermilab which was successful.
Although this bug was originally filed against RHEL 6.1, the same bug affects Fedora 15, which also used krb5 1.9.
The same patch also fixes the krb5 in Fedora 15.
krb5-1.9.1-5.fc15 has been submitted as an update for Fedora 15.
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing krb5-1.9.1-5.fc15'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
I have tested this on both 32 bit and 64 bit Fedora 15.
I have successfully been able to log into Fermilab with both of them.
Thank you very much for the quick turnaround.
I will attempt to increase the karma of this, but I'm not sure if I have login rights on there, so if someone else wants to increase the Karma, that would be fine with me.
krb5-1.9.1-5.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.