Bug 715074 - Canonicalize fallback only works for different realm (MITKRB RT #6917)
Summary: Canonicalize fallback only works for different realm (MITKRB RT #6917)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: 15
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-06-21 19:45 UTC by Troy Dawson
Modified: 2011-07-06 21:36 UTC (History)
7 users (show)

Fixed In Version: krb5-1.9.1-5.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of: 713518
Environment:
Last Closed: 2011-07-06 21:36:14 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Troy Dawson 2011-06-21 19:45:07 UTC
+++ This bug was initially created as a clone of Bug #713518 +++

Created attachment 504902 [details]
Patch to re-enable same-realm fallback for canonicalize errors

Description of problem:

Clients linked against Kerberos 1.9 fail against older KDCs that don't support canonicalize.  This affects FNAL, since we have operational needs to keep KDC online, but want to allow folks running RHEL6 (and compatible) to connect.

Version-Release number of selected component (if applicable):
krb-1.9

How reproducible:

Always.

Steps to Reproduce:

1. kinit with an older (1.2?) KDC.  
2. ssh using kerberos to another node.

  
Actual results:

debug1: Unspecified GSS failure.  Minor code may provide more information
KDC can't fulfill requested option


Expected results:

Successful ssh connection

Additional info:

Here's the mail from Greg Hudson from the MIT Kerberos team:

Neither of these functions is used in the TGS request path.  What
actually happened was a change in the fallback behavior when get_creds.c
was rewritten for 1.9.  Previously, we would retry without the
canonicalize bit set any time we got an error from our first referral
request, but in 1.9 we only retry if we would be doing so in a different
realm.

The old fallback behavior will be restored in 1.9.2 (I just committed
the patch), but depending on your deployment scenario, it may be easier
to work around this problem by patching the KDC.  It would be a very
simple patch to validate_tgs_request() in kdc_util.c. 

I've attached Greg's patch.  It applies cleanly (with fuzz) to 1.9-9, and I did some rudimentary testing at Fermilab which was successful.

Comment 1 Troy Dawson 2011-06-21 19:47:59 UTC
Although this bug was originally filed against RHEL 6.1, the same bug affects Fedora 15, which also used krb5 1.9.
The same patch also fixes the krb5 in Fedora 15.

Comment 2 Fedora Update System 2011-06-24 19:39:19 UTC
krb5-1.9.1-5.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/krb5-1.9.1-5.fc15

Comment 3 Fedora Update System 2011-06-25 20:01:27 UTC
Package krb5-1.9.1-5.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing krb5-1.9.1-5.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/krb5-1.9.1-5.fc15
then log in and leave karma (feedback).

Comment 4 Troy Dawson 2011-06-25 23:25:01 UTC
I have tested this on both 32 bit and 64 bit Fedora 15.
I have successfully been able to log into Fermilab with both of them.
Thank you very much for the quick turnaround.
I will attempt to increase the karma of this, but I'm not sure if I have login rights on there, so if someone else wants to increase the Karma, that would be fine with me.

Comment 5 Fedora Update System 2011-07-06 21:36:03 UTC
krb5-1.9.1-5.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.