Bug 951843 - PAC is not recognized in krb5 1.11.1 KDC at TGS-REQ
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: 19
Hardware: Unspecified
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 951964 951965
Reported: 2013-04-13 18:53 UTC by Alexander Bokovoy
Modified: 2013-04-23 03:35 UTC

Fixed In Version: krb5-1.11.2-1.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 951964 (view as bug list)
Environment:
Last Closed: 2013-04-23 03:35:01 UTC
Type: Bug
Embargoed:


Description Alexander Bokovoy 2013-04-13 18:53:42 UTC
Description of problem:

FAST request processing in krb5 1.11.1 drops the message type to 0, which leads to not recognizing the PAC in the TGT and not attaching the PAC to the issued service tickets during TGS-REQ processing.

As a result, FreeIPA cross-realm trusts with Active Directory stopped working when an AD user tries to log in via ssh from one of the IPA-controlled machines, since SSSD cannot pull the list of the AD user's SIDs out of the PAC in the ticket and map them to secondary groups. Additionally, Samba is unable to see the PAC and resorts to the local identity provider (SSSD), which leads to not recognizing the user's groups and failing access control.

There is a one-line fix provided by Greg Hudson here: https://github.com/greghudson/krb5/commit/3fbdcd0965180b46c545187e7784350340ae88ee

Unfortunately, the fix didn't make it into 1.11.2, so the patch has to be applied on top of the currently existing updates.

Comment 1 Fedora Update System 2013-04-15 15:48:20 UTC
krb5-1.11.2-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/krb5-1.11.2-1.fc19

Comment 2 Fedora Update System 2013-04-16 16:08:02 UTC
Package krb5-1.11.2-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing krb5-1.11.2-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5776/krb5-1.11.2-1.fc19
then log in and leave karma (feedback).

Comment 3 Fedora Update System 2013-04-18 17:23:56 UTC
Package krb5-1.11.2-2.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing krb5-1.11.2-2.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5776/krb5-1.11.2-2.fc19
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2013-04-23 03:35:04 UTC
krb5-1.11.2-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

