The same server-side issue can be found when a 1.11 client talks to a 1.10 KDC.

+++ This bug was initially created as a clone of Bug #951843 +++

Description of problem:

FAST request processing in krb5 1.11.1 drops the message type to 0, which leads to not recognizing the PAC in the TGT and not attaching the PAC to the issued service tickets during TGS-REQ processing.

As a result, FreeIPA cross-realm trusts with Active Directory stopped working when an AD user tries to log in via ssh from one of the IPA-controlled machines, since SSSD cannot pull the list of the AD user's SIDs out of the PAC in the ticket and map them to secondary groups. Additionally, Samba is unable to see the PAC and resorts to the local identity provider (SSSD), which leads to not recognizing the user's groups and failing access control.

There is a one-line fix provided by Greg Hudson here: https://github.com/greghudson/krb5/commit/3fbdcd0965180b46c545187e7784350340ae88ee

Unfortunately, the fix didn't make it into 1.11.2, so the patch has to be applied on top of the currently existing updates.
krb5-1.10.3-16.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/krb5-1.10.3-16.fc18
krb5-1.10.2-11.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/krb5-1.10.2-11.fc17
Package krb5-1.10.3-16.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing krb5-1.10.3-16.fc18'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-6016/krb5-1.10.3-16.fc18
then log in and leave karma (feedback).
krb5-1.10.2-11.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
krb5-1.10.3-16.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.