[Bug 874439] Re: canonicalize fallback bug in krb5-user prevents ssh with older KDC

[Sam Hartman]

*** This bug is a duplicate of bug 874130 ***
    https://bugs.launchpad.net/bugs/874130

** This bug has been marked a duplicate of bug 874130
   Canonicalize fallback only works for different realm (MITKRB RT #6917)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/874439

Title:
  canonicalize fallback bug in krb5-user prevents ssh with older KDC

Status in “krb5” package in Ubuntu:
  New

Bug description:
  Hi,

  Upgrading from Natty to Oneiric upgrades krb5-user from version 1.8.3
  +dfsg-5ubuntu2.1 to 1.9.1+dfsg-1ubuntu1.  Immediately before the
  upgrade, I was able to SSH (to a network that uses an older KDC) using
  MIT Kerberos.  Immediately following the upgrade, the connection fails
  with the following in the verbose output of SSH:

  debug1: Unspecified GSS failure.  Minor code may provide more information
  KDC can't fulfill requested option

  Googling seems to indicate that this is a known bug in the 1.9.1
  series of the Kerberos library, and that it has been resolved for
  1.9.2.  Compare the bug reports in RHL
  (https://bugzilla.redhat.com/show_bug.cgi?id=713518) and Archlinux
  (https://bugs.archlinux.org/task/25515), which both include a patch.
  I couldn't find any evidence that Debian has moved to 1.9.2--or
  applied this patch--yet, but I don't fully understand the mechanics of
  how updates trickle down from them.

  This is a fairly urgent bug because it completely prevents Kerberized
  SSH connection to any nodes using an older KDC.

  Thanks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/874439/+subscriptions