- apply upstream patch by way of Burt Holzman to fall back to a non-referral

method in cases where we might be derailed by a KDC that rejects the
  canonicalize option (for example, those from the RHEL 2.1 or 3 era) (#713518)

krb5-1.9-canonicalize-fallback.patch

@@ -0,0 +1,59 @@
+From RT#6917.
+
+--- a/src/lib/krb5/krb/get_creds.c
++++ b/src/lib/krb5/krb/get_creds.c
+@@ -466,13 +466,10 @@ begin_non_referral(krb5_context context, krb5_tkt_creds_context ctx)
+ 
+ /***** STATE_REFERRALS *****/
+ 
+-/*
+- * Possibly retry a request in the fallback realm after a referral request
+- * failure in the local realm.  Expects ctx->reply_code to be set to the error
+- * from a referral request.
+- */
++/* Possibly try a non-referral request after a referral request failure.
++ * Expects ctx->reply_code to be set to the error from a referral request. */
+ static krb5_error_code
+-try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
++try_fallback(krb5_context context, krb5_tkt_creds_context ctx)
+ {
+     krb5_error_code code;
+     char **hrealms;
+@@ -481,9 +478,10 @@ try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
+     if (ctx->referral_count > 1)
+         return ctx->reply_code;
+ 
+-    /* Only fall back if the original request used the referral realm. */
++    /* If the request used a specified realm, make a non-referral request to
++     * that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */
+     if (!krb5_is_referral_realm(&ctx->req_server->realm))
+-        return ctx->reply_code;
++        return begin_non_referral(context, ctx);
+ 
+     if (ctx->server->length < 2) {
+         /* We need a type/host format principal to find a fallback realm. */
+@@ -496,10 +494,10 @@ try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
+     if (code != 0)
+         return code;
+ 
+-    /* Give up if the fallback realm isn't any different. */
++    /* If the fallback realm isn't any different, use the existing TGT. */
+     if (data_eq_string(ctx->server->realm, hrealms[0])) {
+         krb5_free_host_realm(context, hrealms);
+-        return ctx->reply_code;
++        return begin_non_referral(context, ctx);
+     }
+ 
+     /* Rewrite server->realm to be the fallback realm. */
+@@ -536,9 +534,9 @@ step_referrals(krb5_context context, krb5_tkt_creds_context ctx)
+     krb5_error_code code;
+     const krb5_data *referral_realm;
+ 
+-    /* Possibly retry with the fallback realm on error. */
++    /* Possibly try a non-referral fallback request on error. */
+     if (ctx->reply_code != 0)
+-        return try_fallback_realm(context, ctx);
++        return try_fallback(context, ctx);
+ 
+     if (krb5_principal_compare(context, ctx->reply_creds->server,
+                                ctx->server)) {

krb5.spec

@@ -6,7 +6,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.9.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.1-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -54,6 +54,7 @@ Patch77: krb5-1.9-paren.patch
 Patch78: krb5-trunk-chpw-err.patch
 Patch79: krb5-klist_s.patch
 Patch80: krb5-trunk-kadmin-oldproto.patch
+Patch81: krb5-1.9-canonicalize-fallback.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -199,6 +200,7 @@ ln -s NOTICE LICENSE
 %patch78 -p0 -b .chpw-err
 %patch79 -p1 -b .klist_s
 %patch80 -p0 -b .kadmin-oldproto
+%patch81 -p1 -b .canonicalize-fallback
 gzip doc/*.ps
 
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -658,6 +660,11 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Mon Jun 20 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-4
+- apply upstream patch by way of Burt Holzman to fall back to a non-referral
+  method in cases where we might be derailed by a KDC that rejects the
+  canonicalize option (for example, those from the RHEL 2.1 or 3 era) (#713518)
+
 * Tue Jun 14 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-3
 - pull a fix from SVN to get libgssrpc clients (e.g. kadmin) authenticating
   using the old protocol over IPv4 again (RT#6920)