krb5kdc and kadmind daemons are working with Berkeley DB backend with this update.
As explained in this Bugzilla comment, this update is removing the lock
permission for the krb5kdc_t processes. This is breaking MIT krb5 KDC:
type=AVC msg=audit(1710509353.206:154): avc: denied { lock } for pid=857 comm="krb5kdc" path="/var/kerberos/krb5kdc/principal.kadm5.lock" dev="vda2" ino=262657 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=unconfined_u:object_r:krb5kdc_principal_t:s0 tclass=file permissive=0
There are three different failures in automated tests:
None of these failures should be considered a blocker.
I confirm there is no AVC error reported on an IPA client when authenticating using a passkey with IPA 4.11.0-4.beta1 on a distinct server and client setup.
I confirm this update allows IPA to generate AD-compatible PAC PrivSvr signatures, by relying on the "pac_privsvr_enctype" KDB string attribute introduced in krb5 1.21.
The problems related to the CI and TMT are now fixed. But tests are still failing due to the upgrade to Python 3.12, which removed a function used by krb5 tests. I opened an upstream pull request to fix this: https://github.com/krb5/krb5/pull/1307
I tested this change locally. It allows all tests to pass.
I will waive the test failure for this advisory, and update the krb5 dist-git repo once the upstream PR is accepted.
The issue was reported to the TMT project: https://github.com/teemtee/tmt/issues/2205
The issue mentioned in my last comment is fixed, but there is another issue related to TMT or Ansible:
Package manager "None" is not supported.
The functional tests for this advisory are blocked because of this issue: https://pagure.io/fedora-ci/general/issue/419
The rpmdeplint test failure is due to the fact that some paths are used for both the i686 and the x86_64 versions of krb5-tests.
Since this package is used for testing only, it should not impact users. I will fix it in a future release.
The failure of the "rpminspect.static-analysis" test is due to the content of krb5-tests. This package includes the full content of the build directory. It is used to run upstream tests in TMT. This package is only meant for testing purposes.
This update is passing FreeIPA PRCI tests:
The following operations are working:
This update fixes krb5 upstream test t_discover_uri.py for KDC discovery using DNS URI record lookup.
Fix CVE-2024-2698 and CVE-2024-3183