I updated the test case with step (b.1) which I had forgotten. Here it goes:
Reproducing the error case with 1.15-1, we can see that UDP is tried first, is ignored, and then TCP is used one second later:
$ apt-cache policy krb5-kdc
krb5-kdc:
Installed: 1.15-1
Candidate: 1.15-1
Version table:
*** 1.15-1 500
500 http://br.archive.ubuntu.com/ubuntu zesty/universe amd64 Packages
100 /var/lib/dpkg/status
$ KRB5_TRACE=/dev/stdout kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu
[2848] 1494852873.104617: Getting initial credentials for <email address hidden>
[2848] 1494852873.105449: Looked up etypes in keytab: aes256-cts, aes128-cts
[2848] 1494852873.105633: Sending request (172 bytes) to EXAMPLE.ORG
[2848] 1494852873.105684: Resolving hostname 10.0.100.249
[2848] 1494852873.105840: Sending initial UDP request to dgram 10.0.100.249:88
[2848] 1494852874.108235: Initiating TCP connection to stream 10.0.100.249:88
[2848] 1494852874.108528: Sending TCP request to stream 10.0.100.249:88
[2848] 1494852874.110518: Received answer (254 bytes) from stream 10.0.100.249:88
[2848] 1494852874.110549: Terminating TCP connection to stream 10.0.100.249:88
[2848] 1494852874.285214: Response was not from master KDC
[2848] 1494852874.285346: Received error from KDC: -1765328359/Additional pre-authentication required
...
After installing the update, UDP is again tried first but this time kinit receives an immediate answer and the exchange remains on UDP:
$ apt-cache policy krb5-kdc
krb5-kdc:
Installed: 1.15-1ubuntu0.1
Candidate: 1.15-1ubuntu0.1
Version table:
*** 1.15-1ubuntu0.1 500
500 http://br.archive.ubuntu.com/ubuntu zesty-proposed/universe amd64 Packages
100 /var/lib/dpkg/status
1.15-1 500
500 http://br.archive.ubuntu.com/ubuntu zesty/universe amd64 Packages
$ KRB5_TRACE=/dev/stdout kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu
[10150] 1494853325.393939: Getting initial credentials for <email address hidden>
[10150] 1494853325.395247: Looked up etypes in keytab: aes256-cts, aes128-cts
[10150] 1494853325.395665: Sending request (172 bytes) to EXAMPLE.ORG
[10150] 1494853325.395851: Resolving hostname 10.0.100.249
[10150] 1494853325.396225: Sending initial UDP request to dgram 10.0.100.249:88
[10150] 1494853325.398161: Received answer (254 bytes) from dgram 10.0.100.249:88
[10150] 1494853325.648728: Response was not from master KDC
[10150] 1494853325.648835: Received error from KDC: -1765328359/Additional pre-authentication required
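A small check for the two traces above, as an added example that is not part of the original comment: it parses KRB5_TRACE lines in the format shown and reports which transport delivered the first KDC answer and how long after the first send it arrived. The function name `analyze` and the result keys are assumptions made for this sketch; the sample lines are copied from the traces in the comment.

```python
import re
from decimal import Decimal

# Lines copied from the two traces above (before and after the update).
TRACE_BEFORE = """\
[2848] 1494852873.105840: Sending initial UDP request to dgram 10.0.100.249:88
[2848] 1494852874.108235: Initiating TCP connection to stream 10.0.100.249:88
[2848] 1494852874.108528: Sending TCP request to stream 10.0.100.249:88
[2848] 1494852874.110518: Received answer (254 bytes) from stream 10.0.100.249:88
"""
TRACE_AFTER = """\
[10150] 1494853325.396225: Sending initial UDP request to dgram 10.0.100.249:88
[10150] 1494853325.398161: Received answer (254 bytes) from dgram 10.0.100.249:88
"""

LINE = re.compile(r"^\[\d+\] (\d+\.\d+): (.*)$")
SEND = re.compile(r"Sending (?:\w+ )?(UDP|TCP) request to (?:dgram|stream) \S+")
ANSWER = re.compile(r"Received answer \(\d+ bytes\) from (dgram|stream) \S+")


def analyze(trace):
    """Return the transport of the first KDC answer and the delay since the first send."""
    first_send = None
    udp_sent = False
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip "..." and any non-trace output
        # Decimal keeps the microsecond digits exact; float would not at this magnitude.
        ts, msg = Decimal(m.group(1)), m.group(2)
        sent = SEND.search(msg)
        if sent:
            if first_send is None:
                first_send = ts
            udp_sent = udp_sent or sent.group(1) == "UDP"
            continue
        ans = ANSWER.search(msg)
        if ans and first_send is not None:
            over = "udp" if ans.group(1) == "dgram" else "tcp"
            return {"answered_over": over,
                    "udp_unanswered": udp_sent and over == "tcp",
                    "delay": ts - first_send}
    return None  # no answer line seen in this trace


if __name__ == "__main__":
    for name, trace in (("1.15-1", TRACE_BEFORE), ("1.15-1ubuntu0.1", TRACE_AFTER)):
        print(name, analyze(trace))
```
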