[krbdev.mit.edu #1201] kdc returns replay when replayed request not apparent

Sam Hartman via RT rt-comment at krbdev.mit.edu
Fri Oct 4 00:06:34 EDT 2002


Hi.  Could you please confirm that the attached trace was taken on the
KDC machine and includes all Kerberos packets either from the client
machine or involving the principal trng7 either from that client or
any other client during the period of the trace?


The reason that the client and authtime are zero on replay packets is
that the KDC does not parse the request enough to find out what the
client name is before determining it is a replay.  At the point it
determines the request is a replay it should stop processing the
request and return the cached response.

However, since you seem to be seeing an error packet, that may not be
happening.



I do see a replay error in the trace and I'm not really sure what the
KDC thinks it is a replay of.

It's also generating an error, not returning a cached response.

Thanks for the trace; we should look at it in the next few days and
see if we can come up with any additional data.

For the benefit of others I'm attaching a decoding of the trace to the
ticket.
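
The behaviour the message describes, as an added example that is not part of the original message and is not MIT krb5 code: a response cache consulted on the raw request bytes before any decoding, so a retransmitted request is answered with the stored reply and no client name is ever extracted for it. The function names, the `client=<name>;...` string format standing in for an encoded request, and the 120-second entry lifetime are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define SLOTS 16
#define MAXPKT 128
#define STALE 120            /* assumed entry lifetime in seconds */

struct entry { int used; time_t when; char req[MAXPKT], rep[MAXPKT]; };
static struct entry cache[SLOTS];
static int next_slot;

/* Match on the raw request bytes only; nothing has been decoded yet. */
static const char *cache_check(const char *req, time_t now) {
    for (int i = 0; i < SLOTS; i++)
        if (cache[i].used && now - cache[i].when <= STALE &&
            strcmp(cache[i].req, req) == 0)
            return cache[i].rep;
    return NULL;
}

static void cache_insert(const char *req, const char *rep, time_t now) {
    struct entry *e = &cache[next_slot++ % SLOTS];
    e->used = 1; e->when = now;
    snprintf(e->req, sizeof e->req, "%s", req);
    snprintf(e->rep, sizeof e->rep, "%s", rep);
}

/* Returns 1 when answered from the cache, 0 when fully processed.
 * client stays empty on a cache hit because the request was never parsed. */
int dispatch(const char *req, time_t now, char *rep, size_t replen,
             char client[32]) {
    const char *hit = cache_check(req, now);
    client[0] = '\0';
    if (hit) {                       /* retransmission: resend, do not error */
        snprintf(rep, replen, "%s", hit);
        return 1;
    }
    /* Stand-in for real decoding: constructed "client=<name>;..." format. */
    sscanf(req, "client=%31[^;]", client);
    snprintf(rep, replen, "AS-REP for %s", client);
    cache_insert(req, rep, now);
    return 0;
}

int main(void) {
    char rep[MAXPKT], who[32];
    const char *pkt = "client=trng7;nonce=1001";   /* constructed sample */
    for (int i = 0; i < 2; i++) {
        int cached = dispatch(pkt, 1000 + i, rep, sizeof rep, who);
        printf("cached=%d client='%s' reply='%s'\n", cached, who, rep);
    }
    return 0;
}
```
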




