[krbdev.mit.edu #1201] kdc returns replay when replayed request not apparent

rmdyer@uncc.edu via RT rt-comment at krbdev.mit.edu
Fri Oct 4 12:55:30 EDT 2002


Mr. Hartman,

Yes, the MIT KDC is a Solaris 8 machine.  We used the Solaris snoop process 
to capture the packets on the same box.  The capture does include all 
Kerberos client packets involving the trng07 principal.

Windows XP Pro Client (mws215.uncc.edu)
Sun Solaris 8 Server running MIT KDC v1.2.6 (ws470.uncc.edu)

Rodney

At 12:06 AM 10/4/2002 -0400, you wrote:

>Hi.  Could you please confirm that the attached trace was taken on the
>KDC machine and includes all Kerberos packets either from the client
>machine or involving the principal trng7 either from that client or
>any other client during the period of the trace?
>
>
>The reason that the client and authtime are zero on replay packets is
>that the KDC does not parse the request enough to find out what the
>client name is before determining it is a replay.  At the point it
>determines the request is a replay it should stop processing the
>request and return the cached response.
>
>However, since you seem to be seeing an error packet, that may not be
>happening.
>
>
>
>I do see a replay error in the trace and I'm not really sure what the
>KDC thinks it is a replay of.
>
>It's also generating an error, not returning a cached response.
>
>Thanks for the trace; we should look at it in the next few days and
>see if we can come up with any additional data.
>
>For the benefit of others I'm attaching a decoding of the trace to the
>ticket.
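
The lookaside behaviour described in the quoted message above (match the raw request before parsing it, then resend the stored reply instead of an error), as an added example that is not part of the original thread and is not MIT krb5 source. All names, the slot count and the 120-second lifetime are assumptions, and real request processing is replaced by a stand-in that tags each fresh reply with a counter byte.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#define SLOTS 8
#define MAXPKT 256
#define STALE_SECS 120   /* assumed entry lifetime, not taken from the thread */

struct entry { int used; time_t when; size_t req_len, rep_len;
               unsigned char req[MAXPKT], rep[MAXPKT]; };
static struct entry cache[SLOTS];
static unsigned next_slot, fresh_count;

/* Match the undecoded request byte for byte. Nothing has been parsed yet,
 * so a hit has no client name or authtime available to log. */
static struct entry *lookaside_check(const unsigned char *req, size_t len, time_t now) {
    for (int i = 0; i < SLOTS; i++) {
        struct entry *e = &cache[i];
        if (e->used && now - e->when > STALE_SECS)
            e->used = 0;                          /* expire stale entries */
        if (e->used && e->req_len == len && memcmp(e->req, req, len) == 0)
            return e;
    }
    return NULL;
}

/* Returns 1 if resent from cache, 0 if computed, -1 if too large; rep holds MAXPKT. */
int handle_request(const unsigned char *req, size_t len, time_t now,
                   unsigned char *rep, size_t *rep_len) {
    if (len == 0 || len >= MAXPKT) return -1;
    struct entry *e = lookaside_check(req, len, now);
    if (e) {                                      /* retransmission: no error */
        memcpy(rep, e->rep, *rep_len = e->rep_len);
        return 1;
    }
    /* Stand-in for real processing: the counter byte marks a fresh reply. */
    rep[0] = (unsigned char)++fresh_count;
    memcpy(rep + 1, req, len); *rep_len = len + 1;
    e = &cache[next_slot++ % SLOTS];              /* reuse the oldest slot */
    e->used = 1; e->when = now; e->req_len = len; e->rep_len = *rep_len;
    memcpy(e->req, req, len);
    memcpy(e->rep, rep, *rep_len);
    return 0;
}

int main(void) {
    unsigned char req[] = "constructed sample request", rep[MAXPKT]; size_t n;
    for (int t = 0; t < 2; t++)   /* same bytes twice: computed, then cached */
        printf("cached=%d\n", handle_request(req, sizeof req, 1000 + t, rep, &n));
    return 0;
}
```

In this model a byte-identical retransmission always gets the stored reply back, so an error answer to a request with no earlier identical packet in the capture is the outcome the model cannot produce.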
