[krbdev.mit.edu #6673] S4U2Proxy and kvno error

Arlene Berry via RT rt-comment at krbdev.mit.edu
Fri Mar 5 00:41:20 EST 2010


I'm seeing some "Cannot find ticket for requested realm"  errors when
using kvno with S4U2Proxy.  I tracked it down and the ultimate cause is
that when krb5_server_decrypt_ticket_keytab() decrypts the encrypted
part of the impersonated ticket, it tries every keytab entry it finds
with the right key type and uses the first one that works.  It
doesn't match the principal or the key version.  The problem occurs when
krb5_server_decrypt_ticket_keytab() replaces the server principal in the
ticket with the one in the keytab entry.  Since I'm using Active
Directory for the KDC and have the account set up as a computer account,
I have several variations on the principal name stored as separate
keytab entries and the right one may not be the first keytab entry that
can decrypt the ticket.  The result is that when kvno tries to use the
impersonated credentials to get credentials for a service and
krb5_get_credentials_for_proxy() looks for the proxy's TGT, it's looking
for a TGT with the wrong principal name and ultimately returns
KRB5_NO_TKT_IN_RLM.  I'm not sure what the right way to fix this is.  Is
there a reason why krb5_server_decrypt_ticket_keytab() doesn't match the
principal name?  Why does krb5_server_decrypt_ticket_keytab() replace
the ticket's server principal?
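The mechanism the report describes can be modelled in a few lines. The following is an added example, not code from MIT krb5 or from the reporter: a toy keytab and a toy authenticated cipher stand in for the real ones, and it assumes (as the report implies for an AD computer account) that the differently spelled name variants share one key while an older kvno uses a different key. It contrasts "first key that decrypts wins" with matching the keytab entry on the ticket's server principal and kvno before trying the key, and then shows why the wrong name breaks the later TGT lookup.

```python
"""Toy model of keytab-based ticket decryption: first-key-that-works versus
matching on principal name and kvno.  Added example; not krb5 code.  All
principal names, keys and cache contents below are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

ENCTYPE_TOY = 18  # placeholder enctype id; only used for matching, not real crypto


@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    key: bytes


@dataclass
class Ticket:
    sname: str        # server principal named in the ticket
    enctype: int
    kvno: int
    enc_part: bytes   # encrypted part in the toy format below


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: XOR with a key-derived keystream plus an HMAC tag.
    A wrong key fails the tag check, which is what makes decrypt-by-trial possible."""
    nonce = os.urandom(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def toy_decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key does not verify the tag."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = hashlib.shake_256(key + nonce).digest(len(body))
    return bytes(b ^ s for b, s in zip(body, stream))


def decrypt_first_key_that_works(ticket, keytab) -> Optional[Tuple[str, bytes]]:
    """Behaviour described in the report: every entry with the right enctype is
    tried and the first one that decrypts wins, including its principal name."""
    for entry in keytab:
        if entry.enctype != ticket.enctype:
            continue
        plain = toy_decrypt(entry.key, ticket.enc_part)
        if plain is not None:
            return entry.principal, plain
    return None


def decrypt_matching_principal_and_kvno(ticket, keytab) -> Optional[Tuple[str, bytes]]:
    """Only try entries whose principal and kvno match what the ticket names."""
    for entry in keytab:
        want = (ticket.enctype, ticket.kvno, ticket.sname)
        if (entry.enctype, entry.kvno, entry.principal) != want:
            continue
        plain = toy_decrypt(entry.key, ticket.enc_part)
        if plain is not None:
            return entry.principal, plain
    return None


def find_tgt(ccache, principal):
    """Stand-in for the proxy's TGT lookup: the cache is keyed by the exact name."""
    return ccache.get(principal)


# Constructed scenario: one AD computer account, two spellings of the host
# principal that share the current key, plus an older kvno with a different key.
CURRENT_KEY = hashlib.sha256(b"constructed current password").digest()
OLD_KEY = hashlib.sha256(b"constructed previous password").digest()
KEYTAB = [
    KeytabEntry("HOST/box.example.com@EXAMPLE.COM", 3, ENCTYPE_TOY, CURRENT_KEY),
    KeytabEntry("host/box.example.com@EXAMPLE.COM", 3, ENCTYPE_TOY, CURRENT_KEY),
    KeytabEntry("host/box.example.com@EXAMPLE.COM", 2, ENCTYPE_TOY, OLD_KEY),
]
TICKET = Ticket("host/box.example.com@EXAMPLE.COM", ENCTYPE_TOY, 3,
                toy_encrypt(CURRENT_KEY, b"cname=user@EXAMPLE.COM"))
# The proxy's credential cache holds a TGT only under the lower-case spelling.
CCACHE = {"host/box.example.com@EXAMPLE.COM": "krbtgt/EXAMPLE.COM@EXAMPLE.COM (constructed)"}


def demo():
    naive_name, _ = decrypt_first_key_that_works(TICKET, KEYTAB)
    strict_name, _ = decrypt_matching_principal_and_kvno(TICKET, KEYTAB)
    return {
        "naive_server_name": naive_name,
        "naive_tgt_lookup": find_tgt(CCACHE, naive_name),    # None: no TGT under that name
        "strict_server_name": strict_name,
        "strict_tgt_lookup": find_tgt(CCACHE, strict_name),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows the naive loop returning the first entry's spelling, `HOST/box.example.com@EXAMPLE.COM`, because it decrypts just as well, and the TGT lookup under that name then fails, which is the analogue of the `KRB5_NO_TKT_IN_RLM` path in the report; the matching variant returns the name the ticket actually carried and the lookup succeeds.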