[krbdev.mit.edu #8014] Renewed and validated ccaches don't get config entries

Greg Hudson via RT rt-comment at krbdev.mit.edu
Thu Sep 18 11:58:52 EDT 2014


kinit -R and kinit -v do not write config entries such as the FAST 
negotiation result to the ccache they generate, because the APIs they use 
(krb5_get_renewed_creds and krb5_get_validated_creds) do not support 
output ccaches like the krb5_get_init_creds functions do.

However, we don't want to fix this bug in the near future.  Some versions 
of Java Kerberos break when they encounter config entries, because config 
entries use the ticket field and don't put a valid ASN.1 Ticket there.  
(And we can't really change that without breaking compatibility with 
ourselves and with Heimdal.)  Users of these Java versions have been 
using kinit -R as a workaround, and we don't want to break that.  Hence 
the status of "stalled" on this ticket.

The consequences of this bug are relatively minor.  If you use a renewed 
ccache as an armor ticket, you don't know that the KDC is supposed to 
support FAST.
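Added example, not part of the original message and not MIT krb5 code: a minimal reader for a format-version-4 FILE ccache that lists its config entries, so you can check whether a cache (for instance one produced by kinit -R) carries `fast_avail`. It relies on config entries being stored as credentials whose server principal is `krb5_ccache_conf_data/<key>[/<principal>]@X-CACHECONF:` with the value in the ticket field; `Reader`, `config_entries` and the sample caches are constructed for illustration.

```python
import struct

CONF_REALM = b"X-CACHECONF:"          # realm of a config entry's server principal
CONF_NAME = b"krb5_ccache_conf_data"  # its first name component

class Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ccache")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def num(self, fmt):  # big-endian integer: "H" = 16 bits, "I" = 32 bits
        return struct.unpack(">" + fmt, self.take(struct.calcsize(fmt)))[0]
    def data(self):      # 32-bit length followed by that many bytes
        return self.take(self.num("I"))
    def principal(self):
        self.num("I")    # name type, unused here
        count, realm = self.num("I"), self.data()
        return realm, [self.data() for _ in range(count)]

def config_entries(buf):
    """Map config key -> value for a format-version-4 FILE ccache."""
    r = Reader(buf)
    if r.num("H") != 0x0504:
        raise ValueError("only ccache format version 4 is handled")
    r.take(r.num("H"))                # header tags
    r.principal()                     # default principal
    found = {}
    while r.pos < len(buf):
        r.principal()                 # client
        realm, comps = r.principal()  # server
        r.num("H"); r.data()          # session key: enctype, key bytes
        r.take(16 + 1 + 4)            # four times, is_skey, ticket flags
        for _list in range(2):        # address list, then authdata list
            for _item in range(r.num("I")):
                r.num("H"); r.data()
        value = r.data()              # ticket field: a config entry keeps its value here
        r.data()                      # second ticket
        if realm == CONF_REALM and len(comps) >= 2 and comps[0] == CONF_NAME:
            found[comps[1].decode()] = value
    return found

# Constructed sample caches (placeholder key and ticket bytes, empty header).
def _d(b): return struct.pack(">I", len(b)) + b
def _princ(realm, *c): return struct.pack(">II", 1, len(c)) + _d(realm) + b"".join(map(_d, c))
def _cred(server, ticket):  # bytes(29): times, is_skey, flags, two empty lists
    return USER + server + struct.pack(">H", 18) + _d(bytes(32)) + bytes(29) + _d(ticket) + _d(b"")
USER = _princ(b"EXAMPLE.COM", b"alice")
RENEWED = struct.pack(">HH", 0x0504, 0) + USER + _cred(_princ(b"EXAMPLE.COM", b"krbtgt", b"EXAMPLE.COM"), b"constructed-ticket")
INITIAL = RENEWED + _cred(_princ(CONF_REALM, CONF_NAME, b"fast_avail", b"krbtgt/EXAMPLE.COM@EXAMPLE.COM"), b"yes")
```

`config_entries(INITIAL)` reports `fast_avail`, while `config_entries(RENEWED)` is empty, which is the state the message describes for renewed and validated caches.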


