unwanted KRB5_GET_INIT_CREDS_OPT_CANONICALIZE flags -> INVALID TGS OPTIONS

Marc W. Mengel mengel at fnal.gov
Thu Jun 2 17:29:18 EDT 2011


So here's our problem.  With MIT kerberos 1.9 clients (under Fedora 15 
in particular) when users try to ssh or rsh or what have you to one of
our hosts, we get errors logged on the KDC like:

131.225.202.31(88): INVALID TGS OPTIONS: authtime 1306970595, 
j_random_user at FNAL.GOV  for host/blah.fnal.gov at FNAL.GOV, KDC can't 
fulfill requested option

which I suspect is due to KRB5_GET_INIT_CREDS_OPT_CANONICALIZE being set
in the request, which the KDC (being an older one) rejects out of hand,
as an invalid option.

The problem is, in the latest code, there seems to be no way to turn 
this off.  You can turn canonicalize off and on for the initial TGT
request in kinit (and turning it on makes those requests fail
similarly), but when you go to request a ticket for a specific
host, it looks like in s4u_identify_user()
(http://src.mit.edu/krb5/xref/trunk/src/lib/krb5/krb/s4u_creds.c#102)
the options are set to have canonicalize true, and then later in
krb5_init_creds_init()
(http://src.mit.edu/krb5/xref/trunk/src/lib/krb5/krb/get_in_tkt.c#868)
if it's already set to true, any options in the krb5.conf in the realm
or what have you are ignored, because they are only checked if the 
options word has the flag turned off.

Or am I missing something?

Marc
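Added here as an illustration, not part of the original message: a small triage script for the KDC log pattern quoted above. It parses "INVALID TGS OPTIONS" lines in the shape the post shows (with "@" where the list archive printed "at") and reports clients that hit the error against several different service principals, which points at a client-side request flag rather than a problem with any one host. The sample log lines are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Matches the krb5kdc log line shape quoted in the post. Assumed format:
# "<client ip>(<port>): INVALID TGS OPTIONS: authtime <n>, <princ> for <service>, <reason>"
TGS_OPTIONS_RE = re.compile(
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3})\(\d+\): INVALID TGS OPTIONS: "
    r"authtime (?P<authtime>\d+), (?P<principal>\S+) for (?P<service>\S+), "
    r"(?P<reason>.+)$"
)

# Constructed sample lines for the example (not real log data).
SAMPLE_LOG = """\
131.225.202.31(88): INVALID TGS OPTIONS: authtime 1306970595, j_random_user@FNAL.GOV for host/blah.fnal.gov@FNAL.GOV, KDC can't fulfill requested option
131.225.202.31(88): INVALID TGS OPTIONS: authtime 1306970600, j_random_user@FNAL.GOV for host/other.fnal.gov@FNAL.GOV, KDC can't fulfill requested option
131.225.202.45(88): ISSUE: authtime 1306970610, etypes {rep=18 tkt=18 ses=18}, j_random_user@FNAL.GOV for host/blah.fnal.gov@FNAL.GOV
10.0.0.7(88): INVALID TGS OPTIONS: authtime 1306970620, someone@FNAL.GOV for host/blah.fnal.gov@FNAL.GOV, KDC can't fulfill requested option
"""


def parse_invalid_tgs_options(log_text):
    """Return one dict per INVALID TGS OPTIONS line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = TGS_OPTIONS_RE.search(line)
        if m:
            event = m.groupdict()
            event["authtime"] = int(event["authtime"])
            events.append(event)
    return events


def failures_per_client(events):
    """Count INVALID TGS OPTIONS events by client address."""
    return Counter(e["client"] for e in events)


def clients_failing_everywhere(events, min_services=2):
    """Clients rejected against at least min_services distinct service
    principals: the common factor is the client, not the target host."""
    services = defaultdict(set)
    for e in events:
        services[e["client"]].add(e["service"])
    return sorted(c for c, s in services.items() if len(s) >= min_services)


if __name__ == "__main__":
    evs = parse_invalid_tgs_options(SAMPLE_LOG)
    print(failures_per_client(evs))
    print("likely client-side flag:", clients_failing_everywhere(evs))
```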
