unwanted KRB5_GET_INIT_CREDS_OPT_CANONICALIZE flags -> INVALID TGS OPTIONS
Greg Hudson
ghudson at MIT.EDU
Thu Jun 2 21:06:52 EDT 2011
On Thu, 2011-06-02 at 17:29 -0400, Marc W. Mengel wrote:
> but when you go to request a ticket for a specific
> host, it looks like in s4u_identify_user()
> (http://src.mit.edu/krb5/xref/trunk/src/lib/krb5/krb/s4u_creds.c#102)
> the options are set to have canonicalize true, and then later in
> krb5_init_creds_init()
> (http://src.mit.edu/krb5/xref/trunk/src/lib/krb5/krb/get_in_tkt.c#868)
> if its already set to true, any options in the krb5.conf in the realm
> or what have you are ignored, because they are only checked if the
> options word has the flag turned off.
Neither of these functions is used in the TGS request path. What
actually happened was a change in the fallback behavior when get_creds.c
was rewritten for 1.9. Previously, we would retry without the
canonicalize bit set any time we got an error from our first referral
request, but in 1.9 we only retry if we would be doing so in a different
realm.
The old fallback behavior will be restored in 1.9.2 (I just committed
the patch), but depending on your deployment scenario, it may be easier
to work around this problem by patching the KDC. It would be a very
simple patch to validate_tgs_request() in kdc_util.c.
More information about the Kerberos
mailing list