unwanted KRB5_GET_INIT_CREDS_OPT_CANONICALIZE flags -> INVALID TGS OPTIONS

Marc W. Mengel mengel at fnal.gov
Fri Jun 3 10:55:11 EDT 2011


Ahh, thank you for pointing me up the right tree :-)... and especially 
for committing the patch.

We may indeed have to try to breach the SEP field around our KDC setup...

On 06/02/2011 08:06 PM, Greg Hudson wrote:
> On Thu, 2011-06-02 at 17:29 -0400, Marc W. Mengel wrote:
>> but when you go to request a ticket for a specific
>> host, it looks like in s4u_identify_user()
>> (http://src.mit.edu/krb5/xref/trunk/src/lib/krb5/krb/s4u_creds.c#102)
>> the options are set to have canonicalize true, and then later in
>> krb5_init_creds_init()
>> (http://src.mit.edu/krb5/xref/trunk/src/lib/krb5/krb/get_in_tkt.c#868)
>> if it's already set to true, any options in the krb5.conf in the realm
>> or what have you are ignored, because they are only checked if the
>> options word has the flag turned off.
>
> Neither of these functions is used in the TGS request path.  What
> actually happened was a change in the fallback behavior when get_creds.c
> was rewritten for 1.9.  Previously, we would retry without the
> canonicalize bit set any time we got an error from our first referral
> request, but in 1.9 we only retry if we would be doing so in a different
> realm.
>
> The old fallback behavior will be restored in 1.9.2 (I just committed
> the patch), but depending on your deployment scenario, it may be easier
> to work around this problem by patching the KDC.  It would be a very
> simple patch to validate_tgs_request() in kdc_util.c.
>
>