MIT Kerberos 5 v1.9.1 krb5_set_password_using_ccache() fails with Windows 2003 R2

Greg Hudson ghudson at MIT.EDU
Wed Nov 9 09:50:10 EST 2011


On 11/09/2011 08:40 AM, Mark R Bannister wrote:
> This implies to me that Windows 2003 R2 has a bug.  It ought to be ignoring bit
> 15 in a TGS-REQ, but this would not appear to be the case.

The canonicalize bit is still meaningful for TGS requests; see section 8
on server referrals.  The text you quoted is about alias
canonicalization, not referrals to another realm.

> However, what's the rationale for the change in behaviour to MIT Kerberos v5? 
> Why is MIT Kerberos now setting KDC option bit 15 on a TGS-REQ for a changepw? 
> Evidence shows that previous versions did not set this bit.

Starting with version 1.6, we set the canonicalize bit on TGS requests
in order to support server referrals to other realms.  In many error
cases, we fall back to a request without the canonicalize bit; there is
a bug in 1.9 and 1.9.1 (fixed in 1.9.2, which was issued very recently)
which reduces the number of cases where we make that fallback.  I'm
guessing that bug is the source of your problems:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=6917&user=guest&pass=guest

although the situation in your case seems to be more complicated.
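
Added example, not part of the original message and not MIT krb5 source: a small C model of the behaviour described above, showing how KDC option bit 15 (canonicalize) maps to a mask in the kdc-options bit string and how a client can retry a TGS request without it after an error. The function names, the two KDC stand-ins and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* KerberosFlags (RFC 4120) number bits from the most significant bit of a
 * 32-bit string, so flag bit n is the mask 1 << (31 - n). */
#define KDC_OPT_BIT(n)   ((uint32_t)1 << (31 - (n)))
#define OPT_FORWARDABLE  KDC_OPT_BIT(1)    /* 0x40000000 */
#define OPT_CANONICALIZE KDC_OPT_BIT(15)   /* 0x00010000 */

/* Decode a 32-bit kdc-options DER BIT STRING: 03 05 00 b0 b1 b2 b3.
 * Returns 0 on success, -1 for any other encoding. */
int parse_kdc_options(const uint8_t *der, size_t len, uint32_t *out)
{
    if (len != 7 || der[0] != 0x03 || der[1] != 0x05 || der[2] != 0x00)
        return -1;
    *out = ((uint32_t)der[3] << 24) | ((uint32_t)der[4] << 16) |
           ((uint32_t)der[5] << 8) | (uint32_t)der[6];
    return 0;
}

/* Hypothetical KDC models: 0 = ticket issued, nonzero = error reply. */
typedef int (*kdc_fn)(uint32_t opts);
int kdc_rejects_bit15(uint32_t opts) { return (opts & OPT_CANONICALIZE) ? -1 : 0; }
int kdc_accepts_bit15(uint32_t opts) { (void)opts; return 0; }

/* Try with canonicalize set; on error retry once with it cleared.
 * *sent receives the options of the last request made. */
int tgs_request_with_fallback(kdc_fn kdc, uint32_t opts, uint32_t *sent)
{
    *sent = opts | OPT_CANONICALIZE;
    if (kdc(*sent) == 0)
        return 0;
    *sent = opts & ~OPT_CANONICALIZE;
    return kdc(*sent);
}

int main(void)
{
    /* Constructed sample: forwardable + canonicalize as seen on the wire. */
    const uint8_t wire[] = { 0x03, 0x05, 0x00, 0x40, 0x01, 0x00, 0x00 };
    uint32_t opts = 0, sent = 0;
    if (parse_kdc_options(wire, sizeof wire, &opts) != 0)
        return 1;
    printf("options 0x%08x canonicalize=%d\n", (unsigned)opts,
           (opts & OPT_CANONICALIZE) != 0);
    int rc = tgs_request_with_fallback(kdc_rejects_bit15, OPT_FORWARDABLE, &sent);
    printf("fallback rc=%d last request 0x%08x\n", rc, (unsigned)sent);
    return 0;
}
```

When reading a packet capture, the same mask test on the decoded kdc-options tells you whether a given TGS-REQ was the first attempt or the retry.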


