MIT Kerberos 5 v1.9.1 krb5_set_password_using_ccache() fails with Windows 2003 R2

[Greg Hudson]

On 11/14/2011 11:49 AM, Greg Hudson wrote:
> I would expect 1.6.1 to send the TGS request with the canonicalize bit
> set.  Can you look at the packet trace for 1.6.1 (or post results if
> you've already looked at it)?  Perhaps there's a difference there which
> will explain the different outcome.

Nevermind, I think I know why 1.6.1 succeeds and 1.9 fails.  1.6 through
1.8 have a workaround for this specific AD behavior (fall back to a
non-referral request if you get back a TGT to the same realm), and 1.9
only has a workaround for a related but different behavior (fall back if
you get a non-TGT service name other than the requested service)
described in the same ticket (#4955).

I am guessing that this version of AD is implementing the behavior
described in appendix A of the referrals draft.  It wants to change the
client-visible server name, and the way it does so is by returning a TGT
to the same realm with a PA-SVR-REFERRAL-DATA entry in the encrypted padata.

This should be easy enough to fix, since I have a test case in a local
AD realm.  If you are in a position to test a patch, I can furnish one;
otherwise it should hit a 1.9 patch release at some point.