MIT Kerberos 5 v1.9.1 krb5_set_password_using_ccache() fails with Windows 2003 R2

Mark R Bannister mark at proseconsulting.co.uk
Tue Nov 15 09:32:55 EST 2011


On Mon 14/11/11 17:30, Greg Hudson ghudson at MIT.EDU sent:
> On 11/14/2011 11:49 AM, Greg Hudson wrote:
> > I would expect 1.6.1 to send the TGS request with the canonicalize bit
> > set.  Can you look at the packet trace for 1.6.1 (or post results if
> > you've already looked at it)?  Perhaps there's a difference there which
> > will explain the different outcome.
> 
> Nevermind, I think I know why 1.6.1 succeeds and 1.9 fails.  1.6
> through 1.8 have a workaround for this specific AD behavior (fall back to a
> non-referral request if you get back a TGT to the same realm), and 1.9
> only has a workaround for a related but different behavior (fall back
> if you get a non-TGT service name other than the requested service)
> described in the same ticket (#4955).
> 
> I am guessing that this version of AD is implementing the behavior
> described in appendix A of the referrals draft.  It wants to change the
> client-visible server name, and the way it does so is by returning a
> TGT to the same realm with a PA-SVR-REFERRAL-DATA entry in the encrypted
> padata.
> This should be easy enough to fix, since I have a test case in a local
> AD realm.  If you are in a position to test a patch, I can furnish one;
> otherwise it should hit a 1.9 patch release at some point.

Yes please Greg, happy to test a patch.

Thanks,
Mark.
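The two client-side workarounds Greg contrasts above, modelled as a small decision function. This is an added illustration written for this page, not MIT krb5 code: it classifies the server principal that comes back in a TGS-REP and says whether the 1.6-1.8 heuristic (fall back when the KDC returns a TGT for the client's own realm) or the 1.9 heuristic (fall back when a non-TGT service name other than the requested one comes back) would retry without referrals. The principal parser ignores backslash escapes, the use of `kadmin/changepw` as the service behind `krb5_set_password_using_ccache()` and the realm `EXAMPLE.COM` are assumptions, and the PA-SVR-REFERRAL-DATA padata is only mentioned in a comment because the thread does not describe how the eventual fix consumes it.

```python
"""Model of the referral-fallback heuristics discussed in the thread.
Illustration only (not MIT krb5 code); backslash escapes in principal
names are not handled."""

from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        # "comp1/comp2@REALM" -> components + realm (no escape handling)
        name, sep, realm = text.rpartition("@")
        if not sep or not realm or not name:
            raise ValueError("principal needs name@REALM: %r" % text)
        return cls(tuple(name.split("/")), realm)

    def is_tgt(self) -> bool:
        # krbtgt/<REALM> with exactly two components is a TGT principal
        return len(self.components) == 2 and self.components[0] == "krbtgt"

    def tgt_realm(self) -> str:
        # the realm a krbtgt/<REALM> principal grants tickets for
        return self.components[1]


def referral_action(requested: str, returned: str,
                    client_realm: str, krb5_version: str) -> str:
    """Decide what a referral-aware client does with the server principal
    found in a TGS-REP, using the heuristic of the given krb5 line.

    krb5_version: "1.6" (the 1.6 through 1.8 workaround) or "1.9".
    Returns one of: "use-ticket", "follow-referral",
    "retry-without-referral", "no-workaround".
    """
    if krb5_version not in ("1.6", "1.9"):
        raise ValueError("unknown krb5 line: %r" % krb5_version)
    req = Principal.parse(requested)
    ret = Principal.parse(returned)

    if ret == req:
        # KDC issued exactly what we asked for
        return "use-ticket"

    if ret.is_tgt():
        if ret.tgt_realm() != client_realm:
            # cross-realm TGT: the normal referral case, ask the next KDC
            return "follow-referral"
        # TGT for our own realm: the AD 2003 R2 behaviour in the thread
        # (appendix A of the referrals draft; the real server name travels
        # in PA-SVR-REFERRAL-DATA inside the encrypted padata).
        if krb5_version == "1.6":
            return "retry-without-referral"
        return "no-workaround"

    # non-TGT service name that differs from the one requested
    if krb5_version == "1.9":
        return "retry-without-referral"
    return "no-workaround"


if __name__ == "__main__":
    # Constructed sample: password change via kadmin/changepw against a KDC
    # that hands back a TGT for the client's own realm.
    for line in ("1.6", "1.9"):
        print(line, referral_action("kadmin/changepw@EXAMPLE.COM",
                                    "krbtgt/EXAMPLE.COM@EXAMPLE.COM",
                                    "EXAMPLE.COM", line))
```

Running the sample shows the asymmetry in Greg's diagnosis: the same-realm TGT triggers the fallback under the 1.6-1.8 rule and matches no rule under the 1.9 rule, while a renamed non-TGT service is the case only the 1.9 rule handles.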
